Bug #89449
closedOption "access" is ignored for backend routes
100%
Description
As mentioned in the official documentation, a backend route can be configured as publicly accessible by using the "access" property:
»The “public” access property indicates that no authentication is required for that action.«
But, when a route is added and marked as "public", still a redirect response is returned if the user is not logged in. The reason is, that only paths defined in \TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes
are accessible without login.
A small hint, that this is not possible is mentioned in the documentation:
»Currently the "access" property is only used so no token creation + validation is made, but will be extended further.«
We are currently working on a custom backend login provider for TYPO3 v9, which requires to perform an AJAX request to the TYPO3 system. This request will occur before the backend user is logged in. We tried this by adding a new route to Configuration/Backend/AjaxRoutes.php
, but the request is constantly redirected to the login.
I would like to provide a fix for v9 and a sepearte fix for v10, because some methods and properties can be removed.
The fix looks more or less as following:
- match the route in a PSR-15 middleware before BackendUserAuthenticator
- use the "access" property of the route to indicate if the route can be accessed publicly
Breaking changes (for TYPO3 v10) are:
- removal of
\TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::$publicRoutes
- removal of
\TYPO3\CMS\Backend\Middleware\BackendUserAuthenticator::isLoggedInBackendUserRequired