TYPO3 Core

Benni Mack wrote:

Hey Roman,

thanks for your report. I reproduced this issue and cannot confirm your issue. However, where exactly in the frontend request do you use this code? If you use this in a "cacheable" object, and you first hit the page without a proper backend user, it is cached as "not logged in" (e.g. in a USER plugin or cacheable extbase action).

Hello Benni

Thank you very much for looking into this. The code is used in a cacheable controller action. The uncached usage is just desired when previewing the record. For this the following TSConfig is used (understanding that additionalGetParameters triggers the usage from no_cache=1):

TCEMAIN.preview {
    <table name> {
        additionalGetParameters {
            <plugin name> {
                action = show
                controller = Job
                preview = 1
            }
        }
        useCacheHash = 0
    }
}

To get the BE user the following is used now:

$className = \TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class;
/** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication $backendUser */
$backendUser = GeneralUtility::makeInstance($className);
$backendUser->start();
if (isset($backendUser->user['uid']) && $backendUser->user['uid']) {
    $beUserLoggedIn = true;
}

Hey Roman,

hmm, I still cannot reproduce this issue. Within an extbase controller (cached/uncached). Can you share more details on the plugin / controller-action code?

Hi Benni

The issue was related to the non-admin user not having access to the page beeing shown upon previewing the record beeing edited in a sys folder the non-admin user had access to:

[root]
  |
  |--- [sys folder] ...with records beeing edited. The be user has access to this folder.
  |
  |--- [page] ...where plugin to show the record is located. The be user doesn't have access to this page

This lead to the situation that the user could edit the records in the sys folder and view the result in the frontend on the page the user doesn't have be-access. In the PageResolver middleware $GLOBALS['BE_USER'] was unset due to the user not having access to the page that was viewed in the frontend.

\TYPO3\CMS\Frontend\Middleware\PageResolver:

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    ...
        if ($this->controller->isBackendUserLoggedIn() && !$GLOBALS['BE_USER']->doesUserHaveAccess($this->controller->page, Permission::PAGE_SHOW)) {
            unset($GLOBALS['BE_USER']);
    ...

This is quite special use case and could be solved easyly by using the BackendUserAuthentication class in the extbase controller hence this issue could be closed.

Thank you again for helping!

Hey Roman,

now i see - the main issue is the sysfolder - that the Frontend says "nope, cannot access this one"!

Hi Benni,

Isn't it rather that the backend says "this BE user can't access this page in the BE (the one that doesn't has FE restrictions) hence we don't provide information regarding this BE user when rendering the page"?