Project

General

Profile

Actions

Bug #90989

closed

Lookup of access restricted records throws 404

Added by Reiner Kempkes over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Site Handling, Site Sets & Routing
Target version:
-
Start date:
2020-04-09
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
9
PHP Version:
7.2
Tags:
PersistedAliasMapper, Access Restriction, UserAspect, User Authentication
Complexity:
Is Regression:
Sprint Focus:

Description

Preparation
News extension and Frontend user authentication is already set up and running properly (see System Environment section below).
Create a frontend user and a news record, User and news record must be assigned to the same frontend group.
As alternative use "Show at any login" (-2) as access restriction for the news record.

Log in via frontend authentication.
Access a news detail page containing an access restricted news record.

Current Behaviour
A 404 error is thrown.

Expected Behaviour
The news detail page with the given record is shown.

Debugging
I traced the issue down to the UserAspect class, which is not properly initialized.

PersistedAliasMapper->findByRouteFieldValue() is processing the news record lookup via QueryBuilder, which uses a FrontendGroupRestriction. There the 'frontend.user' aspect is utilized to determine valid frontend groups. Therefore UserAspect->isLoggedIn() is called, but the second condition of the first return statement fails, even when the user is logged in properly. This is caused due to an empty $this->user->groupData['uid'] array within the UserAspect->isLoggedIn() method.
Therefore the user lookup fails, which causes the group restriction lookup to fail, and therefore causing the QueryBuilder to fail fetching the news record, which causes the 404.

Solution and Patch
After a search for other usages i found TypoScriptFrontendController->initUserGroups(), which is calling FrontendUserAuthentication->fetchGroupData() to initialize the groupData array before processing user groups.
When i apply the same behaviour via the following patch to the UserAspect class, my issue is resolved properly and i am able to see the news detail page with the access restricted news, as expected.

public function isLoggedIn(): bool
{
    if ($this->user instanceof FrontendUserAuthentication) {
        // PATCH BEGIN
        if (empty($this->user->groupData['uid'])) {
            $this->user->fetchGroupData();
        }
        // PATCH END
        return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0 && !empty($this->user->groupData['uid'] ?? null);
    }
    return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0;
}

I am unable to determine if this kind of patch is best practice or will break anything else.
Furthermore i am not able to determine any performance impacts.
It might have a small performance impact, if groupData will be empty even after fetchGroupData() has been called, because it will then call fetchGroupData() again, every time when UserAspect->isLoggedIn() is called.

#90070 might be related to this.

System Environment
  • Currently only tested with TYPO3 9.5.15
  • News in version 7.3.1 is installed
  • Properly configured site configuration

Site Configuration:

News:
  type: Extbase
  extension: News
  plugin: Pi1
  routes:
    -
      routePath: '/article/{news-title}'
      _controller: 'News::detail'
      _arguments:
        news-title: news
  defaultController: 'News::list'
  aspects:
    news-title:
      type: PersistedAliasMapper
      tableName: tx_news_domain_model_news
      routeFieldName: path_segment


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #90070: isLoggedIn not set in PSR-15 MiddlewareClosed2020-01-08

Actions
Related to TYPO3 Core - Bug #91049: PageResolver has no info about feUserGroup to properly do $site->getRouter()->matchRequest which leads to 404 for records that are fe_group protectedClosed2020-04-15

Actions
Actions

Also available in: Atom PDF