Bug #90989
Lookup of access restricted records throws 404
Status: closed (100%)
Description
Preparation
News extension and Frontend user authentication is already set up and running properly (see System Environment section below).
Create a frontend user and a news record. User and news record must be assigned to the same frontend group.
As an alternative, use "Show at any login" (-2) as access restriction for the news record.
Log in via frontend authentication.
Access a news detail page containing an access restricted news record.
Current Behaviour
A 404 error is thrown.
Expected Behaviour
The news detail page with the given record is shown.
Debugging
I traced the issue down to the UserAspect class, which is not properly initialized.
PersistedAliasMapper->findByRouteFieldValue() is processing the news record lookup via QueryBuilder, which uses a FrontendGroupRestriction. There the 'frontend.user' aspect is utilized to determine valid frontend groups. Therefore UserAspect->isLoggedIn() is called, but the second condition of the first return statement fails, even when the user is logged in properly. This is caused by an empty $this->user->groupData['uid'] array within the UserAspect->isLoggedIn() method. Therefore the user lookup fails, which causes the group restriction lookup to fail, and therefore causes the QueryBuilder to fail fetching the news record, which causes the 404.
Solution and Patch
After a search for other usages I found TypoScriptFrontendController->initUserGroups(), which is calling FrontendUserAuthentication->fetchGroupData() to initialize the groupData array before processing user groups.
When I apply the same behaviour via the following patch to the UserAspect class, my issue is resolved properly and I am able to see the news detail page with the access restricted news, as expected.
    public function isLoggedIn(): bool
    {
        if ($this->user instanceof FrontendUserAuthentication) {
            // PATCH BEGIN
            if (empty($this->user->groupData['uid'])) {
                $this->user->fetchGroupData();
            }
            // PATCH END
            return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0 && !empty($this->user->groupData['uid'] ?? null);
        }
        return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0;
    }
I am unable to determine if this kind of patch is best practice or will break anything else.
Furthermore I am not able to determine any performance impacts.
It might have a small performance impact if groupData is still empty even after fetchGroupData() has been called, because it will then call fetchGroupData() again every time UserAspect->isLoggedIn() is called.
#90070 might be related to this.
System Environment
- Currently only tested with TYPO3 9.5.15
- News in version 7.3.1 is installed
- Properly configured site configuration
Site Configuration:
    News:
      type: Extbase
      extension: News
      plugin: Pi1
      routes:
        -
          routePath: '/article/{news-title}'
          _controller: 'News::detail'
          _arguments:
            news-title: news
      defaultController: 'News::list'
      aspects:
        news-title:
          type: PersistedAliasMapper
          tableName: tx_news_domain_model_news
          routeFieldName: path_segment
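A stand-alone PHP model of the failure chain described under Debugging and of the guard from Solution and Patch, added here as an illustration; it is not TYPO3 or News code and not part of the original report. ModelFrontendUser, visitorGroups() and recordFound() are hypothetical stand-ins, and the group lists ([0, -1] for anonymous visitors, [0, -2, ...own groups] for logged-in users) are an assumption of the model. It shows the restriction failing closed (record hidden, not exposed) while the group data is still unloaded.

```php
<?php
declare(strict_types=1);
// Stand-in for FrontendUserAuthentication: group data is only filled by fetchGroupData().
final class ModelFrontendUser
{
    public array $user;
    public array $groupData = ['uid' => []];
    public int $fetchCalls = 0;
    private array $storedGroups;
    public function __construct(int $uid, array $storedGroups)
    {
        $this->user = ['uid' => $uid];
        $this->storedGroups = $storedGroups;
    }
    public function fetchGroupData(): void
    {
        $this->fetchCalls++;
        $this->groupData['uid'] = $this->storedGroups;
    }
}

// Group ids the access restriction would see. Assumption of this model:
// anonymous visitors get [0, -1], logged-in users get [0, -2, ...own groups].
function visitorGroups(ModelFrontendUser $fe, bool $patched): array
{
    if ($patched && empty($fe->groupData['uid'])) {
        $fe->fetchGroupData(); // guard proposed in the report
    }
    $loggedIn = ($fe->user['uid'] ?? 0) > 0 && !empty($fe->groupData['uid']);
    return $loggedIn ? array_merge([0, -2], $fe->groupData['uid']) : [0, -1];
}

// The record is found when one of its fe_group values is in the visitor's list.
function recordFound(array $recordGroups, array $visitor): bool
{
    return array_intersect($recordGroups, $visitor) !== [];
}

foreach ([false, true] as $patched) {
    $fe = new ModelFrontendUser(7, [3]); // constructed: user 7, member of group 3
    $groups = visitorGroups($fe, $patched);
    printf("patched=%d groups=[%s] group-3 record found=%d, any-login record found=%d\n",
        $patched, implode(',', $groups), recordFound([3], $groups), recordFound([-2], $groups));
}

$noGroups = new ModelFrontendUser(8, []); // constructed: logged in, no group assigned
visitorGroups($noGroups, true);
visitorGroups($noGroups, true);
printf("fetchGroupData() calls for a user without groups: %d\n", $noGroups->fetchCalls);
```

The last line of output counts one fetchGroupData() call per check for a user without groups, which is the repeated lookup the report raises as a possible performance impact.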