
Task #91782 (closed)

Remove lockToDomain feature

Added by Benni Mack almost 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Authentication
Target version:
Start date: 2020-07-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags:
Complexity:
Sprint Focus:

Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #94657: lockToDomain for multiple domains (Rejected, 2021-07-28)

Actions #1

Updated by Gerrit Code Review almost 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011

Actions #2

Updated by Gerrit Code Review almost 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011

Actions #3

Updated by Gerrit Code Review almost 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011

Actions #4

Updated by Benni Mack almost 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #5

Updated by Benni Mack over 3 years ago

  • Status changed from Resolved to Closed

Actions #6

Updated by Georg Ringer over 2 years ago

Actions #7

Updated by Bernhard Eckl over 2 years ago

Why is it removed?

Actions #8

Updated by Benni Mack over 2 years ago

Bernhard Eckl wrote in #note-7:

Why is it removed?

Hey Bernhard,

this feature was inconsistently implemented:

When considered as a security feature, this feature shows false security (on a per-user basis) as the user can fake the HTTP_HOST header to circumvent this option easily. Thus: it's not a security feature.

If used on a per-group basis (only attach a group when the user logs in via domain XYZ), it is impossible to fetch allowed groups for a specific user (e.g. to send out notifications for a usergroup in workspaces).

On a technical level: When using the TSconfig option, this is an architectural flaw: When a group should be added via TSconfig, the group's TSconfig option can never be applied, as the TSconfig has to be evaluated BEFORE the group can be added.

All of these arguments led me to decide to remove this feature in favor of consistency in our code base of TYPO3 Core. Depending on the use-case, this feature can be reimplemented for a specific use-case again as an extension.

Hope that helps; if you have further questions, feel free to reach out to me.
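
An added illustration of the two points made in #note-8, written as a small self-contained PHP model. It is not TYPO3 Core code and not code from this ticket; every function name (lockToDomainAllows, loginAllowedForSite, resolveEffectiveGroups), the sample user record, the site map and the TSconfig directive shape are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed model of the removed behaviour; not TYPO3 Core code.
// All names and records here are hypothetical.

// Point 1: the lock is decided from the request host. In PHP that value
// comes from $_SERVER['HTTP_HOST'], i.e. from the Host header the client
// sent, so the input to this check is supplied by the party being checked
// and the result only reflects what that party claimed.
function lockToDomainAllows(array $userRecord, string $requestHost): bool
{
    $lock = trim((string)($userRecord['lockToDomain'] ?? ''));
    return $lock === '' || strcasecmp($lock, $requestHost) === 0;
}

// Server-side alternative: let the server decide which site a request
// belongs to (from its own site configuration, resolved before login is
// evaluated) and grant access from group membership stored in the
// database. Neither input is taken from a request header.
function loginAllowedForSite(array $userRecord, string $siteIdentifier, array $requiredGroupsBySite): bool
{
    $required = $requiredGroupsBySite[$siteIdentifier] ?? [];
    if ($required === []) {
        return true; // site has no group restriction
    }
    return array_intersect($required, $userRecord['usergroup'] ?? []) !== [];
}

// Point 2: ordering. TSconfig is assembled from the groups a user has and
// then evaluated. A directive that appends a further group (the old
// "attach group X when logged in via domain Y" use) runs after assembly,
// so the appended group's own TSconfig is never part of what is applied.
function resolveEffectiveGroups(array $userRecord, array $groupTsconfig, string $requestHost): array
{
    $groups = $userRecord['usergroup'] ?? [];

    // Step 1: merge the TSconfig of every group known at this point.
    $tsconfig = [];
    $tsconfigAppliedFrom = [];
    foreach ($groups as $gid) {
        if (isset($groupTsconfig[$gid])) {
            $tsconfig = array_merge($tsconfig, $groupTsconfig[$gid]);
            $tsconfigAppliedFrom[] = $gid;
        }
    }

    // Step 2: evaluate directives; this may append groups, but step 1 is over.
    foreach ($tsconfig as $directive) {
        if (($directive['type'] ?? '') === 'addGroupForDomain'
            && strcasecmp((string)$directive['domain'], $requestHost) === 0
        ) {
            $groups[] = $directive['group'];
        }
    }

    return [
        'groups' => array_values(array_unique($groups)),
        'tsconfigAppliedFrom' => $tsconfigAppliedFrom,
    ];
}

// Constructed sample data.
$user = [
    'username' => 'editor',
    'usergroup' => [3],
    'lockToDomain' => 'intranet.example.test',
];
$requiredGroupsBySite = ['intranet' => [3], 'public' => [5]];
$groupTsconfig = [
    3 => [['type' => 'addGroupForDomain', 'domain' => 'intranet.example.test', 'group' => 7]],
    7 => [['type' => 'setting', 'key' => 'options.example', 'value' => 1]],
];

// Same user, same record: the outcome changes with whatever host string is passed in.
var_dump(lockToDomainAllows($user, 'intranet.example.test'));
var_dump(lockToDomainAllows($user, 'public.example.test'));

// Site resolved server-side, membership checked server-side.
var_dump(loginAllowedForSite($user, 'intranet', $requiredGroupsBySite));
var_dump(loginAllowedForSite($user, 'public', $requiredGroupsBySite));

// The directive appends group 7 only after the merge in step 1, so the
// entry for group 7 in $groupTsconfig never contributes to the applied TSconfig.
print_r(resolveEffectiveGroups($user, $groupTsconfig, 'intranet.example.test'));
```

Run it with the PHP CLI (php example.php). The first function shows why the lock cannot serve as an access boundary: its only variable input is a string the client chose. The second shows the shape of a replacement that an extension could implement, where both the site and the membership come from server-owned data. The third reproduces the ordering problem from the note: the appended group appears in the resolved group list, but the list of groups whose TSconfig was actually merged never includes it.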

Actions #9

Updated by Bernhard Eckl over 2 years ago

Thank you Benni for your explanation.

So currently the only way to let some users not log in is to use different sysfolders for the fe_users, right? Could get a little difficult for me.
I think it would be great if felogin would have an option to define some usergroups the user must belong to in order to get logged in.
