Task #91782
closed
Remove lockToDomain feature
100%
Updated by Gerrit Code Review about 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011
Updated by Gerrit Code Review about 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011
Updated by Gerrit Code Review about 4 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011
Updated by Benni Mack about 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0ce30f0afe9f73658d9b2546970c299eecdbe5ff.
Updated by Georg Ringer about 3 years ago
- Related to Feature #94657: lockToDomain for multiple domains added
Updated by Benni Mack about 3 years ago
Bernhard Eckl wrote in #note-7:
Why is it removed?
Hey Bernhard,
this feature was inconsistently implemented:
- When considered as a security feature, this feature shows false security (on a per-user basis) as the user can fake the HTTP_HOST header to circumvent this option easily. Thus: it's not a security feature.
- If used on a per-group basis (only attach a group when the user logs in via domain XYZ), it is impossible to fetch allowed groups for a specific user (e.g. to send out notifications for a usergroup in workspaces).
- On a technical level: When using the TSconfig option, this is an architectural flaw: When a group should be added via TSconfig, the group's TSconfig option can never be applied, as the TSconfig has to be evaluated BEFORE the group can be added.
All of these arguments led me to decide to remove this feature in favor of consistency in our code base of TYPO3 Core. Depending on the use-case, this feature can be reimplemented for a specific use-case again as an extension.
Hope that helps, if you have further questions, feel free to reach out to me.
Updated by Bernhard Eckl almost 3 years ago
Thank you Benni for your explanation.
So currently the only way to let some users not log in is to use different sysfolders for the fe_users, right? Could get a little difficult for me.
I think it would be great if felogin would have an option to define some usergroups the user must belong to in order to get logged in.
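Added example, not part of the thread and not TYPO3 Core code: a plain-PHP model of the first two points in the explanation above, next to a request-independent gate of the kind suggested in the last comment. All function names, array fields and domains are constructed for illustration; the group gate is hypothetical and not an existing felogin option.

```php
<?php
declare(strict_types=1);
// Constructed records; field names are illustrative, not the TYPO3 schema.
$groups = [
    'editors' => ['lockToDomain' => ''],
    'staff'   => ['lockToDomain' => 'intranet.example.org'],
];
$alice = ['lockToDomain' => 'intranet.example.org', 'groups' => ['editors', 'staff']];
function domainMatches(string $lock, string $host): bool
{
    return $lock === '' || strcasecmp($lock, $host) === 0;
}

// Per-user lock: the only input that varies is a header chosen by the client.
function hostLockAllowsLogin(array $user, array $server): bool
{
    return domainMatches($user['lockToDomain'], $server['HTTP_HOST'] ?? '');
}

// Per-group lock: effective groups depend on the request, so they are
// undefined when there is none (scheduler task, notification mailer).
function groupsForHost(array $user, array $groups, ?string $host): array
{
    if ($host === null) {
        throw new RuntimeException('no request context, effective groups undefined');
    }
    return array_values(array_filter(
        $user['groups'],
        fn (string $g): bool => domainMatches($groups[$g]['lockToDomain'], $host)
    ));
}

// Request-independent gate (hypothetical): membership in a required group.
function groupGateAllowsLogin(array $user, array $requiredGroups): bool
{
    return array_intersect($user['groups'], $requiredGroups) !== [];
}

foreach (['www.example.org', 'intranet.example.org'] as $host) {
    printf("Host=%s login=%s groups=%s\n", $host,
        var_export(hostLockAllowsLogin($alice, ['HTTP_HOST' => $host]), true),
        implode(',', groupsForHost($alice, $groups, $host)));
}
try {
    groupsForHost($alice, $groups, null);
} catch (RuntimeException $e) {
    echo 'CLI: ', $e->getMessage(), "\n";
}
var_dump(groupGateAllowsLogin($alice, ['staff']), groupGateAllowsLogin($alice, ['admins']));
```

The host-based results change with nothing but the request header, while the group gate depends only on stored data and gives the same answer for every request and for jobs that run without one.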