Bug #91837

Hardcoded fe_user uid 1337 in initializeFrontendPreview() in PreviewModule

Added by Oliver Schmidt 15 days ago.

Status: New
Priority: Should have
Assignee: -
Category: AdminPanel
Target version: -
Start date: 2020-07-22
Due date:
% Done: 0%
TYPO3 Version: 9
PHP Version: 7.4
Tags: 1337, PreviewModule, initializeFrontendPreview
Complexity:
Is Regression:
Sprint Focus:

Description

Hello everyone,

I found out that TYPO3 since version 9.5.15 uses a hardcoded fe_user uid when using the AdminPanel and simulating a user group. Its value is 1337 and it's defined in initializeFrontendPreview() in TYPO3\CMS\Adminpanel\Modules\PreviewModule on line 202 (v. 9.5.15) / 203 (master).

In our system we have a frontend user with this uid. Before rendering, some user information is queried in the database with that uid. Since then, we have had the problem that our editors are able to see information from this user and make settings on his behalf.

How should that problem be fixed? Is a hardcoded uid really needed? Is it possible to distinguish between the faked user and the real one, without querying them?

Kind regards
Oliver
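
The collision described in the report, reduced to plain PHP as an added example (not TYPO3 code and not from the reporter). The function names, the sample rows and the assumption that a simulated user array carries no username are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the fe_users table.
const FE_USERS = [
    1336 => ['uid' => 1336, 'username' => 'alice', 'email' => 'alice@example.org'],
    1337 => ['uid' => 1337, 'username' => 'bob',   'email' => 'bob@example.org'],
];

// Hypothetical stand-in for the preview step: only a group is simulated,
// but the in-memory user array also carries the fixed uid from the report.
function simulatePreviewUser(int $groupUid): array
{
    return ['uid' => 1337, 'usergroup' => (string)$groupUid];
}

// Pattern from the report: user data is re-read from storage by uid,
// so the simulated session resolves to whoever owns that uid.
function loadProfileByUid(array $sessionUser): ?array
{
    return FE_USERS[$sessionUser['uid'] ?? 0] ?? null;
}

// Defensive variant (assumption of this sketch): trust the uid only when the
// session array names the same user as the stored row. A simulated user that
// has no username never matches a real record.
function loadProfileChecked(array $sessionUser): ?array
{
    $row = FE_USERS[$sessionUser['uid'] ?? 0] ?? null;
    if ($row === null || !isset($sessionUser['username'])) {
        return null;
    }
    return hash_equals($row['username'], (string)$sessionUser['username']) ? $row : null;
}

$simulated = simulatePreviewUser(5);   // editor previewing as group 5 (constructed)
$realBob   = FE_USERS[1337];           // a genuinely logged-in user 1337

var_export(loadProfileByUid($simulated)['email'] ?? null);   // real user's data leaks
echo PHP_EOL;
var_export(loadProfileChecked($simulated));                  // simulated user rejected
echo PHP_EOL;
var_export(loadProfileChecked($realBob)['email'] ?? null);   // real login still works
echo PHP_EOL;
```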
