Bug #91837
closed
Hardcoded fe_user uid 1337 in initializeFrontendPreview() in PreviewModule
100%
Description
Hello everyone,
I found out that TYPO3 since version 9.5.15 uses a hardcoded fe_user uid when using the AdminPanel and simulating a user group. Its value is 1337 and it's defined in initializeFrontendPreview() in TYPO3\CMS\Adminpanel\Modules\PreviewModule on line 202 (v. 9.5.15) / 203 (master).
In our system we have a frontend user with this uid. Before rendering, some user information is queried in the database with that uid. Since then, we have had the problem that our editors are able to see information from this user and make settings on his behalf.
How should that problem be fixed? Is a hardcoded uid really needed? Is it possible to distinguish between the faked user and the real one, without querying them?
Kind regards
Oliver
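The collision described in the report, modeled as an added example that is not TYPO3 code and not part of the original ticket: a simulated user carrying a fixed uid is indistinguishable from the real record once site code looks the uid up. The table layout, function names, the `simulated` marker and the choice of uid 0 as "no real record" are assumptions made for illustration.

```python
import sqlite3

PREVIEW_UID = 1337  # the hardcoded uid named in the report

def make_db():
    # Constructed sample data: a real frontend user that happens to own uid 1337.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, address TEXT)")
    db.execute("INSERT INTO fe_users VALUES (1337, 'real.customer', '1 Sample Street')")
    db.execute("INSERT INTO fe_users VALUES (7, 'other.user', '2 Sample Street')")
    return db

def simulate_group_preview(usergroup):
    # Hypothetical stand-in for a group preview: only the group is meant to be
    # simulated, but a fixed uid is attached to the fake user as well.
    return {"uid": PREVIEW_UID, "usergroup": usergroup}

def load_profile_by_uid(db, user):
    # Pattern from the report: code trusts user["uid"] and queries the table.
    row = db.execute(
        "SELECT username, address FROM fe_users WHERE uid = ?", (user["uid"],)
    ).fetchone()
    return None if row is None else {"username": row[0], "address": row[1]}

def simulate_group_preview_marked(usergroup):
    # Assumed alternative: a uid no real record uses, plus an explicit marker,
    # so callers can tell the fake user apart without querying the database.
    return {"uid": 0, "usergroup": usergroup, "simulated": True}

def load_profile_guarded(db, user):
    # Refuse to resolve personal data for a simulated or record-less user.
    if user.get("simulated") or user["uid"] <= 0:
        return None
    return load_profile_by_uid(db, user)

def find_colliding_users(db, reserved_uids=(PREVIEW_UID,)):
    # Audit check: list real records that occupy a uid reserved for previews.
    marks = ",".join("?" for _ in reserved_uids)
    return db.execute(
        f"SELECT uid, username FROM fe_users WHERE uid IN ({marks}) ORDER BY uid",
        tuple(reserved_uids),
    ).fetchall()
```
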
Updated by Gerrit Code Review over 4 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65215
Updated by Gerrit Code Review over 4 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65215
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65195
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65219
Updated by Benni Mack over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset bb9eddcaed3d9504bb3bc241be256a8219979960.