Bug #91837
closed
Hardcoded fe_user uid 1337 in initializeFrontendPreview() in PreviewModule
100%
Description
Hello everyone,
I found out that TYPO3 since version 9.5.15 uses a hardcoded fe_user uid when using the AdminPanel and simulating a user group. Its value is 1337 and it's defined in initializeFrontendPreview() in TYPO3\CMS\Adminpanel\Modules\PreviewModule on line 202 (v. 9.5.15) / 203 (master).
In our system we have a frontend user with this uid. Before rendering, some user information is queried in the database with that uid. Since then, we have had the problem that our editors are able to see information from this user and make settings on his behalf.
How should that problem be fixed? Is a hardcoded uid really needed? Is it possible to distinguish between the faked user and the real one, without querying them?
Kind regards
Oliver
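The collision described in this report, modelled as an added example that is not part of the original report and is not TYPO3 code: a simulated preview user carrying the fixed uid 1337 resolves to a real record when extension code looks the uid up, and a guarded lookup avoids that. The table contents, the `simulated` marker and all function names are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows standing in for the fe_users table.
const FE_USERS = [
    42   => ['uid' => 42,   'username' => 'alice', 'email' => 'alice@example.org'],
    1337 => ['uid' => 1337, 'username' => 'bob',   'email' => 'bob@example.org'],
];

// Hypothetical stand-in for the user array left in place when a preview
// simulates a user group with a fixed uid, as the report describes.
function simulatedPreviewUser(int $groupId): array
{
    return ['uid' => 1337, 'usergroup' => (string)$groupId, 'simulated' => true];
}

// Before: site code trusts the uid and queries by it, so the simulated
// user resolves to whichever real record owns uid 1337.
function loadProfileUnguarded(array $sessionUser): ?array
{
    return FE_USERS[$sessionUser['uid']] ?? null;
}

// After: a session marked as simulated is never resolved against stored
// records, so no real user's data is read or changed on its behalf.
function loadProfileGuarded(array $sessionUser): ?array
{
    if (($sessionUser['simulated'] ?? false) === true) {
        return null;
    }
    return FE_USERS[$sessionUser['uid']] ?? null;
}

// Audit helper: does a reserved placeholder uid collide with a stored user?
function reservedUidCollides(int $reservedUid, array $users): bool
{
    return array_key_exists($reservedUid, $users);
}

$preview = simulatedPreviewUser(3);
var_dump(reservedUidCollides(1337, FE_USERS));
var_dump(loadProfileUnguarded($preview));
var_dump(loadProfileGuarded($preview));
```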