Bug #92288

Public access can't be denied in GeneratePublicUrlForResourceEvent

Added by Georg Tiefenbrunn 15 days ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-09-11
Due date:
% Done:

0%

TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/ApiOverview/Hooks/Events/Core/Resource/GeneratePublicUrlForResourceEvent.html

Method: setPublicUrl(?string $publicUrl)
Description: Sets new public URL of resource - or removes public url (by setting null), disallowing public access.

Calling setPublicUrl(null) in an event listener does not disallow public access.

Perhaps GeneratePublicUrlForResourceEvent should implement StoppableEventInterface so we can force publicUrl = null.

As a workaround publicUrl can be set to an empty string (setPublicUrl('')). But that causes false URI generation using core ViewHelpers (e.g. f:uri.image) with absolute="true".

Also available in: Atom PDF