Bug #93049

Backend user must have write privileges for exclude field be_users.password or password update is silently rejected

Added by Claus Due 10 months ago. Updated 6 months ago.

Should have
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


Not sure if this is a bug or by design. If by design, a FlashMessage would be nice when a user attempts to change their password without the necessary access. Currently, an OK FlashMessage is dispatched which says "Password updated" even if the password update is ignored.

When a non-admin user uses "User Settings" to update their password, the update is silently rejected if the user(-group) does not have edit access for the specific field be_users.password, since this field is filtered out in DataHandler when processing exclude fields.

Observed on 9.5 but most likely behaves the same on all versions.


Updated by Francois Suter 9 months ago

If I assume that this report is related to https://github.com/koninklijke-collective/my_user_management/issues/54, then this is not a core bug. It is due to extension "my_user_management" making all fields of table "be_users" excluded.


Updated by Riccardo De Contardi 6 months ago

I tend to agree with Francois Suter, as far as I can see, the ACL of a BE usergroup on TYPO3 does not include the be_users table, so using TYPO3 alone an admin cannot grant grant or revoke privileges of a BE usergroup on the be_user table.

Is there something I miss?

Also available in: Atom PDF