Bug #93049
closed
Backend user must have write privileges for exclude field be_users.password or password update is silently rejected
0%
Description
Not sure if this is a bug or by design. If by design, a FlashMessage would be nice when a user attempts to change their password without the necessary access. Currently, an OK FlashMessage is dispatched which says "Password updated" even if the password update is ignored.
When a non-admin user uses "User Settings" to update their password, the update is silently rejected if the user(-group) does not have edit access for the specific field be_users.password, since this field is filtered out in DataHandler when processing exclude fields.
Observed on 9.5 but most likely behaves the same on all versions.
Updated by Francois Suter almost 4 years ago
If I assume that this report is related to https://github.com/koninklijke-collective/my_user_management/issues/54, then this is not a core bug. It is due to extension "my_user_management" making all fields of table "be_users" excluded.
Updated by Riccardo De Contardi over 3 years ago
I tend to agree with Francois Suter, as far as I can see, the ACL of a BE usergroup on TYPO3 does not include the be_users table, so using TYPO3 alone an admin cannot grant grant or revoke privileges of a BE usergroup on the be_user table.
Is there something I miss?
Updated by Georg Ringer 5 months ago
- Status changed from New to Rejected
closing issue as lack of feedback and seems not to be a core issue. feel free to reopen a new issue if still relevant