Bug #93049

Backend user must have write privileges for exclude field be_users.password or password update is silently rejected

Added by Claus Due 10 months ago. Updated 6 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-12-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Not sure if this is a bug or by design. If by design, a FlashMessage would be nice when a user attempts to change their password without the necessary access. Currently, an OK FlashMessage is dispatched which says "Password updated" even if the password update is ignored.

When a non-admin user uses "User Settings" to update their password, the update is silently rejected if the user(-group) does not have edit access for the specific field be_users.password, since this field is filtered out in DataHandler when processing exclude fields.

Observed on 9.5 but most likely behaves the same on all versions.

#1

Updated by Francois Suter 9 months ago

If I assume that this report is related to https://github.com/koninklijke-collective/my_user_management/issues/54, then this is not a core bug. It is due to extension "my_user_management" making all fields of table "be_users" excluded.

#2

Updated by Riccardo De Contardi 6 months ago

I tend to agree with Francois Suter, as far as I can see, the ACL of a BE usergroup on TYPO3 does not include the be_users table, so using TYPO3 alone an admin cannot grant grant or revoke privileges of a BE usergroup on the be_user table.

Is there something I miss?

Also available in: Atom PDF