Project

General

Profile

Actions

Bug #93049

closed

Backend user must have write privileges for exclude field be_users.password or password update is silently rejected

Added by Claus Due almost 4 years ago. Updated 5 months ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2020-12-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
9
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Not sure if this is a bug or by design. If by design, a FlashMessage would be nice when a user attempts to change their password without the necessary access. Currently, an OK FlashMessage is dispatched which says "Password updated" even if the password update is ignored.

When a non-admin user uses "User Settings" to update their password, the update is silently rejected if the user(-group) does not have edit access for the specific field be_users.password, since this field is filtered out in DataHandler when processing exclude fields.

Observed on 9.5 but most likely behaves the same on all versions.

Actions #1

Updated by Francois Suter almost 4 years ago

If I assume that this report is related to https://github.com/koninklijke-collective/my_user_management/issues/54, then this is not a core bug. It is due to extension "my_user_management" making all fields of table "be_users" excluded.

Actions #2

Updated by Riccardo De Contardi over 3 years ago

I tend to agree with Francois Suter, as far as I can see, the ACL of a BE usergroup on TYPO3 does not include the be_users table, so using TYPO3 alone an admin cannot grant grant or revoke privileges of a BE usergroup on the be_user table.

Is there something I miss?

Actions #3

Updated by Georg Ringer 5 months ago

  • Status changed from New to Rejected

closing issue as lack of feedback and seems not to be a core issue. feel free to reopen a new issue if still relevant

Actions

Also available in: Atom PDF