Bug #97803
open
User has no page mount but gets the whole page tree
Description
I created a new user and assigned a default group which assigns modules and config settings but no page in the db mounts. When I switch to the user I can see all pages in the pagetree (wrong behaviour, no page should be seen). If I assign the user or its group a page db mount only that page is shown (correct behaviour).
Updated by Hartmut Steglich over 2 years ago
had this recently also in TYPO3 >= 11.5.9
Updated by Riccardo De Contardi over 1 year ago
I have performed the following test with TYPO3 9, 10, 11, 12, 13:
Prerequisites
- fresh TYPO3 installation
- some pages on the pageTree, a starting home page and a couple of subpages
- an "editors" BE group
- an "editor" BE user
Test procedure
1. Access module > ensure that all the pages belong to the "Editors" group (owner can be your admin user)
2. [Root] > list view > edit "editors" BE Group and
2.1 Tab "Access List" > add everything
2.2 Tab "Mounts and Workspaces" > DO NOT ADD a DB Mount
2.3 Save & close
3. [Root] > list view > edit "editor" BE User and
3.1 Tab "Access List" > add everything
3.2 Tab "Mounts and Workspaces" > DO NOT ADD a DB Mount and check "Mount from groups" > DB Mount
3.3 Save & Close
- Switch to "Editor"
- Click on page module
Test Results
TYPO3 Version | Pagetree | Interaction with the pagetree (i.e. clicking on a page) |
---|---|---|
9.5.31 | the pagetree is totally absent | no interaction is possible, an error card is shown on the right side of the interface with the text "Page tree error Got unexpected response from the server. Please check logs for details." |
10.4.37 | the pagetree is visible and shows the pages belonging to the group | The backend crashes with the error message: Whoops, looks like something went wrong. (1/1) #1289917924 RuntimeException You don't have access to this page in /Sites/typo3.10.test.composer.it/public/typo3/sysext/backend/Classes/Http/RouteDispatcher.php line 157 |
11.5.30 | the pagetree is visible and shows the pages belonging to the group | it shows an error page with the message: 503 Oops, an error occurred! You don't have access to this page |
12.4.4 and 13.0.0-dev | the pagetree is visible and shows the pages belonging to the group | The backend crashes with the error message: Whoops, looks like something went wrong. (1/1) #1289917924 RuntimeException You don't have access to this page in /var/www/html/vendor/typo3/cms-backend/Classes/Middleware/BackendModuleValidator.php line 184 |
Updated by Annett Jähnichen over 1 year ago
- Related to Feature #77990: Visible Access Check for BE-Users and their given DB-Mounts added
Updated by Riccardo De Contardi 5 months ago
I write here the description of #101336 ("Pages are shown in page tree even if (non-admin) BE user has no DB mounts and "Mount from groups" "DB Mounts" is off") to keep track of it
This could also be a privacy problem because the user sees pages in the page tree which he has no business seeing (which might be access protected).
He can also see
- which user is currently editing the page (see first screenshot)
I could reproduce it in a way where the user sees all pages in the entire installation (even though they are not even in the DB mount in the group).
Is only reproducible
- if the user does not have any DB mounts at all
- OR has a DB mount but no permission for the pages.
This could happen by wrong page permissions or misconfiguration of BE user.
Reproduce
create user with no DB mount and set "Mount from groups" | "DB mounts" to off, assign this user to a group
add a DB mount in the group
switch to user
switch to page module (or list module)
Result
The pages which are available for the group will now be displayed in the pagetree but the user has no access to them. If he clicks on a page, an exception is thrown: "You don't have access to this page".
Also: context menu | "Info" is displayed, but this results in the error message: "Sorry, you didn't have proper permissions to perform this change."
Expected behaviour
- If the user does not have access to the pages, they should not be displayed in the page tree and if he has access to no pages, no pages should be displayed in page tree
- in one case, an exception is thrown, in the other (Context "Info") a modal dialog is displayed with error. I would always expect the error message, not the exception
Setup
user1:
has mostly default permissions, no DB mounts or any modifications of permissions, except:
has group group1
"Mounts and Workspaces" | "Mount from groups" | "DB Mounts" is off
group1
has DB mount (page id 1)
has access to all modules: "Access Lists" | "Modules" : all selected
has (read) access to all tables: "Access Lists" | "Tables (listing)" : all selected
page tree (page id 1):
"everybody" has all permissions (set in "Access" module)
Versions
Reproduced with v11 ... latest main
Updated by Riccardo De Contardi 5 months ago
- Related to Bug #101336: Pages are shown in page tree even if (non-admin) BE user has no DB mounts and "Mount from groups" "DB Mounts" is off added
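An audit for the account state this ticket describes, added here as an example and not taken from the ticket or from TYPO3 itself: it lists active non-admin backend users whose effective DB mount set is empty, so they can be reviewed until the page tree behaviour is fixed. It assumes the stock `be_users` / `be_groups` columns, that bit 1 of `be_users.options` is the "Mount from groups > DB Mounts" checkbox, and that mounts are inherited through `be_groups.subgroup`; the rows are constructed sample data, and hidden or deleted groups are not filtered.

```python
import sqlite3

# Constructed sample data; table and column names are assumed from a stock TYPO3 schema.
SAMPLE = """
CREATE TABLE be_groups (uid INTEGER, title TEXT, db_mountpoints TEXT, subgroup TEXT);
CREATE TABLE be_users (uid INTEGER, username TEXT, admin INTEGER, disable INTEGER,
                       deleted INTEGER, db_mountpoints TEXT, options INTEGER, usergroup TEXT);
INSERT INTO be_groups VALUES (1,'editors','',''), (2,'group1','1',''), (3,'parent','','2');
INSERT INTO be_users VALUES
  (1,'admin', 1,0,0,'', 3,''),
  (2,'editor',0,0,0,'', 3,'1'),  -- inherits from a group that has no DB mount
  (3,'user1', 0,0,0,'', 2,'2'),  -- group has a mount, "DB Mounts" inheritance is off
  (4,'nested',0,0,0,'', 3,'3'),  -- mount reached through a subgroup
  (5,'direct',0,0,0,'7',0,'');   -- own DB mount, no groups
"""

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def csv_ids(value):
    """Parse a comma-separated uid list as stored in mount and group fields."""
    return [int(v) for v in (value or "").split(",") if v.strip().isdigit()]

def group_mounts(groups, uid, seen):
    """Collect DB mounts of a group and its subgroups, guarding against cycles."""
    if uid in seen or uid not in groups:
        return set()
    seen.add(uid)
    mounts, subgroups = groups[uid]
    found = set(csv_ids(mounts))
    for sub in csv_ids(subgroups):
        found |= group_mounts(groups, sub, seen)
    return found

def users_without_db_mount(conn):
    groups = {uid: (m, s) for uid, m, s in
              conn.execute("SELECT uid, db_mountpoints, subgroup FROM be_groups")}
    flagged = []
    for name, own, options, usergroup in conn.execute(
            "SELECT username, db_mountpoints, options, usergroup FROM be_users "
            "WHERE admin = 0 AND disable = 0 AND deleted = 0 ORDER BY uid"):
        mounts = set(csv_ids(own))
        if (options or 0) & 1:  # assumed: bit 1 = "Mount from groups > DB Mounts"
            seen = set()
            for gid in csv_ids(usergroup):
                mounts |= group_mounts(groups, gid, seen)
        if not mounts:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(users_without_db_mount(sample_db()))
```

Against a real installation, point the connection at a read-only copy of the TYPO3 database instead of `sample_db()`.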