Bug #23412
Updated by Mathias Schreiber over 9 years ago
Hi
we have done quite some debugging concerning the adminPanel configuration and found some bugs. a patch is supplied.
thanks for your answer.
Mike
part 1: analysis
On our website, we use some front-end preview and edit features offered by typo3.
We do not want the adminPanel to show, therefore we use some TSconfig in the back end user group to configure the adminPanel settings.
In an attempt to clean up our TS, we discovered some weird stuff regarding the configuration of the adminPanel.
here is some of our original TS:
admPanel {
hide = 1
enable.preview = 1
override.preview = 1
override.preview.showHiddenPages = 0
module.preview.showHiddenPages = 0
override.preview.showHiddenRecords = 1
module.preview.showHiddenRecords = 1
override.preview.simulateUserGroup = 7
}
it has the following effects:
- adminPanel is hidden -> ok
- adminPanel preview is activated -> ok
- hidden pages are shown -> not ok!
- hidden records are shown -> ok
- simulated user group: 7 -> ok
- simulated timestamp: 1 -> not ok!
by fiddling with these values, we discovered the following:
- the module.preview.* settings are dead
- the override.preview.* settings are all ignored as long as we used "override.preview = 1"
we had no clue, what "override.preview = 1" was supposed to mean.
when we removed it, we saw the following:
- the preview was not working, any more
- the override.preview.* settings had no effect
it was time to look at the source:
we discovered the method tslib_AdminPanel::extGetFeAdminValue():
- it seems to supply most preview/feedit functions with the current values.
- it contains many hard-coded exceptions (mainly regarding the edit module)
- the override settings can only override if they have a value that evaluates to true! as a consequence, "override.preview.showHiddenPages = 0" will be ignored.
- "override.preview = 1" is interpreted as a default setting for all override.preview.* settings! that is the reason why our preview simulated a timestamp of "1".
- when "override.preview = 1" is not set in the TSconfig and the adminPanel is not shown and opened, the preview is not shown. why?
unfortunately, the edit module doesn't use this function:
tx_feedit_editpanel::editPanelLinkWrap_doWrap gets its values directly from the user submitted values of the adminPanel and is therefore not configurable by TSconfig.
part 2: conclusion
we identified the following bugs:
- "override.preview = 1" being required to activate the preview if the adminPanel is hidden. (*)
- override.* settings can only override if they evaluate to true (*)
- some admPanel modules getting their values by circumventing tslib_AdminPanel::extGetFeAdminValue(). this applies to the settings: override.edit.editFormsOnPage and override.edit.editNoPopup. they simply have no effect!
- back-end users were able to see content that they had no front-end or back-end access to, just by simulating a user group in the adminPanel or by supplying an url parameter like:
&TSFE_ADMIN_PANEL%5Bpreview_simulateUserGroup%5D=1,2,3,4,5,6,7
- ADMCMD_simUser only uses the first group id if a list is given. p.e. ADMCMD_simUser=1,2 ignores group 2!
we identified the following problems:
- admPanel TS documentation not being in sync with the actual code.
- two different flavors of preview. one by selecting the view action in the context menu of a page and the preview function of the Web > View module. the latter uses the ADMCMD_simUser and ADMCMD_simTime url parameters.
we have supplied a patch that addresses the above bugs marked by a star (*)
after applying the patch, we are able to use the following TSconfig:
admPanel {
// don't show adminPanel
hide = 1
// hide all adminPanel modules by default
enable.all= 0
// activate preview module
enable.preview = 1
// don't show hidden pages in nav menus
override.preview.showHiddenPages = 0
// show hidden content elements
override.preview.showHiddenRecords = 1
// simulate user group
override.preview.simulateUserGroup = 7
}
the override.preview.* settings are now working as expected, as our preview now shows hidden records but no hidden pages.
(issue imported from #M15511)