Bug #23412

Updated by Mathias Schreiber over 7 years ago

Hi 

 we have done quite some debugging concerning the adminPanel configuration and found some bugs. a patch is supplied. 

 thanks for your answer. 
 Mike 


 part 1: analysis 

 On our website, we use some front-end preview and edit features offered by TYPO3.

 We do not want the adminPanel to show, therefore we use some TSconfig in the back end user group to configure the adminPanel settings. 

 In an attempt to clean up our TS, we discovered some weird stuff regarding the configuration of the adminPanel. 

 here is some of our original TS: 

 admPanel { 
	 hide = 1 

	 enable.preview = 1 
	 override.preview = 1 

	 override.preview.showHiddenPages = 0 
	 module.preview.showHiddenPages = 0 
	 override.preview.showHiddenRecords = 1 
	 module.preview.showHiddenRecords = 1 
	 override.preview.simulateUserGroup = 7 
 }  

 it has the following effects: 
 - adminPanel is hidden -> ok 
 - adminPanel preview is activated -> ok 
 - hidden pages are shown -> not ok! 
 - hidden records are shown -> ok 
 - simulated user group: 7 -> ok 
 - simulated timestamp: 1 -> not ok! 

 by fiddling with these values, we discovered the following: 
 - the module.preview.* settings are dead 
 - the override.preview.* settings are all ignored as long as we used "override.preview = 1" 

 we had no clue what "override.preview = 1" was supposed to mean.

 when we removed it, we saw the following: 
 - the preview was not working any more
 - the override.preview.* settings had no effect 

 it was time to look at the source: 

 we discovered the method tslib_AdminPanel::extGetFeAdminValue(): 
 - it seems to supply most preview/feedit functions with the current values.  
 - it contains many hard-coded exceptions (mainly regarding the edit module) 
 - the override settings can only override if they have a value that evaluates to true! as a consequence, "override.preview.showHiddenPages = 0" will be ignored. 
 - "override.preview = 1" is interpreted as a default setting for all override.preview.* settings! that is the reason why our preview simulated a timestamp of "1". 
 - when "override.preview = 1" is not set in the TSconfig and the adminPanel is not shown and opened, the preview is not shown. why? 

 unfortunately, the edit module doesn't use this function:  
 tx_feedit_editpanel::editPanelLinkWrap_doWrap gets its values directly from the user submitted values of the adminPanel and is therefore not configurable by TSconfig. 


 part 2: conclusion 

 we identified the following bugs: 
 - "override.preview = 1" being required to activate the preview if the adminPanel is hidden. (*) 
 - override.* settings can only override if they evaluate to true (*) 
 - some admPanel modules getting their values by circumventing tslib_AdminPanel::extGetFeAdminValue(). this applies to the settings: override.edit.editFormsOnPage and override.edit.editNoPopup. they simply have no effect! 
 - back-end users were able to see content that they had no front-end or back-end access to, just by simulating a user group in the adminPanel or by supplying a URL parameter like:
 &TSFE_ADMIN_PANEL%5Bpreview_simulateUserGroup%5D=1,2,3,4,5,6,7 
 - ADMCMD_simUser only uses the first group id if a list is given. e.g. ADMCMD_simUser=1,2 ignores group 2!

 we identified the following problems: 
 - admPanel TS documentation not being in sync with the actual code. 
 - two different flavors of preview. one by selecting the view action in the context menu of a page and the preview function of the Web > View module. the latter uses the ADMCMD_simUser and ADMCMD_simTime URL parameters.

 we have supplied a patch that addresses the above bugs marked by a star (*) 

 after applying the patch, we are able to use the following TSconfig: 

 admPanel { 
   // don't show adminPanel 
   hide = 1 

   // hide all adminPanel modules by default 
   enable.all = 0

   // activate preview module 
   enable.preview = 1 

   // don't show hidden pages in nav menus 
   override.preview.showHiddenPages = 0 

   // show hidden content elements 
   override.preview.showHiddenRecords = 1 

   // simulate user group 
   override.preview.simulateUserGroup = 7 
 } 

 the override.preview.* settings are now working as expected, as our preview now shows hidden records but no hidden pages. 

 (issue imported from #M15511)
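
The override behaviour analysed in part 1, as a simplified model added here (it is not TYPO3's code and not the supplied patch): `getOverrideTruthy` reproduces the reported lookup, where a value of 0 is ignored and `override.preview = 1` becomes the value of every preview setting, while `getOverrideIsset` treats "set to 0" differently from "not set". The function names, the flattened config array and the `simulateDate` key for the simulated timestamp are assumptions made for the example.

```php
<?php
// Simplified model of an override lookup; NOT TYPO3's tslib_AdminPanel code.
// Config layout and function names are assumptions made for this example.

// Constructed TSconfig, flattened: "override.preview" is the module-level
// switch, "override.preview.<key>" are the per-setting overrides.
$tsConfig = [
    'override.preview'                   => '1',
    'override.preview.showHiddenPages'   => '0',
    'override.preview.showHiddenRecords' => '1',
    'override.preview.simulateUserGroup' => '7',
];

// Reported behaviour: an override is honoured only if it is truthy, and the
// module-level value is used as a fallback for every setting of the module.
function getOverrideTruthy(array $conf, string $module, string $key, $userValue)
{
    if (!empty($conf["override.$module.$key"])) {   // empty('0') is true in PHP
        return $conf["override.$module.$key"];
    }
    if (!empty($conf["override.$module"])) {
        return $conf["override.$module"];           // '1' leaks in as the value
    }
    return $userValue;
}

// Presence check: '0' is a valid override, and the module-level switch is
// never returned as a setting value.
function getOverrideIsset(array $conf, string $module, string $key, $userValue)
{
    $path = "override.$module.$key";
    if (array_key_exists($path, $conf) && $conf[$path] !== '') {
        return $conf[$path];
    }
    return $userValue;
}

// 'simulateDate' has no override configured (key name assumed for the example).
foreach (['showHiddenPages', 'showHiddenRecords', 'simulateUserGroup', 'simulateDate'] as $key) {
    printf(
        "%-18s truthy=%-5s isset=%s\n",
        $key,
        var_export(getOverrideTruthy($tsConfig, 'preview', $key, null), true),
        var_export(getOverrideIsset($tsConfig, 'preview', $key, null), true)
    );
}
```

With the truthy check, a restrictive setting written as 0 fails open, which is why a lookup for access-relevant configuration should test for presence rather than truthiness.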
