Project

General

Profile

Bug #90989

Updated by Reiner Kempkes over 4 years ago

*Preparation* 
 News extension and Frontend user authentication is already set up and running properly. 
 Create a frontend user and a news record, User and news record must be assigned to the same frontend group.  
 As alternative use "Show at any login" (-2) as access restriction for the news record. 

 Log in via frontend authentication. 
 Access a news detail page containing an access restricted news record. 

 *Current Behaviour* 
 A 404 error is thrown. 

 *Expected Behaviour* 
 The news detail page with the given record is shown. 

 *Debugging* 
 I traced the issue down to the UserAspect class, which is not properly initialized. 

 When <code>PersistedAliasMapper->findByRouteFieldValue()</code> is processing the news record lookup via <code>QueryBuilder</code>, which uses a <code>FrontendGroupRestriction</code>. There the 'frontend.user' aspect is utilized to determine valid frontend groups. Therefore <code>UserAspect->isLoggedIn()</code> is called, but the second condition of the first return statement fails, even when the user is logged in properly. This is caused due to an empty <code>$this->user->groupData['uid']</code> array within the <code>UserAspect->isLoggedIn()</code> method. 
 Therefore the user lookup fails, which causes the group restriction lookup to fail, and therefore causing the <code>QueryBuilder</code> to fail fetching the news record, which causes the 404. 

 *Solution and Patch* 
 After a search for other usages i found <code>TypoScriptFrontendController->initUserGroups()</code>, which is are calling <code>FrontendUserAuthentication->fetchGroupData()</code> to initialize the groupData array before processing user groups. 
 When i apply the same behaviour via the following patch to the <code>UserAspect</code> class, my issue is resolved properly and i am able to see the news detail page with the access restricted news, as expected. 

 <pre><code class="php"> 
 public function isLoggedIn(): bool 
 { 
     if ($this->user instanceof FrontendUserAuthentication) { 
         // PATCH BEGIN 
         if (empty($this->user->groupData['uid'])) { 
             $this->user->fetchGroupData(); 
         } 
         // PATCH END 
         return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0 && !empty($this->user->groupData['uid'] ?? null); 
     } 
     return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0; 
 } 
 </code></pre> 

 I am unable to determine if this kind of patch is best practice or will break anything else. 
 Furthermore i am not able to determine any performance impacts.  
 It might have a small performance impact, if <code>groupData</code> will be empty even after <code>fetchGroupData()</code> has been called, because it will then call <code>fetchGroupData()</code> again, every time when <code>UserAspect->isLoggedIn()</code> is called.  

 #90070 might be related to this. 

 *System Environment* 
 * Currently only tested with TYPO3 9.5.15 
 * News in version 7.3.1 is installed 
 * Properly configured site configuration 

 Site Configuration: 
 <pre><code class="yaml"> 
 News: 
   type: Extbase 
   extension: News 
   plugin: Pi1 
   routes: 
     - 
       routePath: '/article/{news-title}' 
       _controller: 'News::detail' 
       _arguments: 
         news-title: news 
   defaultController: 'News::list' 
   aspects: 
     news-title: 
       type: PersistedAliasMapper 
       tableName: tx_news_domain_model_news 
       routeFieldName: path_segment 
 </code></pre> 

Back