Bug #90989
Updated by Reiner Kempkes over 4 years ago
*Preparation*

* News extension and Frontend user authentication are already set up and running properly (see System Environment section below).
* Create a frontend user and a news record. User and news record must be assigned to the same frontend group. As an alternative, use "Show at any login" (-2) as access restriction for the news record.
* Log in via frontend authentication.
* Access a news detail page containing an access restricted news record.

*Current Behaviour*

A 404 error is thrown.

*Expected Behaviour*

The news detail page with the given record is shown.

*Debugging*

I traced the issue down to the UserAspect class, which is not properly initialized. <code>PersistedAliasMapper->findByRouteFieldValue()</code> is processing the news record lookup via <code>QueryBuilder</code>, which uses a <code>FrontendGroupRestriction</code>. There the 'frontend.user' aspect is utilized to determine valid frontend groups. Therefore <code>UserAspect->isLoggedIn()</code> is called, but the second condition of the first return statement fails, even when the user is logged in properly. This is caused by an empty <code>$this->user->groupData['uid']</code> array within the <code>UserAspect->isLoggedIn()</code> method. Therefore the user lookup fails, which causes the group restriction lookup to fail, which in turn causes the <code>QueryBuilder</code> to fail fetching the news record, which causes the 404.

*Solution and Patch*

After a search for other usages I found <code>TypoScriptFrontendController->initUserGroups()</code>, which is calling <code>FrontendUserAuthentication->fetchGroupData()</code> to initialize the groupData array before processing user groups. When I apply the same behaviour via the following patch to the <code>UserAspect</code> class, my issue is resolved properly and I am able to see the news detail page with the access restricted news, as expected.

<pre><code class="php">
    public function isLoggedIn(): bool
    {
        if ($this->user instanceof FrontendUserAuthentication) {
            // PATCH BEGIN
            if (empty($this->user->groupData['uid'])) {
                $this->user->fetchGroupData();
            }
            // PATCH END
            return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0 && !empty($this->user->groupData['uid'] ?? null);
        }
        return ($this->user->user[$this->user->userid_column ?? 'uid'] ?? 0) > 0;
    }
</code></pre>

I am unable to determine if this kind of patch is best practice or will break anything else. Furthermore I am not able to determine any performance impacts. It might have a small performance impact if <code>groupData</code> is still empty even after <code>fetchGroupData()</code> has been called, because it will then call <code>fetchGroupData()</code> again every time <code>UserAspect->isLoggedIn()</code> is called.

#90070 might be related to this.

*System Environment*

* Currently only tested with TYPO3 9.5.15
* News in version 7.3.1 is installed
* Properly configured site configuration

Site Configuration:

<pre><code class="yaml">
News:
  type: Extbase
  extension: News
  plugin: Pi1
  routes:
    - routePath: '/article/{news-title}'
      _controller: 'News::detail'
      _arguments:
        news-title: news
  defaultController: 'News::list'
  aspects:
    news-title:
      type: PersistedAliasMapper
      tableName: tx_news_domain_model_news
      routeFieldName: path_segment
</code></pre>
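The repeated-fetch concern raised in the report, as an added example that is not part of the original report and is not TYPO3 code: stand-in classes model the lazily loaded group data and guard the fetch with a per-instance flag, so it runs at most once even for a user without groups. <code>StubFrontendUser</code>, <code>StubUserAspect</code>, the <code>$lazyFetch</code> switch and the sample users are assumptions made for illustration.

```php
<?php
// Hypothetical stand-in for FrontendUserAuthentication: groups load lazily via fetchGroupData().
final class StubFrontendUser
{
    public $user;
    public $groupData = ['uid' => []];
    public $fetchCalls = 0;
    private $storedGroups;
    public function __construct(int $uid, array $storedGroups)
    {
        $this->user = ['uid' => $uid];
        $this->storedGroups = $storedGroups; // constructed group membership
    }
    public function fetchGroupData(): void
    {
        $this->fetchCalls++;
        $this->groupData['uid'] = $this->storedGroups;
    }
}

// Hypothetical stand-in for UserAspect: the report's condition, with the fetch tried at most once.
final class StubUserAspect
{
    private $user;
    private $lazyFetch;
    private $fetchAttempted = false;
    public function __construct(StubFrontendUser $user, bool $lazyFetch)
    {
        $this->user = $user;
        $this->lazyFetch = $lazyFetch;
    }
    public function isLoggedIn(): bool
    {
        if ($this->lazyFetch && !$this->fetchAttempted && empty($this->user->groupData['uid'])) {
            $this->fetchAttempted = true; // remember the attempt even if no groups come back
            $this->user->fetchGroupData();
        }
        return ($this->user->user['uid'] ?? 0) > 0 && !empty($this->user->groupData['uid']);
    }
}

// Constructed sample data: [uid, stored groups, lazy fetch enabled].
foreach ([[7, [3], false], [7, [3], true], [8, [], true]] as [$uid, $groups, $lazy]) {
    $user = new StubFrontendUser($uid, $groups);
    $aspect = new StubUserAspect($user, $lazy);
    for ($i = 0; $i < 3; $i++) { $loggedIn = $aspect->isLoggedIn(); }
    printf("uid=%d lazy=%s loggedIn=%s fetchCalls=%d\n", $uid, var_export($lazy, true), var_export($loggedIn, true), $user->fetchCalls);
}
```

The first row models the unpatched behaviour described under Debugging, the second the patched lookup, and the third a user without groups, where the flag keeps the fetch count from growing with each call.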