[TYPO3-dev] TCE Datahandler admin-flag not working correctly
Jigal van Hemert
jigal.van.hemert at typo3.org
Wed Jan 6 14:54:45 CET 2016
Hi,
On 05/01/2016 22:09, Jan Bartels wrote:
> I've just debugged the SysAction for adding/editing BE-Users. See
> https://forge.typo3.org/issues/72391 for details.
>
> I think that the TCE-DataHandler is not working correctly in this
> use-case. The method ActionTask::saveNewBackendUser() calls the
> TCE-DataHandler as follows:
>
> // Save/update user by using TCEmain
> if (is_array($data)) {
> $tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
>
> $tce->stripslashes_values = 0;
> $tce->start($data, array(), $GLOBALS['BE_USER']);
> $tce->admin = 1;
> $tce->process_datamap();
>
> The admin-flag should enable TCEmain to set all DB-fields without any
> restrictions, but DataHandler::fillInFieldArray() ignores the admin-flag
> when checking for disabled fields:
>
> foreach ($incomingFieldArray as $field => $fieldValue) {
> if (!in_array(($table . '-' . $field), $this->exclude_array) &&
> !$this->data_disableFields[$table][$id][$field] ) {
>
> I'd suggest to add an extra condition "|| $this->admin" to this
> if-statement to ignore any disabled fields that are restricting the
> original calling BE-user.
$this->exclude_array is set to an empty array if $this->admin evaluates
to true. $this->data_disableFields is an empty array if you didn't fill
it yourself.
The problem is that you set $tce->admin, which is actually an internal
variable (but unfortunately not labelled as such because it originates
from a long time ago).
Inside $tce->start() admin is set to the admin status of the BE user and
if admin is set, exclude_array is set to an empty array (otherwise to
the generated exclude list).
A possible workaround could be to copy the global BE user, set the admin
property in that user and pass it as BE user to start():
$tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
$myBeUser = $GLOBALS['BE_USER'];
$myBeUser->user['admin'] = 1;
$tce->stripslashes_values = 0;
$tce->start($data, array(), $myBeUser);
$tce->process_datamap();
Now you've given admin permissions to your BE user! [!!! danger zone !!!]
I'm not sure in what context your save new BE user action is used, but
in general it's best to give specific rights to users and if your code
needs to give extra rights, make that as specific as possible; admin
rights can easily be an extra security risk if there are some issues in
your code.
--
Jigal van Hemert
TYPO3 CMS Active Contributor
TYPO3 .... inspiring people to share!
Get involved: typo3.org
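As an added illustration of the two points in the reply above (that the admin flag is derived inside start() before exclude_array is generated, and that the workaround elevates the shared global BE user object because PHP objects are handles), here is a constructed PHP model; it is not TYPO3 code, and FakeBackendUser, FakeDataHandler and the sample exclude list are assumptions.

```php
<?php
// Constructed stand-in for the behaviour described in the reply; not TYPO3 code.
// FakeBackendUser / FakeDataHandler are assumed names modelling BE_USER and the
// DataHandler only as far as the admin flag and exclude_array are concerned.

class FakeBackendUser
{
    public array $user;
    public function __construct(int $admin) { $this->user = ['admin' => $admin]; }
    public function isAdmin(): bool { return (bool)$this->user['admin']; }
}

class FakeDataHandler
{
    public int $admin = 0;
    public array $exclude_array = [];

    // As described in the reply: admin is taken from the BE user inside start(),
    // and the exclude list is generated (or emptied) right there.
    public function start(array $data, array $cmd, FakeBackendUser $beUser): void
    {
        $this->admin = $beUser->isAdmin() ? 1 : 0;
        // Constructed sample of a generated exclude list for a non-admin user.
        $this->exclude_array = $this->admin ? [] : ['be_users-admin', 'be_users-usergroup'];
    }
}

function check(bool $ok, string $failure): void { if (!$ok) { throw new RuntimeException($failure); } }

$GLOBALS['BE_USER'] = new FakeBackendUser(0);

// 1) Setting $tce->admin after start() is too late: exclude_array is already filled.
$tce = new FakeDataHandler();
$tce->start([], [], $GLOBALS['BE_USER']);
$tce->admin = 1;
check($tce->exclude_array !== [], 'exclude list should have been generated before admin was set');

// 2) The posted workaround: $myBeUser and $GLOBALS['BE_USER'] are the same object,
// so the global BE user stays admin for the rest of the request.
$myBeUser = $GLOBALS['BE_USER'];
$myBeUser->user['admin'] = 1;
check($GLOBALS['BE_USER']->isAdmin(), 'shared BE user object should now be admin');

// 3) Scoped variant: clone first so only the copy is elevated. The user array is
// copied by value, so the global user is untouched after the DataHandler call.
$GLOBALS['BE_USER'] = new FakeBackendUser(0);
$scopedUser = clone $GLOBALS['BE_USER'];
$scopedUser->user['admin'] = 1;
$tce = new FakeDataHandler();
$tce->start([], [], $scopedUser);
check($tce->exclude_array === [] && !$GLOBALS['BE_USER']->isAdmin(), 'elevation should stay scoped');
echo "all checks passed\n";
```

Whether cloning the real BackendUserAuthentication object is safe in a given TYPO3 version is an assumption to verify against that version, and the advice above about granting specific rights instead of admin still applies.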