[TYPO3-dev] TCE Datahandler admin-flag not working correctly

Jigal van Hemert jigal.van.hemert at typo3.org
Wed Jan 6 14:54:45 CET 2016


Hi,

On 05/01/2016 22:09, Jan Bartels wrote:
> I've just debugged the SysAction for adding/editing BE-Users. See
> https://forge.typo3.org/issues/72391 for details.
>
> I think that the TCE-DataHandler is not working correctly in this
> use-case. The method ActionTask::saveNewBackendUser() calls the
> TCE-DataHandler as follows:
>
> // Save/update user by using TCEmain
> if (is_array($data)) {
>      $tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');
>
>      $tce->stripslashes_values = 0;
>      $tce->start($data, array(), $GLOBALS['BE_USER']);
>      $tce->admin = 1;
>      $tce->process_datamap();
>
> The admin-flag should enable TCEmain to set all DB-fields without any
> restrictions, but DataHandler::fillInFieldArray() ignores the admin-flag
> when checking for disabled fields:
>
> foreach ($incomingFieldArray as $field => $fieldValue) {
>      if (!in_array(($table . '-' . $field), $this->exclude_array) &&
> !$this->data_disableFields[$table][$id][$field] ) {
>
> I'd suggest to add an extra condition "|| $this->admin" to this
> if-statement to ignore any disabled fields that are restricting the
> original calling BE-user.

$this->exclude_array is set to an empty array if $this->admin evaluates 
to true. $this->data_disableFields is an empty array if you didn't fill 
it yourself.

The problem is that you set $tce->admin, which is actually an internal 
variable (but unfortunately not labelled as such because it originates 
from a long time ago).
Inside $tce->start() admin is set to the admin status of the BE user and 
if admin is set, exclude_array is set to an empty array (otherwise to 
the generated exclude list).

A possible workaround could be to copy the global BE user, set the admin 
property in that user and pass it as BE user to start():

$tce = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\DataHandling\\DataHandler');

// PHP objects are handles, so a plain assignment would not copy the user;
// clone it so the global BE user object itself is left untouched
$myBeUser = clone $GLOBALS['BE_USER'];
// start() reads the admin status from the passed user and, if set,
// replaces exclude_array with an empty array
$myBeUser->user['admin'] = 1;
$tce->stripslashes_values = 0;
$tce->start($data, array(), $myBeUser);
$tce->process_datamap();

Now you've given admin permissions to your BE user! [!!! danger zone !!!]

I'm not sure in what context your save new BE user action is used, but 
in general it's best to give specific rights to users and if your code 
needs to give extra rights, make that as specific as possible; admin 
rights can easily be an extra security risk if there are some issues in your 
code.

-- 
Jigal van Hemert
TYPO3 CMS Active Contributor

TYPO3 .... inspiring people to share!
Get involved: typo3.org
