[TYPO3-core] RFC: #11896: User Setup miss save of be_users fields and miss handling of default value

Steffen Gebert steffen at steffen-gebert.de
Wed Sep 16 14:12:13 CEST 2009


On Sun, 13 Sep 2009 14:06:00 +0200, Steffen Gebert  
<steffen at steffen-gebert.de> wrote:

>> There is the option table="be_users" which is used for email, password
>> and realName. But if you want to store other fields or new fields
>> extended by extension, the save handler doesn't save them.
>> (The problem occurred when openID tries to add the identifier field in
>> user setup)
>>
>> Also there is missing a default value in settings as done in TCA for
>> new fields doesn't have a default in BE_USER->uc
>>
>> Attached patch solves this problem and save all fields in be_user which
>> are in the configuration.

> This is needed for #10585: Enable BE users to change their OpenID


After discussion with Steffen, he asked me to explain one problem  
regarding access to change records:
#10585 enables BE users to change their OpenID. Admins can define access to
do this by BE_GROUP.
So the input field in the setup module is only printed if the user has the
right to change his OpenID. No access -> no input field.

Nevertheless it is possible (e.g. using the FF extension Tamper Data) to
modify the POST request and add a value for
data[be_users][tx_openid_openid]. This is saved without any access checks
(as storeIncomingData doesn't check).

So he decided to provide a reworked patch with the possibility to define an
access check userFunc this evening. In this userFunc we could check
whether the user is allowed to change the specific field (by any condition
you can imagine..)

Hint: There's the possibility to change any field in be_users, but only
'user' type fields.
It's only a problem when a field in the setup module has access rights
other than admin-only.

Steffen
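
Added example, not part of the original message and not TYPO3 core code: a sketch of the server-side check the message asks for, where every submitted be_users field is re-checked on save instead of relying on the form having hidden the input. The function name, the 'access' configuration key, the group name and the sample request are all hypothetical.

```php
<?php
// Added illustration, not TYPO3 core code. All function, group and
// configuration names here are hypothetical.

/**
 * Split submitted be_users fields into those that may be saved and those
 * that must be dropped, re-checking access on the server for every field.
 * $fieldConfig maps field name => ['access' => callable|null].
 */
function filterIncomingUserFields(array $submitted, array $fieldConfig, array $user): array
{
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $field => $value) {
        $field = (string)$field;
        $configured = array_key_exists($field, $fieldConfig);
        $check = $configured ? ($fieldConfig[$field]['access'] ?? null) : null;
        // Save only if the field is configured for the setup module, the
        // value is a plain string, and the per-field check (if any) passes.
        if ($configured && is_string($value)
            && ($check === null || $check($user, $field) === true)) {
            $accepted[$field] = $value;
        } else {
            $rejected[] = $field;
        }
    }
    return [$accepted, $rejected];
}

$fieldConfig = [
    'realName' => ['access' => null], // editable by every backend user
    'tx_openid_openid' => [
        'access' => static fn(array $u, string $f): bool =>
            in_array('openid_editors', $u['groups'], true),
    ],
];
// Constructed request: the form rendered only realName for this user,
// but the POST body carries two additional keys.
$post = [
    'realName' => 'Jane Doe',
    'tx_openid_openid' => 'https://id.example/jane',
    'some_other_column' => 'x',
];
$user = ['uid' => 7, 'groups' => ['editors']];

[$accepted, $rejected] = filterIncomingUserFields($post, $fieldConfig, $user);
echo 'saved: ', implode(', ', array_keys($accepted)), PHP_EOL;
echo 'dropped: ', implode(', ', $rejected), PHP_EOL;
```

Logging the dropped field names alongside the user id gives an audit trail for requests that carry fields the form never offered.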

