[TYPO3-core] RFC: #11896: User Setup miss save of be_users fields and miss handling of default value

Oliver Hader oliver at typo3.org
Sat Sep 19 16:39:38 CEST 2009


Hi Steffen,

Steffen Kamper wrote:
> Hi,
> 
> here comes v2, which also uses a hook for access. See OpenID (#10585_v6),
> which uses the access check for rendering the OpenID identifier field with
> access check (not only admin).
> Further, the access check is done while writing the be_users fields, so
> there is no way to tamper with the POST data.
> 
> Best way to test is this patch and then 10585_v6 which uses it.

I changed some minor issues:
* added "admin" to the not-allowed fields - however that was not a
problem but any extension could have enabled any user to enable the
admin status
* added type-hint at checkAccess() method and some PHPdoc comments

+1 by reading and testing

olly
-- 
Oliver Hader
TYPO3 Release Manager 4.3
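
An added illustration, not TYPO3 core code and not the patch from this thread, of the write-time check discussed above: submitted be_users values are filtered again on the server, so a field the form never rendered cannot be written by editing the POST data. All function, constant and field names except `checkAccess`, `admin` and `be_users` are hypothetical, and the sample request is constructed.

```php
<?php
declare(strict_types=1);

// Fields that must never be written from the User Setup form, whatever an
// extension registers. The thread names "admin"; nothing else is assumed.
const NOT_ALLOWED_FIELDS = ['admin'];

/**
 * Return only the submitted be_users values the current user may write.
 * $post is untrusted; $fields maps name => ['access' => null|'admin'|callable].
 */
function filterWritableFields(array $post, array $fields, array $user): array
{
    $writable = [];
    foreach ($post as $name => $value) {
        // Unregistered or forbidden field: drop it, rendered or not.
        if (!isset($fields[$name]) || in_array($name, NOT_ALLOWED_FIELDS, true)) {
            continue;
        }
        if (checkAccess($fields[$name], $user)) {
            $writable[$name] = $value;
        }
    }
    return $writable;
}

/** Same rule for rendering and for writing, so the two cannot drift apart. */
function checkAccess(array $config, array $user): bool
{
    $access = $config['access'] ?? null;
    if ($access === null) return true;                      // open to every user
    if ($access === 'admin') return !empty($user['admin']); // admins only
    if (is_callable($access)) return (bool) $access($user, $config); // hook
    return false;                                           // unknown rule: fail closed
}

// Constructed sample: a non-admin user submits a tampered form.
$fields = [
    'email'             => ['access' => null],
    'openid_identifier' => ['access' => fn(array $u): bool => !empty($u['openid_allowed'])],
    'lockToDomain'      => ['access' => 'admin'],
    'admin'             => ['access' => null], // registered by a careless extension
];
$user = ['uid' => 7, 'admin' => 0, 'openid_allowed' => 1];
$post = ['email' => 'a@example.org', 'openid_identifier' => 'https://id.example.org/a',
         'lockToDomain' => 'evil.example', 'admin' => '1', 'password_hash' => 'x'];

var_dump(filterWritableFields($post, $fields, $user));
```

Only `email` and `openid_identifier` survive the filter: `admin` is rejected even though an extension registered it as open, which is the case the "not-allowed fields" change covers.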

