[TYPO3-core] RFC: #17173: CSRF Bugfix: In the user settings module, saving form data is not possible if simulate user option is used.

Jeff Segars jsegars at alumni.rice.edu
Fri Jan 21 00:48:16 CET 2011


On 1/20/11 3:50 PM, Helmut Hummel wrote:
> Hi,
>
> This is a SVN patch request.
>
> Type: Bugfix
> Bugtracker reference: http://bugs.typo3.org/view.php?id=17173
> Branch: trunk
>
> Problem:
> Form validation fails in the user setup module, if the "simulate user"
> is used.
>
> This happens because the form protection framework does access
> $GLOBALS['BE_USER'] to store the tokens in the user session. However
> this global var is replaced by the one for the simulated user (ugly but
> that's how it is right now).
>
> Solution:
> Save the instance of the backend user during creation of the form
> protection, so persisting and validating tokens is always done with the
> real user session.


+1 on reading and testing.

Thanks,
Jeff
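
The failure mode and the fix described in the quoted request, as an added example that is not part of this thread and is not the TYPO3 patch or TYPO3 code. The class names, the `formTokens` session key and the single-process "session" array are hypothetical simplifications; only `$GLOBALS['BE_USER']` comes from the message. The global-lookup variant fails validation once the global is swapped for the simulated user, while the variant that saves the user instance at creation still validates.

```php
<?php
// Hypothetical stand-in for a backend user object that owns session data.
final class SessionUser {
    public array $session = [];
    public function __construct(public string $name) {}
}

// "Before": the user is resolved through the global on every call, so the
// token can be written to one user's session and looked up in another's.
class GlobalLookupProtection {
    protected function user(): SessionUser {
        return $GLOBALS['BE_USER'];
    }
    public function generateToken(string $formName): string {
        $token = bin2hex(random_bytes(16));
        $this->user()->session['formTokens'][$formName] = $token;
        return $token;
    }
    public function validateToken(string $token, string $formName): bool {
        $stored = $this->user()->session['formTokens'][$formName] ?? null;
        // Constant-time comparison of the stored and the submitted token.
        return is_string($stored) && hash_equals($stored, $token);
    }
}

// "After": the user instance present at creation is saved, so persisting and
// validating always use the real user's session.
final class PinnedUserProtection extends GlobalLookupProtection {
    private SessionUser $user;
    public function __construct() {
        $this->user = $GLOBALS['BE_USER'];
    }
    protected function user(): SessionUser {
        return $this->user;
    }
}

// Constructed scenario: issue a token, swap the global, then validate.
function roundTrip(string $class): bool {
    $GLOBALS['BE_USER'] = new SessionUser('real-user');
    $protection = new $class();
    $token = $protection->generateToken('userSetup');
    $GLOBALS['BE_USER'] = new SessionUser('simulated-user');
    return $protection->validateToken($token, 'userSetup');
}

var_dump(roundTrip(GlobalLookupProtection::class));
var_dump(roundTrip(PinnedUserProtection::class));
```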

