[!!!][TASK] Remove lockToDomain feature for BE and FE 11/65011/4
authorBenni Mack <benni@typo3.org>
Fri, 10 Jul 2020 18:31:20 +0000 (20:31 +0200)
committerGeorg Ringer <georg.ringer@gmail.com>
Tue, 21 Jul 2020 11:18:40 +0000 (13:18 +0200)
Both fe_users/be_users and be_groups/fe_groups have a feature called "lockToDomain".

Although it is called the same, it has a different use-case:

* Users: If lockToDomain is set, the user is only allowed to log in when the request's HTTP_HOST matches the configured domain.
* Groups: If lockToDomain is set, the group is only added to the logged-in user if the HTTP_HOST matches this domain.

Both features are rarely used, and even in multi-tenant setups not viable or flexible
enough. In addition, the features are not any additional security measures as HTTP_HOST can be faked.

They both add unneeded complexity for the rare use of a similar feature,
a custom extension should be used.

Plus: All of these features can be added via extensions, depending on a
specific use case of an installation, so _if_ people use it, custom extensions
should be used instead for the specific use case they have.

The database fields, TCA definitions, labels, domain model logic in Extbase
and actual validation within the AuthenticationService and BE_USER are removed
without any substitution.

Resolves: #91782
Releases: master
Change-Id: I4a12185b79efaf1e3bded5120675e3c1095dcd42
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65011
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
28 files changed:
typo3/sysext/core/Classes/Authentication/AuthenticationService.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/core/Configuration/TCA/be_groups.php
typo3/sysext/core/Configuration/TCA/be_users.php
typo3/sysext/core/Documentation/Changelog/master/Breaking-91782-LockToDomain.rst [new file with mode: 0644]
typo3/sysext/core/Resources/Private/Language/locallang_csh_be_groups.xlf
typo3/sysext/core/Resources/Private/Language/locallang_csh_be_users.xlf
typo3/sysext/core/Resources/Private/Language/locallang_tca.xlf
typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
typo3/sysext/core/Tests/Functional/Tca/BackendGroupsVisibleFieldsTest.php
typo3/sysext/core/Tests/Functional/Tca/BackendUsersVisibleFieldsTest.php
typo3/sysext/core/Tests/Unit/Authentication/AuthenticationServiceTest.php
typo3/sysext/core/ext_tables.sql
typo3/sysext/extbase/Classes/Domain/Model/BackendUserGroup.php
typo3/sysext/extbase/Classes/Domain/Model/FrontendUser.php
typo3/sysext/extbase/Classes/Domain/Model/FrontendUserGroup.php
typo3/sysext/extbase/Configuration/Extbase/Persistence/Classes.php
typo3/sysext/extbase/Tests/Unit/Domain/Model/BackendUserGroupTest.php
typo3/sysext/extbase/Tests/Unit/Domain/Model/FrontendUserGroupTest.php
typo3/sysext/extbase/Tests/Unit/Domain/Model/FrontendUserTest.php
typo3/sysext/frontend/Configuration/TCA/fe_groups.php
typo3/sysext/frontend/Configuration/TCA/fe_users.php
typo3/sysext/frontend/Resources/Private/Language/locallang_csh_fe_groups.xlf
typo3/sysext/frontend/Resources/Private/Language/locallang_csh_fe_users.xlf
typo3/sysext/frontend/Resources/Private/Language/locallang_tca.xlf
typo3/sysext/frontend/Tests/Functional/Tca/FrontendGroupsVisibleFieldsTest.php
typo3/sysext/frontend/Tests/Functional/Tca/FrontendUsersVisibleFieldsTest.php
typo3/sysext/frontend/ext_tables.sql

index 54b9a2b..7e1e17f 100644 (file)
@@ -86,8 +86,7 @@ class AuthenticationService extends AbstractAuthenticationService
     }
 
     /**
-     * Authenticate a user: Check submitted user credentials against stored hashed password,
-     * check domain lock if configured.
+     * Authenticate a user: Check submitted user credentials against stored hashed password.
      *
      * Returns one of the following status codes:
      *  >= 200: User authenticated successfully. No more checking is needed by other auth services.
@@ -113,12 +112,9 @@ class AuthenticationService extends AbstractAuthenticationService
         $submittedUsername = (string)$this->login['uname'];
         $submittedPassword = (string)$this->login['uident_text'];
         $passwordHashInDatabase = $user['password'];
-        $queriedDomain = $this->authInfo['HTTP_HOST'];
-        $configuredDomainLock = $user['lockToDomain'];
         $userDatabaseTable = $this->db_user['table'];
 
         $isReHashNeeded = false;
-        $isDomainLockMet = false;
 
         $saltFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
 
@@ -152,13 +148,6 @@ class AuthenticationService extends AbstractAuthenticationService
                 // instances of the same class.
                 $isReHashNeeded = true;
             }
-            if (empty($configuredDomainLock)) {
-                // No domain restriction set for user in db. This is ok.
-                $isDomainLockMet = true;
-            } elseif (!strcasecmp($configuredDomainLock, $queriedDomain)) {
-                // Domain restriction set and it matches given host. Ok.
-                $isDomainLockMet = true;
-            }
         }
 
         if (!$isValidPassword) {
@@ -171,16 +160,6 @@ class AuthenticationService extends AbstractAuthenticationService
             return 0;
         }
 
-        if (!$isDomainLockMet) {
-            // Password ok, but configured domain lock not met
-            $errorMessage = 'Login-attempt from ###IP###, username \'%s\', locked domain \'%s\' did not match \'%s\'!';
-            $this->writeLogMessage($errorMessage, $user[$this->db_user['username_column']], $configuredDomainLock, $queriedDomain);
-            $this->writelog(SystemLogType::LOGIN, SystemLogLoginAction::ATTEMPT, SystemLogErrorClassification::SECURITY_NOTICE, 1, $errorMessage, [$user[$this->db_user['username_column']], $configuredDomainLock, $queriedDomain]);
-            $this->logger->info(sprintf($errorMessage, $user[$this->db_user['username_column']], $configuredDomainLock, $queriedDomain));
-            // Responsible, authentication ok, but domain lock not ok, do NOT check other services
-            return 0;
-        }
-
         if ($isReHashNeeded) {
             // Given password validated but a re-hash is needed. Do so.
             $this->updatePasswordHashInDatabase(
@@ -190,7 +169,7 @@ class AuthenticationService extends AbstractAuthenticationService
             );
         }
 
-        // Responsible, authentication ok, domain lock ok. Log successful login and return 'auth ok, do NOT check other services'
+        // Responsible, authentication ok. Log successful login and return 'auth ok, do NOT check other services'
         $this->writeLogMessage($this->pObj->loginType . ' Authentication successful for username \'%s\'', $submittedUsername);
         return 200;
     }
@@ -236,17 +215,6 @@ class AuthenticationService extends AbstractAuthenticationService
                         $queryBuilder->expr()->in(
                             'uid',
                             $queryBuilder->createNamedParameter($groups, Connection::PARAM_INT_ARRAY)
-                        ),
-                        $queryBuilder->expr()->orX(
-                            $queryBuilder->expr()->eq(
-                                'lockToDomain',
-                                $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
-                            ),
-                            $queryBuilder->expr()->isNull('lockToDomain'),
-                            $queryBuilder->expr()->eq(
-                                'lockToDomain',
-                                $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
-                            )
                         )
                     )
                     ->execute();
@@ -273,7 +241,7 @@ class AuthenticationService extends AbstractAuthenticationService
      */
     public function getSubGroups($grList, $idList, &$groups)
     {
-        // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
+        // Fetching records of the groups in $grList:
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('fe_groups');
         if (!empty($this->authInfo['showHiddenRecords'])) {
             $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
@@ -289,17 +257,6 @@ class AuthenticationService extends AbstractAuthenticationService
                         GeneralUtility::intExplode(',', $grList, true),
                         Connection::PARAM_INT_ARRAY
                     )
-                ),
-                $queryBuilder->expr()->orX(
-                    $queryBuilder->expr()->eq(
-                        'lockToDomain',
-                        $queryBuilder->createNamedParameter('', \PDO::PARAM_STR)
-                    ),
-                    $queryBuilder->expr()->isNull('lockToDomain'),
-                    $queryBuilder->expr()->eq(
-                        'lockToDomain',
-                        $queryBuilder->createNamedParameter($this->authInfo['HTTP_HOST'], \PDO::PARAM_STR)
-                    )
                 )
             )
             ->execute();
index eb17949..37b7b92 100644 (file)
@@ -1485,7 +1485,7 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
      */
     public function fetchGroups($grList, $idList = '')
     {
-        // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
+        // Fetching records of the groups in $grList:
         $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->usergroup_table);
         $expressionBuilder = $queryBuilder->expr();
         $constraints = $expressionBuilder->andX(
@@ -1499,14 +1499,6 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
                     GeneralUtility::intExplode(',', $grList),
                     Connection::PARAM_INT_ARRAY
                 )
-            ),
-            $expressionBuilder->orX(
-                $expressionBuilder->eq('lockToDomain', $queryBuilder->quote('')),
-                $expressionBuilder->isNull('lockToDomain'),
-                $expressionBuilder->eq(
-                    'lockToDomain',
-                    $queryBuilder->createNamedParameter(GeneralUtility::getIndpEnv('HTTP_HOST'), \PDO::PARAM_STR)
-                )
             )
         );
         // Hook for manipulation of the WHERE sql sentence which controls which BE-groups are included
index d72886e..5944200 100644 (file)
@@ -19,7 +19,7 @@ return [
             'disabled' => 'hidden'
         ],
         'title' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_groups',
-        'useColumnsForDefaultValues' => 'lockToDomain, file_permissions',
+        'useColumnsForDefaultValues' => 'file_permissions',
         'versioningWS_alwaysAllowLiveEdit' => true,
         'searchFields' => 'title'
     ],
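Review bot: The be_groups settings in this hunk identify records by `title` (`'searchFields' => 'title'`), and no `username` column for either group table is visible in this commit, yet the two group queries in Breaking-91782-LockToDomain.rst select `uid, pid, username` from `fe_groups` and `be_groups`. If the group tables have no `username` column, as this TCA suggests, both statements fail and an integrator gets no list of the groups whose domain restriction stops applying after the upgrade. I would change them to `SELECT uid, pid, title FROM be_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;` and the same for `fe_groups`. The enclosing array starts outside this hunk.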
@@ -203,16 +203,6 @@ return [
                 ],
             ]
         ],
-        'lockToDomain' => [
-            'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:lockToDomain',
-            'config' => [
-                'type' => 'input',
-                'size' => 20,
-                'eval' => 'trim',
-                'max' => 50,
-                'softref' => 'substitute'
-            ]
-        ],
         'groupMods' => [
             'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:userMods',
             'config' => [
@@ -282,7 +272,7 @@ return [
             --div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_groups.tabs.mounts_and_workspaces,
                 workspace_perms, db_mountpoints, file_mountpoints, file_permissions, category_perms,
             --div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_groups.tabs.options,
-                lockToDomain, TSconfig,
+                TSconfig,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
                 hidden,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
index f4b69b1..f0fc3fc 100644 (file)
@@ -24,7 +24,7 @@ return [
             '1' => 'status-user-admin',
             'default' => 'status-user-backend'
         ],
-        'useColumnsForDefaultValues' => 'usergroup,lockToDomain,options,db_mountpoints,file_mountpoints,file_permissions,userMods',
+        'useColumnsForDefaultValues' => 'usergroup,options,db_mountpoints,file_mountpoints,file_permissions,userMods',
         'versioningWS_alwaysAllowLiveEdit' => true,
         'searchFields' => 'username,email,realName'
     ],
@@ -97,16 +97,6 @@ return [
                 $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext']
             )
         ],
-        'lockToDomain' => [
-            'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:lockToDomain',
-            'config' => [
-                'type' => 'input',
-                'size' => 20,
-                'eval' => 'trim',
-                'max' => 50,
-                'softref' => 'substitute'
-            ]
-        ],
         'db_mountpoints' => [
             'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.options_db_mounts',
             'config' => [
@@ -385,7 +375,7 @@ return [
             --div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.mounts_and_workspaces,
                 workspace_perms, db_mountpoints, options, file_mountpoints, file_permissions, category_perms,
             --div--;LLL:EXT:core/Resources/Private/Language/locallang_tca.xlf:be_users.tabs.options,
-                lockToDomain, disableIPlock, TSconfig,
+                disableIPlock, TSconfig,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
                 --palette--;;timeRestriction,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-91782-LockToDomain.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-91782-LockToDomain.rst
new file mode 100644 (file)
index 0000000..bb0a5d7
--- /dev/null
@@ -0,0 +1,55 @@
+.. include:: ../../Includes.txt
+
+======================================================================================================
+Breaking: #91782 - lockToDomain feature for frontend users / groups and backend users / groups removed
+======================================================================================================
+
+See :issue:`91782`
+
+Description
+===========
+
+TYPO3 Core shipped with a feature called "lockToDomain" for Frontend users and backend users which made the user login only valid if the exact given HTTP_HOST matches the filled domain.
+
+A similar functionality, but with the same name for groups existed, which only added the group to a specific user during a session, if the user was accessing a TYPO3 site under a specific domain.
+
+Both features have been removed.
+
+Impact
+======
+
+Frontend users or backend users that have this option set previously, will now be able to login independent of the defined HTTP_HOST header sent with the login page.
+
+Regardless of any setting of the "lockToDomain" setting of a specific group, all groups added
+to a user are now applied during login of a user, both for frontend and backend.
+
+
+Affected Installations
+======================
+
+TYPO3 Installations using this feature in their database records. When in doubt, this can be identified by running SQL SELECT statements to identify users actively using this feature.
+
+Frontend Users:
+* "SELECT uid, pid, username FROM fe_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;"
+
+Backend Users:
+* "SELECT uid, pid, username FROM be_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;"
+
+Frontend Groups:
+* "SELECT uid, pid, username FROM fe_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;"
+
+Backend Groups:
+* "SELECT uid, pid, username FROM be_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;"
+
+
+Migration
+=========
+
+Any installations needing this feature should build this in
+custom extensions extending TCA and a custom Authentication Service.
+
+In addition, if such a feature is needed for frontend users
+or groups, it is recommended to use the storagePid option to limit
+frontend user login by Storage Folders.
+
+.. index:: Database, TCA, NotScanned, ext:core
\ No newline at end of file
index d1778fd..c148a61 100644 (file)
@@ -203,19 +203,6 @@ Examples from "Getting Started" | https://docs.typo3.org/typo3cms/GettingStarted
                        <trans-unit id="hidden.details" resname="hidden.details">
                                <source>If you disable a user group all users which are members of the group will in effect not inherit any properties this group may have given them.</source>
                        </trans-unit>
-                       <trans-unit id="lockToDomain.description" resname="lockToDomain.description">
-                               <source>Enter the host name from which the user is forced to login. NOTICE: this is not a security feature and can be circumvented by faking HTTP_HOST.</source>
-                       </trans-unit>
-                       <trans-unit id="lockToDomain.details" resname="lockToDomain.details" xml:space="preserve">
-                               <source>A TYPO3 system may host multiple websites on multiple domains. Therefore this option secures that users can login only from a certain host name.
-Setting this to for example "www.my-domain.com" will require a user to be logged in from that domain if membership of this group should be gained. Otherwise the group will be ignored for the user.</source>
-                       </trans-unit>
-                       <trans-unit id="_lockToDomain.seeAlso" resname="_lockToDomain.seeAlso" xml:space="preserve">
-                               <source>be_users:lockToDomain,
-fe_users:lockToDomain,
-fe_groups:lockToDomain</source>
-                               <note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
-                       </trans-unit>
                        <trans-unit id="groupMods.description" resname="groupMods.description">
                                <source>Select available backend modules for the group members.</source>
                        </trans-unit>
index 75d6036..075f8b4 100644 (file)
@@ -77,18 +77,6 @@ The first (top) group in the list is the group which will, by default, be the ow
 be_groups</source>
                                <note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
                        </trans-unit>
-                       <trans-unit id="lockToDomain.description" resname="lockToDomain.description">
-                               <source>Enter the host name from which the user is forced to login. NOTICE: this is not a security feature and can be circumvented by faking HTTP_HOST.</source>
-                       </trans-unit>
-                       <trans-unit id="lockToDomain.details" resname="lockToDomain.details">
-                               <source>A TYPO3 system may have multiple domains pointing to it. Therefore this option secures that users can login only from a certain host name.</source>
-                       </trans-unit>
-                       <trans-unit id="_lockToDomain.seeAlso" resname="_lockToDomain.seeAlso" xml:space="preserve">
-                               <source>be_groups:lockToDomain,
-fe_users:lockToDomain,
-fe_groups:lockToDomain</source>
-                               <note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
-                       </trans-unit>
                        <trans-unit id="disableIPlock.description" resname="disableIPlock.description">
                                <source>Disable the lock of the backend users session to the remote IP number.</source>
                        </trans-unit>
index 15d699e..ba785cc 100644 (file)
@@ -48,9 +48,6 @@
                        <trans-unit id="TSconfig_title" resname="TSconfig_title">
                                <source>TSconfig QuickReference</source>
                        </trans-unit>
-                       <trans-unit id="lockToDomain" resname="lockToDomain">
-                               <source>Lock to domain</source>
-                       </trans-unit>
                        <trans-unit id="be_users.username" resname="be_users.username">
                                <source>Username</source>
                        </trans-unit>
index 0f7b40b..4fe8513 100644 (file)
@@ -4,7 +4,6 @@
         <uid>1</uid>
         <pid>0</pid>
         <title>editor group</title>
-        <lockToDomain></lockToDomain>
         <workspace_perms>0</workspace_perms>
         <db_mountpoints>1,3,4,5,40</db_mountpoints>
         <tstamp>1544454571</tstamp>
index 3850c12..5fedc06 100644 (file)
@@ -38,7 +38,6 @@ class BackendGroupsVisibleFieldsTest extends FunctionalTestCase
         'file_mountpoints',
         'file_permissions',
         'category_perms',
-        'lockToDomain',
         'TSconfig',
     ];
 
index 0e1ed2f..d593706 100644 (file)
@@ -40,7 +40,6 @@ class BackendUsersVisibleFieldsTest extends FunctionalTestCase
         'file_mountpoints',
         'file_permissions',
         'category_perms',
-        'lockToDomain',
         'TSconfig',
         'starttime',
         'endtime',
@@ -52,7 +51,6 @@ class BackendUsersVisibleFieldsTest extends FunctionalTestCase
         'workspace_perms',
         'file_permissions',
         'category_perms',
-        'lockToDomain',
     ];
 
     /**
index e7c6237..91c00e6 100644 (file)
@@ -153,7 +153,6 @@ class AuthenticationServiceTest extends UnitTestCase
         );
         $dbUser = [
             'password' => 'aPlainTextPassword',
-            'lockToDomain' => ''
         ];
         self::assertEquals(100, $subject->authUser($dbUser));
     }
@@ -183,7 +182,6 @@ class AuthenticationServiceTest extends UnitTestCase
         $dbUser = [
             // a phpass hash of 'myPassword'
             'password' => '$P$C/2Vr3ywuuPo5C7cs75YBnVhgBWpMP1',
-            'lockToDomain' => ''
         ];
         self::assertSame(0, $subject->authUser($dbUser));
     }
@@ -213,43 +211,7 @@ class AuthenticationServiceTest extends UnitTestCase
         $dbUser = [
             // an argon2i hash of 'myPassword'
             'password' => '$argon2i$v=19$m=65536,t=16,p=1$eGpyelFZbkpRdXN3QVhsUA$rd4abz2fcuksGu3b3fipglQZtHbIy+M3XoIS+sNVSl4',
-            'lockToDomain' => ''
         ];
         self::assertSame(200, $subject->authUser($dbUser));
     }
-
-    /**
-     * @test
-     */
-    public function authUserReturns0IfPasswordMatchButDomainLockDoesNotMatch(): void
-    {
-        $subject = new AuthenticationService();
-        $pObjProphecy = $this->prophesize(AbstractUserAuthentication::class);
-        $pObjProphecy->loginType = 'BE';
-        $loggerProphecy = $this->prophesize(Logger::class);
-        $subject->setLogger($loggerProphecy->reveal());
-        $subject->initAuth(
-            'authUserBE',
-            [
-                'uident_text' => 'myPassword',
-                'uname' => 'lolli'
-            ],
-            [
-                'db_user' => [
-                    'table' => 'be_users',
-                    'username_column' => 'username',
-                ],
-                'REMOTE_HOST' => '',
-                'HTTP_HOST' => 'example.com',
-            ],
-            $pObjProphecy->reveal()
-        );
-        $dbUser = [
-            // an argon2i hash of 'myPassword'
-            'password' => '$argon2i$v=19$m=65536,t=16,p=2$LnUzc3ZISWJwQWlSbmpkYw$qD1sRsJFzkUmjcEaKzDeg6LtflwdTpo49VbH3tMeMXU',
-            'username' => 'lolli',
-            'lockToDomain' => 'not.example.com'
-        ];
-        self::assertSame(0, $subject->authUser($dbUser));
-    }
 }
index d13f155..99a097d 100644 (file)
@@ -15,7 +15,6 @@ CREATE TABLE be_groups (
        availableWidgets text,
        file_mountpoints text,
        file_permissions text,
-       lockToDomain varchar(50) DEFAULT '' NOT NULL,
        TSconfig text,
        subgroup text,
        workspace_perms tinyint(3) DEFAULT '1' NOT NULL,
@@ -56,7 +55,6 @@ CREATE TABLE be_users (
        file_mountpoints text,
        file_permissions text,
        workspace_perms tinyint(3) DEFAULT '1' NOT NULL,
-       lockToDomain varchar(50) DEFAULT '' NOT NULL,
        disableIPlock tinyint(1) unsigned DEFAULT '0' NOT NULL,
        TSconfig text,
        lastlogin int(10) unsigned DEFAULT '0' NOT NULL,
index 199f45d..5e37d76 100644 (file)
@@ -98,11 +98,6 @@ class BackendUserGroup extends AbstractEntity
     /**
      * @var string
      */
-    protected $lockToDomain = '';
-
-    /**
-     * @var string
-     */
     protected $tsConfig = '';
 
     /**
@@ -484,26 +479,6 @@ class BackendUserGroup extends AbstractEntity
     }
 
     /**
-     * Setter for lock to domain
-     *
-     * @param string $lockToDomain
-     */
-    public function setLockToDomain($lockToDomain)
-    {
-        $this->lockToDomain = $lockToDomain;
-    }
-
-    /**
-     * Getter for lock to domain
-     *
-     * @return string
-     */
-    public function getLockToDomain()
-    {
-        return $this->lockToDomain;
-    }
-
-    /**
      * Setter for ts config
      *
      * @param string $tsConfig
index 5073041..338fb67 100644 (file)
@@ -81,11 +81,6 @@ class FrontendUser extends AbstractEntity
     /**
      * @var string
      */
-    protected $lockToDomain = '';
-
-    /**
-     * @var string
-     */
     protected $title = '';
 
     /**
@@ -380,26 +375,6 @@ class FrontendUser extends AbstractEntity
     }
 
     /**
-     * Sets the lockToDomain value
-     *
-     * @param string $lockToDomain
-     */
-    public function setLockToDomain($lockToDomain)
-    {
-        $this->lockToDomain = $lockToDomain;
-    }
-
-    /**
-     * Returns the lockToDomain value
-     *
-     * @return string
-     */
-    public function getLockToDomain()
-    {
-        return $this->lockToDomain;
-    }
-
-    /**
      * Sets the title value
      *
      * @param string $title
index d4fcdec..900fe6c 100644 (file)
@@ -31,11 +31,6 @@ class FrontendUserGroup extends AbstractEntity
     /**
      * @var string
      */
-    protected $lockToDomain = '';
-
-    /**
-     * @var string
-     */
     protected $description = '';
 
     /**
@@ -75,26 +70,6 @@ class FrontendUserGroup extends AbstractEntity
     }
 
     /**
-     * Sets the lockToDomain value
-     *
-     * @param string $lockToDomain
-     */
-    public function setLockToDomain($lockToDomain)
-    {
-        $this->lockToDomain = $lockToDomain;
-    }
-
-    /**
-     * Returns the lockToDomain value
-     *
-     * @return string
-     */
-    public function getLockToDomain()
-    {
-        return $this->lockToDomain;
-    }
-
-    /**
      * Sets the description value
      *
      * @param string $description
index 4aca987..3515787 100644 (file)
@@ -74,9 +74,6 @@ return [
             'fileOperationPermissions' => [
                 'fieldName' => 'file_permissions'
             ],
-            'lockToDomain' => [
-                'fieldName' => 'lockToDomain'
-            ],
             'tsConfig' => [
                 'fieldName' => 'TSconfig'
             ],
@@ -84,19 +81,9 @@ return [
     ],
     \TYPO3\CMS\Extbase\Domain\Model\FrontendUser::class => [
         'tableName' => 'fe_users',
-        'properties' => [
-            'lockToDomain' => [
-                'fieldName' => 'lockToDomain'
-            ],
-        ],
     ],
     \TYPO3\CMS\Extbase\Domain\Model\FrontendUserGroup::class => [
         'tableName' => 'fe_groups',
-        'properties' => [
-            'lockToDomain' => [
-                'fieldName' => 'lockToDomain'
-            ],
-        ],
     ],
     \TYPO3\CMS\Extbase\Domain\Model\Category::class => [
         'tableName' => 'sys_category',
index 9c99c6d..355abda 100644 (file)
@@ -432,24 +432,6 @@ class BackendUserGroupTest extends UnitTestCase
     /**
      * @test
      */
-    public function getLockToDomainInitiallyReturnsEmptyString()
-    {
-        self::assertSame('', $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
-    public function setLockToDomainSetsLockToDomain()
-    {
-        $lockToDomain = 'foo.bar';
-        $this->subject->setLockToDomain($lockToDomain);
-        self::assertSame($lockToDomain, $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
     public function getTsConfigInitiallyReturnsEmptyString()
     {
         self::assertSame('', $this->subject->getTsConfig());
index f95205b..e1000b7 100644 (file)
@@ -67,24 +67,6 @@ class FrontendUserGroupTest extends UnitTestCase
     /**
      * @test
      */
-    public function getLockToDomainInitiallyReturnsEmptyString()
-    {
-        self::assertSame('', $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
-    public function setLockToDomainSetsLockToDomain()
-    {
-        $lockToDomain = 'foo.bar';
-        $this->subject->setLockToDomain($lockToDomain);
-        self::assertSame($lockToDomain, $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
     public function getDescriptionInitiallyReturnsEmptyString()
     {
         self::assertSame('', $this->subject->getDescription());
index 36ddd73..92171b1 100644 (file)
@@ -254,24 +254,6 @@ class FrontendUserTest extends UnitTestCase
     /**
      * @test
      */
-    public function getLockToDomainInitiallyReturnsEmptyString()
-    {
-        self::assertSame('', $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
-    public function setLockToDomainSetsLockToDomain()
-    {
-        $lockToDomain = 'foo.bar';
-        $this->subject->setLockToDomain($lockToDomain);
-        self::assertSame($lockToDomain, $this->subject->getLockToDomain());
-    }
-
-    /**
-     * @test
-     */
     public function getTitleInitiallyReturnsEmptyString()
     {
         self::assertSame('', $this->subject->getTitle());
index 118c318..19b4077 100644 (file)
@@ -17,7 +17,6 @@ return [
         'typeicon_classes' => [
             'default' => 'status-user-group-frontend'
         ],
-        'useColumnsForDefaultValues' => 'lockToDomain',
         'searchFields' => 'title,description'
     ],
     'columns' => [
@@ -60,16 +59,6 @@ return [
                 'maxitems' => 20
             ]
         ],
-        'lockToDomain' => [
-            'exclude' => true,
-            'label' => 'LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:fe_groups.lockToDomain',
-            'config' => [
-                'type' => 'input',
-                'size' => 20,
-                'eval' => 'trim',
-                'max' => 50
-            ]
-        ],
         'description' => [
             'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_general.xlf:LGL.description',
             'config' => [
@@ -95,7 +84,7 @@ return [
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:general,
                 title,subgroup,
             --div--;LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:fe_groups.tabs.options,
-                lockToDomain, TSconfig,
+                TSconfig,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
                 hidden,
             --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
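Review bot: Existing `fe_groups` records that carry a `lockToDomain` value become unconditional groups once the field is dropped from this showitem list (and from the column definition and SQL schema in the other hunks), so their members get that group's access on every host the installation serves. The same applies to `fe_users` records, which lose their login-host restriction. The commit message is right that the check was never a real control because HTTP_HOST can be faked, but sites that used it to separate tenants will still see access widen silently on upgrade. I would have the breaking-change changelog (not visible in this part of the diff) tell integrators to audit before removing the columns, for example with `SELECT uid, title, lockToDomain FROM fe_groups WHERE lockToDomain <> '';` and the equivalent query on `fe_users`. The showitem string starts and ends outside this hunk.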
index 73ad64f..7a147be 100644 (file)
@@ -18,7 +18,7 @@ return [
         'typeicon_classes' => [
             'default' => 'status-user-frontend'
         ],
-        'useColumnsForDefaultValues' => 'usergroup,lockToDomain,disable,starttime,endtime',
+        'useColumnsForDefaultValues' => 'usergroup,disable,starttime,endtime',
         'searchFields' => 'username,name,first_name,last_name,middle_name,address,telephone,fax,email,title,zip,city,country,company,description'
     ],
     'columns' => [
@@ -53,17 +53,6 @@ return [
                 'maxitems' => 50
             ]
         ],
-        'lockToDomain' => [
-            'exclude' => true,
-            'label' => 'LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:fe_users.lockToDomain',
-            'config' => [
-                'type' => 'input',
-                'size' => 20,
-                'eval' => 'trim',
-                'max' => 50,
-                'softref' => 'substitute'
-            ]
-        ],
         'name' => [
             'exclude' => true,
             'label' => 'LLL:EXT:core/Resources/Private/Language/locallang_general.xlf:LGL.name',
@@ -292,7 +281,7 @@ return [
                 --div--;LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:fe_users.tabs.personelData,
                     company, title, name, --palette--;;2, address, zip, city, country, telephone, fax, email, www, image,
                 --div--;LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:fe_users.tabs.options,
-                    lockToDomain, TSconfig,
+                    TSconfig,
                 --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:access,
                     disable,--palette--;;timeRestriction,
                 --div--;LLL:EXT:core/Resources/Private/Language/Form/locallang_tabs.xlf:notes,
index af1b4ee..9900915 100644 (file)
@@ -20,18 +20,6 @@ For instance if a page or content element was assigned access only by this group
                        <trans-unit id="title.details" resname="title.details">
                                <source>This title will appear as the group name in the 'Access'-list in other records.</source>
                        </trans-unit>
-                       <trans-unit id="lockToDomain.description" resname="lockToDomain.description">
-                               <source>Enter the host name from which the group will be available only. NOTICE: this is not a security feature and can be circumvented by faking HTTP_HOST.</source>
-                       </trans-unit>
-                       <trans-unit id="lockToDomain.details" resname="lockToDomain.details" xml:space="preserve">
-                               <source>This options may be important if you have multiple websites in the same TYPO3 database but still only one main storage page for all Website users. Thus the users may log in on any of the website URLs. This may be considered a feature (having a global login as a user) or a problem (in which case you should have multiple user storages anyway). However you may wish to limit the use of a Website usergroup to a specific website and thus you don't want the group to be enabled for the user when he logs in at another URL (still from the same database of course). By entering the host name of the website here, you restrict the group to be used only from within this domain.
-
-&lt;b&gt;Notice:&lt;/b&gt; The use for this option is not critical if you have multiple Website user storages, namely one for each site.</source>
-                       </trans-unit>
-                       <trans-unit id="_lockToDomain.seeAlso" resname="_lockToDomain.seeAlso">
-                               <source>fe_users:lockToDomain</source>
-                               <note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
-                       </trans-unit>
                        <trans-unit id="subgroup.description" resname="subgroup.description">
                                <source>Member of other groups.</source>
                        </trans-unit>
index 17b0da2..63a9c72 100644 (file)
                        <trans-unit id="usergroup.details" resname="usergroup.details">
                                <source>When a user logs in he is able to view all content which is access restricted to the user &lt;em&gt;group(s)&lt;/em&gt; the user is a member of. Therefore the user login primarily makes sense with regard to the member groups.</source>
                        </trans-unit>
-                       <trans-unit id="lockToDomain.description" resname="lockToDomain.description">
-                               <source>Enter the host name from which the user is forced to login. NOTICE: this is not a security feature and can be circumvented by faking HTTP_HOST.</source>
-                       </trans-unit>
-                       <trans-unit id="lockToDomain.details" resname="lockToDomain.details">
-                               <source>A TYPO3 system may have multiple domains pointing to it. Therefore this option secures that users can login only from a certain host name.</source>
-                       </trans-unit>
-                       <trans-unit id="lockToDomain.syntax" resname="lockToDomain.syntax">
-                               <source>Either a domain name, "www.typo3.org" or an IP address, "10.34.222.83"</source>
-                       </trans-unit>
-                       <trans-unit id="_lockToDomain.seeAlso" resname="_lockToDomain.seeAlso">
-                               <source>fe_groups:lockToDomain</source>
-                               <note from="developer">This string contains an internal text, which must not be changed. Just copy the original text into the translation field. For more information have a look at the Tutorial.</note>
-                       </trans-unit>
                        <trans-unit id="name.description" resname="name.description">
                                <source>Enter the regular name of the user, both first- and surname.</source>
                        </trans-unit>
index 0ee88c4..b2e2e7f 100644 (file)
                        <trans-unit id="fe_users.usergroup" resname="fe_users.usergroup">
                                <source>Groups</source>
                        </trans-unit>
-                       <trans-unit id="fe_users.lockToDomain" resname="fe_users.lockToDomain">
-                               <source>Lock to Domain</source>
-                       </trans-unit>
                        <trans-unit id="fe_users.tabs.personelData" resname="fe_users.tabs.personelData">
                                <source>Personal Data</source>
                        </trans-unit>
                        <trans-unit id="fe_groups.title" resname="fe_groups.title">
                                <source>Group Title</source>
                        </trans-unit>
-                       <trans-unit id="fe_groups.lockToDomain" resname="fe_groups.lockToDomain">
-                               <source>Lock to Domain</source>
-                       </trans-unit>
                        <trans-unit id="fe_groups.subgroup" resname="fe_groups.subgroup">
                                <source>Subgroups</source>
                        </trans-unit>
index 662899a..495bcb8 100644 (file)
@@ -27,7 +27,6 @@ class FrontendGroupsVisibleFieldsTest extends FunctionalTestCase
         'title',
         'description',
         'subgroup',
-        'lockToDomain',
         'TSconfig',
         'tx_extbase_type',
     ];
index f254638..742f632 100644 (file)
@@ -42,7 +42,6 @@ class FrontendUsersVisibleFieldsTest extends FunctionalTestCase
         'email',
         'www',
         'image',
-        'lockToDomain',
         'TSconfig',
         'starttime',
         'endtime',
index b6839a0..b1065cd 100644 (file)
@@ -16,7 +16,6 @@ CREATE TABLE cache_treelist (
 #
 CREATE TABLE fe_groups (
        title varchar(50) DEFAULT '' NOT NULL,
-       lockToDomain varchar(50) DEFAULT '' NOT NULL,
        subgroup tinytext,
        TSconfig text
 );
@@ -53,7 +52,6 @@ CREATE TABLE fe_users (
        telephone varchar(30) DEFAULT '' NOT NULL,
        fax varchar(30) DEFAULT '' NOT NULL,
        email varchar(255) DEFAULT '' NOT NULL,
-       lockToDomain varchar(50) DEFAULT '' NOT NULL,
        uc blob,
        title varchar(40) DEFAULT '' NOT NULL,
        zip varchar(10) DEFAULT '' NOT NULL,