[TASK] Destroy install tool session on backend user logout 97/58297/6
authorChristian Kuhn <lolli@schwarzbu.ch>
Sun, 16 Sep 2018 19:05:26 +0000 (21:05 +0200)
committerAndreas Fernandez <a.fernandez@scripting-base.de>
Sun, 16 Sep 2018 20:00:32 +0000 (22:00 +0200)
If a system maintainer used the install tool from within the
backend, that session is now explicitly destroyed on logout.

Resolves: #86249
Resolves: #85404
Releases: master
Change-Id: I6bf4f2a724ec85b60854e8f92c00a10e7614f140
Reviewed-on: https://review.typo3.org/58297
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/core/Tests/Unit/Authentication/BackendUserAuthenticationTest.php

index f82743d..97e34ba 100644 (file)
@@ -25,12 +25,14 @@ use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
 use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
 use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
 use TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;
+use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
 use TYPO3\CMS\Core\Resource\ResourceStorage;
 use TYPO3\CMS\Core\Type\Bitmask\JsConfirmation;
 use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Type\Exception\InvalidEnumerationValueException;
 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Install\Service\SessionService;
 
 /**
  * TYPO3 backend user authentication
@@ -2717,10 +2719,21 @@ This is a dump of the failures:
      */
     public function logoff()
     {
-        if (isset($GLOBALS['BE_USER']) && $GLOBALS['BE_USER'] instanceof self && isset($GLOBALS['BE_USER']->user['uid'])) {
-            \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()->clean();
+        if (isset($GLOBALS['BE_USER'])
+            && $GLOBALS['BE_USER'] instanceof self
+            && isset($GLOBALS['BE_USER']->user['uid'])
+        ) {
+            FormProtectionFactory::get()->clean();
             // Release the locked records
             $this->releaseLockedRecords((int)$GLOBALS['BE_USER']->user['uid']);
+
+            if ($this->isSystemMaintainer()) {
+                // If user is system maintainer, destroy its possibly valid install tool session.
+                $session = new SessionService();
+                if ($session->hasSession()) {
+                    $session->destroySession();
+                }
+            }
         }
         parent::logoff();
     }
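Review bot: The install tool session is only destroyed when `$this->isSystemMaintainer()` still holds at logout time, so a user who opened an install tool session and then lost system-maintainer status before logging out (or, judging by the `ses_backuserid` value the test fixture now needs, a switched-user session) keeps a live install tool session after the backend session is gone. Since `hasSession()` is already checked, the maintainer guard adds nothing for correctness and could be dropped: `$session = new SessionService(); if ($session->hasSession()) { $session->destroySession(); }`. The surrounding condition also mixes `$GLOBALS['BE_USER']` (uid check) with `$this` (`isSystemMaintainer()`), and presumably these are meant to be the same object; a short comment stating that assumption, e.g. `// $this is expected to be $GLOBALS['BE_USER'] here`, would help. Core now instantiates `TYPO3\CMS\Install\Service\SessionService` directly; if the install system extension can ever be absent this becomes a fatal error on logout, so a `class_exists()` guard or a hook-based approach may be worth considering.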
index 362a0c3..e167194 100644 (file)
@@ -96,7 +96,10 @@ class BackendUserAuthenticationTest extends UnitTestCase
         );
 
         $GLOBALS['BE_USER'] = $this->getMockBuilder(BackendUserAuthentication::class)->getMock();
-        $GLOBALS['BE_USER']->user = ['uid' => $this->getUniqueId()];
+        $GLOBALS['BE_USER']->user = [
+            'uid' => $this->getUniqueId(),
+            'ses_backuserid' => 0,
+        ];
         $GLOBALS['BE_USER']->setLogger(new NullLogger());
 
         /** @var BackendUserAuthentication|\PHPUnit_Framework_MockObject_MockObject $subject */
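Review bot: The fixture gains `'ses_backuserid' => 0`, presumably because the new `isSystemMaintainer()` call in `logoff()` reads that key, but no test exercises the new branch itself: there is no case where an install tool session exists and is expected to be destroyed, nor one where a non-maintainer's install tool session is left untouched. A brief comment on the fixture line, e.g. `// required by isSystemMaintainer() in logoff()`, would explain why the key is present. The enclosing test method starts outside this hunk.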