[BUGFIX] Set correct HTTP header when page access is denied 95/54495/4
authorMarkus Klein <markus.klein@typo3.org>
Sun, 29 Oct 2017 17:37:52 +0000 (18:37 +0100)
committerSusanne Moog <susanne.moog@typo3.org>
Tue, 28 Nov 2017 07:51:05 +0000 (08:51 +0100)
Accessing an existing page with insufficient permissions should
not set a 404 header but a 403 header.

Resolves: #23178
Releases: master, 8.7
Change-Id: I2470434f7600b28eaa613ee4e1669e78ceaaaec3
Reviewed-on: https://review.typo3.org/54495
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
typo3/sysext/core/Configuration/DefaultConfiguration.php
typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst [new file with mode: 0644]
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php

index 6c82217..4fbefad 100644 (file)
@@ -1016,6 +1016,7 @@ return [
         'compressionLevel' => 0,
         'pageNotFound_handling' => '',
         'pageNotFound_handling_statheader' => 'HTTP/1.0 404 Not Found',
+        'pageNotFound_handling_accessdeniedheader' => 'HTTP/1.0 403 Access denied',
         'pageNotFoundOnCHashError' => true,
         'pageUnavailable_handling' => '',
         'pageUnavailable_handling_statheader' => 'HTTP/1.0 503 Service Temporarily Unavailable',
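Review bot: The new default `'HTTP/1.0 403 Access denied'` uses a non-standard reason phrase; the phrase registered for 403 in the HTTP specification is "Forbidden", and the sibling defaults on the neighbouring lines (`404 Not Found`, `503 Service Temporarily Unavailable`) all use the registered phrase. Clients act on the status code, so this is not a functional problem, but for consistency I would change the line to `'pageNotFound_handling_accessdeniedheader' => 'HTTP/1.0 403 Forbidden',`. The same literal is repeated in both changelog files and would need to follow.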
index 1c4b6d1..b281eda 100644 (file)
@@ -352,7 +352,10 @@ FE:
             description: '<p>How TYPO3 should handle requests for non-existing/accessible pages.</p> <dl><dt>empty (default)</dt><dd>The next visible page upwards in the page tree is shown.</dd> <dt>''true'' or ''1''</dt><dd>An error message is shown.</dd><dt>String</dt><dd>Static HTML file to show (reads content and outputs with correct headers), e.g. ''notfound.html'' or ''http://www.example.org/errors/notfound.html''.</dd> <dt>Prefix "REDIRECT:"</dt><dd> If prefixed with "REDIRECT:" it will redirect to the URL/script after the prefix.</dd><dt>Prefix "READFILE:"</dt><dd>If prefixed with "READFILE" then it will expect the remaining string to be a HTML file which will be read and outputted directly after having the marker "###CURRENT_URL###" substituted with REQUEST_URI and ###REASON### with reason text, for example: "READFILE:fileadmin/notfound.html".</dd> <dt>Prefix "USER_FUNCTION:"</dt><dd> If prefixed with "USER_FUNCTION:" a user function is called, e.g. "USER_FUNCTION:fileadmin/class.user_notfound.php:user_notFound->pageNotFound" where the file must contain a class "user_notFound" with a method "pageNotFound" inside with two parameters $param and $ref.</dd></dl>'
         pageNotFound_handling_statheader:
             type: text
-            description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling.'
+            description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling. This applies to non-access-restriction related errors.'
+        pageNotFound_handling_accessdeniedheader:
+            type: text
+            description: 'If ''pageNotFound_handling'' is enabled, this string will always be sent as header before the actual handling. This applies to access-restricted related errors.'
         pageNotFoundOnCHashError:
             type: bool
             description: 'If TRUE, a page not found call is made when cHash evaluation error occurs, otherwise caching is disabled and page output is displayed.'
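Review bot: The description added for pageNotFound_handling_accessdeniedheader is a copy of the statheader text with only the last sentence changed, and that sentence, "This applies to access-restricted related errors.", does not say what distinguishes the two options. I would state the difference explicitly, e.g. `description: 'If ''pageNotFound_handling'' is enabled, this string is sent as header instead of ''pageNotFound_handling_statheader'' when the requested page exists but is not accessible to the current visitor.'`; the statheader sentence "This applies to non-access-restriction related errors." then reads more clearly as "This applies to all other page-not-found errors."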
diff --git a/typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst b/typo3/sysext/core/Documentation/Changelog/8.7/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
new file mode 100644 (file)
index 0000000..597d520
--- /dev/null
@@ -0,0 +1,18 @@
+.. include:: ../../Includes.txt
+
+==========================================================================================
+Important: #23178 - New TYPO3_CONF_VARS option FE|pageNotFound_handling_accessdeniedheader
+==========================================================================================
+
+See :issue:`23178`
+
+Description
+===========
+
+In order to send a correct HTTP header to the browser when access to a page is denied,
+a new option TYPO3_CONF_VARS is introduced.
+
+The option :php:`FE|pageNotFound_handling_accessdeniedheader` allows to configure the
+header which defaults to :php:`HTTP/1.0 403 Access denied`.
+
+.. index:: Frontend, LocalConfiguration, NotScanned
\ No newline at end of file
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst b/typo3/sysext/core/Documentation/Changelog/master/Important-23178-NewTYPO3_CONF_VARSOptionFEpageNotFound_handling_accessdeniedheader.rst
new file mode 100644 (file)
index 0000000..597d520
--- /dev/null
@@ -0,0 +1,18 @@
+.. include:: ../../Includes.txt
+
+==========================================================================================
+Important: #23178 - New TYPO3_CONF_VARS option FE|pageNotFound_handling_accessdeniedheader
+==========================================================================================
+
+See :issue:`23178`
+
+Description
+===========
+
+In order to send a correct HTTP header to the browser when access to a page is denied,
+a new option TYPO3_CONF_VARS is introduced.
+
+The option :php:`FE|pageNotFound_handling_accessdeniedheader` allows to configure the
+header which defaults to :php:`HTTP/1.0 403 Access denied`.
+
+.. index:: Frontend, LocalConfiguration, NotScanned
\ No newline at end of file
index 2bd0d40..130be8e 100644 (file)
@@ -1344,7 +1344,11 @@ class TypoScriptFrontendController implements LoggerAwareInterface
                 3 => 'ID was outside the domain',
                 4 => 'The requested page alias does not exist'
             ];
-            $this->pageNotFoundAndExit($pNotFoundMsg[$this->pageNotFound]);
+            $header = '';
+            if ($this->pageNotFound === 1 || $this->pageNotFound === 2) {
+                $header = $GLOBALS['TYPO3_CONF_VARS']['FE']['pageNotFound_handling_accessdeniedheader'];
+            }
+            $this->pageNotFoundAndExit($pNotFoundMsg[$this->pageNotFound], $header);
         }
         // Init SYS_LASTCHANGED
         $this->register['SYS_LASTCHANGED'] = (int)$this->page['tstamp'];
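Review bot: The condition `$this->pageNotFound === 1 || $this->pageNotFound === 2` hard-codes which failure codes count as access denied, while the visible `$pNotFoundMsg` table only shows the meaning of codes 3 and 4; a comment at the `$header = '';` line should record the intent, e.g. `// Codes 1 and 2 mean the page exists but is not accessible to the current visitor; answer 403 instead of the generic 404 header`. Two things about the new behaviour deserve a note in the changelog rather than a code change: answering 403 confirms to an anonymous visitor that a page exists at that path, and integrators who want restricted pages to remain indistinguishable from missing ones can set the new option to a 404 header; and if code 1 is also produced for pages that are hidden or outside their start/end time (it appears to be derived from the page lookup's enable-field check, which the hunk does not show), those pages will now answer 403 as well. The enclosing method and the `pageNotFoundAndExit()` signature that now receives `$header` are outside the hunk, so I cannot confirm from here that an empty `$header` falls back to pageNotFound_handling_statheader.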