[BUGFIX] Fix system maintainer access 65/53965/3
authorHelmut Hummel <typo3@helhum.io>
Thu, 7 Sep 2017 17:27:13 +0000 (19:27 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Sat, 9 Sep 2017 09:36:57 +0000 (11:36 +0200)
Fix a check to not allow access to admin users
but system maintainers only.

Change-Id: I2e5209bbaf7c3e3cee013d1fa08f48ff7e776956
Resolves: #82396
Related: #82306
Related: #82395
Releases: master
Reviewed-on: https://review.typo3.org/53965
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/backend/Classes/Module/ModuleLoader.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index 462c28c..ea1a91f 100644 (file)
@@ -262,7 +262,7 @@ class ModuleLoader
         }
         $access = strtolower($MCONF['access']);
         // Check if this module is only allowed by system maintainers (= admins who are in the list of system maintainers)
-        if (strpos($access, BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
+        if (strpos($MCONF['access'], BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
             return $this->BE_USER->isSystemMaintainer();
         }
         // Checking if admin-access is required
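Review bot: The role check on the added line is now a case-sensitive substring match against the raw `$MCONF['access']`, so an access string that spells the role with different casing would skip the `return $this->BE_USER->isSystemMaintainer();` branch and fall through to the weaker admin check below. Presumably the switch away from the lowercased `$access` was needed because the constant contains upper-case characters. A case-insensitive test keeps the restriction fail-closed: `if (stripos($MCONF['access'], BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {`. The same `strpos()` pattern appears in the BackendUserAuthentication hunk, where a miss reaches `!$conf['access'] || $this->isAdmin()` and would apparently let any admin through. The enclosing method starts and ends outside this hunk.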
index ec27817..feca299 100644 (file)
@@ -428,9 +428,12 @@ class BackendUserAuthentication extends AbstractUserAuthentication
             }
             return false;
         }
-        // Returns TRUE if conf[access] is set to system maintainers and the user is system maintainer
-        if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && $this->isSystemMaintainer()) {
-            return true;
+        // Returns false if conf[access] is set to system maintainers and the user is system maintainer
+        if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && !$this->isSystemMaintainer()) {
+            if ($exitOnError) {
+                throw new \RuntimeException('This module "' . $conf['name'] . '" is only available as system maintainer', 1504804727);
+            }
+            return false;
         }
         // Returns TRUE if conf[access] is not set at all or if the user is admin
         if (!$conf['access'] || $this->isAdmin()) {
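Review bot: The new comment above the system-maintainer guard states the opposite of what the condition does, because the branch is taken when `!$this->isSystemMaintainer()` holds. It also omits the `$exitOnError` path, which throws instead of returning. Suggested wording: `// Returns FALSE (or throws if $exitOnError is set) if conf[access] requires system maintainers and the user is not one`. An accurate comment matters here because this guard is the only thing stopping an ordinary admin from reaching the `isAdmin()` shortcut on the following lines. The enclosing method starts and ends outside this hunk.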