[BUGFIX] Invalid session token on creating content element in admin panel 88/55488/2
authorOliver Hader <oliver@typo3.org>
Mon, 29 Jan 2018 15:29:33 +0000 (16:29 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Mon, 29 Jan 2018 19:35:30 +0000 (20:35 +0100)
When creating a new content element in the frontend using the according
button in the "editing" section of the admin panel, the request to the
TYPO3 backend is rejected due to an invalid XSRF session token:

Validating the security token of this form has failed.
Please reload the form and submit it again.

The reason is that, after issue #70055, the URL looks like
"token=<hash>id=<id>" instead of "token=<hash>&id=<id>" - the id became
part of the XSRF session token.

Resolves: #83719
Releases: master, 8.7, 7.6
Change-Id: Ibdd252b2e59d9e8de78bb0be14a95e0789dc0d17
Reviewed-on: https://review.typo3.org/55488
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Alexander Opitz <opitz.alexander@googlemail.com>
Tested-by: Alexander Opitz <opitz.alexander@googlemail.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/frontend/Classes/View/AdminPanelView.php

index 529c448..ff11409 100644 (file)
@@ -830,7 +830,6 @@ class AdminPanelView
         $moduleName = $tsConfig['properties']['newContentElementWizard.']['override'] ?? 'new_content_element';
         /** @var \TYPO3\CMS\Backend\Routing\UriBuilder $uriBuilder */
         $uriBuilder = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\Routing\UriBuilder::class);
-        $newContentWizScriptPath = (string)$uriBuilder->buildUriFromRoute($moduleName);
         $perms = $this->getBackendUser()->calcPerms($tsfe->page);
         $langAllowed = $this->getBackendUser()->checkLanguageAccess($tsfe->sys_language_uid);
         $id = $tsfe->id;
@@ -855,11 +854,14 @@ class AdminPanelView
 
         // New Content
         if ($perms & Permission::CONTENT_EDIT && $langAllowed) {
-            $params = '';
-            if ($tsfe->sys_language_uid) {
-                $params = '&sys_language_uid=' . $tsfe->sys_language_uid;
+            $linkParameters = [
+                'id' => $id,
+                'returnUrl' => $returnUrl,
+            ];
+            if (!empty($tsfe->sys_language_uid)) {
+                $linkParameters['sys_language_uid'] = $tsfe->sys_language_uid;
             }
-            $link = $newContentWizScriptPath . 'id=' . $id . $params . '&returnUrl=' . rawurlencode($returnUrl);
+            $link = (string)$uriBuilder->buildUriFromRoute($moduleName, $linkParameters);
             $icon = $this->iconFactory->getIcon('actions-add', Icon::SIZE_SMALL)->render();
             $title = $this->extGetLL('edit_newContentElement');
             $output[] = '<a class="' . $classes . '" href="' . htmlspecialchars($link) . '" title="' . $title . '">';
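Review bot: `$returnUrl` is now handed to `buildUriFromRoute()` without the `rawurlencode()` the removed `$link` line applied, so the link's correctness (and the token being computed over the intended parameter set) depends on the UriBuilder encoding its query parameters itself; that appears to be the intent, since hand-built query strings caused the bug, but it should be confirmed and recorded with a comment such as `// parameters are URL-encoded and token-signed by the UriBuilder; do not pre-encode them` above the `$link =` line. The `!empty($tsfe->sys_language_uid)` guard behaves like the old truthiness check, but since the uid is numeric, `if ($tsfe->sys_language_uid > 0) {` states the intent more directly. Separately, `$title` from `extGetLL()` is still placed in the `title` attribute without `htmlspecialchars()` on the last line of the hunk; that is pre-existing, but this rewrite of the link construction is a natural place to escape it like `$link`. The enclosing method continues outside the hunk.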