[BUGFIX] Only unlock records in BE user log off functionality 45/58145/5
authorBenni Mack <benni@typo3.org>
Mon, 3 Sep 2018 16:53:04 +0000 (18:53 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Mon, 3 Sep 2018 17:53:04 +0000 (19:53 +0200)
The database table `sys_lockedrecords` should only be cleared via
the BackendUtility when a Backend user is logging off. Currently, this
is also called for Frontend Users, which actually removes all lock entries
of the currently logged-in backend user with the same uid.

As this is very bad code design on many levels (lockRecords for
unlocking, no context for the authentication user object etc), this
should be encapsulated within the BackendUser object directly anyway.

For further abstractions, this could also be a hook or something else,
to be even cleaner.

Resolves: #86113
Releases: master, 8.7
Change-Id: I44d91064edb6ec9ef4c148e48b67bdf22da38869
Reviewed-on: https://review.typo3.org/58145
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index e67da94..f20bf61 100644 (file)
@@ -16,7 +16,6 @@ namespace TYPO3\CMS\Core\Authentication;
 
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerAwareTrait;
-use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Core\Environment;
 use TYPO3\CMS\Core\Crypto\Random;
 use TYPO3\CMS\Core\Database\Connection;
@@ -1018,8 +1017,6 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
     public function logoff()
     {
         $this->logger->debug('logoff: ses_id = ' . $this->id);
-        // Release the locked records
-        BackendUtility::lockRecords();
 
         $_params = [];
         foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'] ?? [] as $_funcRef) {
index 90f8d0b..f82743d 100644 (file)
@@ -2719,7 +2719,25 @@ This is a dump of the failures:
     {
         if (isset($GLOBALS['BE_USER']) && $GLOBALS['BE_USER'] instanceof self && isset($GLOBALS['BE_USER']->user['uid'])) {
             \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get()->clean();
+            // Release the locked records
+            $this->releaseLockedRecords((int)$GLOBALS['BE_USER']->user['uid']);
         }
         parent::logoff();
     }
+
+    /**
+     * Remove any "locked records" added for editing for the given user (= current backend user)
+     * @param int $userId
+     */
+    protected function releaseLockedRecords(int $userId)
+    {
+        if ($userId > 0) {
+            GeneralUtility::makeInstance(ConnectionPool::class)
+                ->getConnectionForTable('sys_lockedrecords')
+                ->delete(
+                    'sys_lockedrecords',
+                    ['userid' => $userId]
+                );
+        }
+    }
 }
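Review bot: The added call in `logoff()` takes the uid from `$GLOBALS['BE_USER']` rather than from the object being logged off, so the rows deleted from `sys_lockedrecords` belong to whichever backend user is global at that moment. The hunk does not show whether `$this` and `$GLOBALS['BE_USER']` can differ, for example with a subclass or a second instance. If they can, logging off one object would drop another user's edit locks, which is the same missing-context problem the commit message describes. Passing the instance's own id would tie the cleanup to the session that is ending: `$this->releaseLockedRecords((int)($this->user['uid'] ?? 0));`. The signature of `logoff()` lies outside the hunk, so the surrounding guard on the global is judged only from the lines shown.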