Commit 3f32d00b authored by Helmut Hummel's avatar Helmut Hummel Committed by Christian Kuhn
Browse files

[BUGFIX] Fix system maintainer access

Fix a check to not allow acces to admin users
but system maintainers only.

Change-Id: I2e5209bbaf7c3e3cee013d1fa08f48ff7e776956
Resolves: #82396
Related: #82306
Related: #82395
Releases: master
Reviewed-on: https://review.typo3.org/53965

Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent aa416f03
......@@ -262,7 +262,7 @@ class ModuleLoader
}
$access = strtolower($MCONF['access']);
// Check if this module is only allowed by system maintainers (= admins who are in the list of system maintainers)
if (strpos($access, BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
if (strpos($MCONF['access'], BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
return $this->BE_USER->isSystemMaintainer();
}
// Checking if admin-access is required
......
......@@ -428,9 +428,12 @@ class BackendUserAuthentication extends AbstractUserAuthentication
}
return false;
}
// Returns TRUE if conf[access] is set to system maintainers and the user is system maintainer
if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && $this->isSystemMaintainer()) {
return true;
// Returns false if conf[access] is set to system maintainers and the user is system maintainer
if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && !$this->isSystemMaintainer()) {
if ($exitOnError) {
throw new \RuntimeException('This module "' . $conf['name'] . '" is only available as system maintainer', 1504804727);
}
return false;
}
// Returns TRUE if conf[access] is not set at all or if the user is admin
if (!$conf['access'] || $this->isAdmin()) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment