    [!!!][TASK] Simplify TCA authMode settings · 2f0338a9
    Christian Kuhn authored and Benni Mack committed
    To prepare towards a deployable backend group access
    rights system, some of the more obscure options are
    removed to reduce overall complexity.
    
    * TYPO3_CONF_VARS['BE']['explicitADmode'] is finally
      gone: Following a deny list approach is a flawed security
      system. TYPO3's default setting (explicitADmode=allow)
      follows the very common "Least Privileged" principle,
      so editors need to be explicitly given access to a
      CType, as is done with all other permissions.
    
    * The only valid value for TCA config option "authMode"
      on type="select" fields is now "explicitAllow". The
      previous "explicitDeny" value is abandoned following
      the reasoning above. The value "individual" is abandoned
      since it is a very rarely used setting (not a single
      match in TER).
    
    * With authMode="individual" being gone, the select item
      array keys on position six that could be set to "EXPL_DENY"
      and "EXPL_ALLOW" are obsolete.
    
    * Field "explicit_allowdeny" in table be_groups is
      simplified. This was a comma separated list of
      colon separated: "table:field:value:ALLOW/DENY".
      The last "ALLOW" or "DENY" is now obsolete.
    
    The patch removes the above handling from the core. A
    TCA migration scans TCA for invalid options and adapts
    them. An upgrade wizard is in place to clean up the
    be_groups explicit_allowdeny field of existing rows.
    
    Resolves: #97265
    Releases: main
    Change-Id: I545b08fc694e9081ad79e69e7f55f684316e7b0f
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74126

    Tested-by: core-ci <typo3@b13.com>
    Tested-by: Oliver Bartsch <bo@cedev.de>
    Tested-by: Stefan Bürk <stefan@buerk.tech>
    Tested-by: Benni Mack <benni@typo3.org>
    Reviewed-by: Oliver Bartsch <bo@cedev.de>
    Reviewed-by: Stefan Bürk <stefan@buerk.tech>
    Reviewed-by: Benni Mack <benni@typo3.org>
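
The be_groups explicit_allowdeny format change described in the commit message, as an added example that is not code from this commit or from TYPO3 core. The function name `migrateExplicitAllowDeny()` is hypothetical, and dropping DENY items is an assumption: the message only says the trailing "ALLOW" or "DENY" is obsolete, and in an allow-only model an unlisted value is refused, so dropping them fails closed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: convert one be_groups.explicit_allowdeny value from
 * "table:field:value:ALLOW/DENY" items to plain "table:field:value" items.
 */
function migrateExplicitAllowDeny(string $fieldValue): string
{
    $migrated = [];
    foreach (explode(',', $fieldValue) as $item) {
        $item = trim($item);
        if ($item === '') {
            continue;
        }
        // Old-format item: split off the obsolete ALLOW/DENY suffix.
        if (preg_match('/^(.+):(ALLOW|DENY)$/', $item, $m) === 1) {
            if ($m[2] === 'DENY') {
                // Assumption: no deny list any more, so the item is not
                // carried over. It must never become a grant.
                continue;
            }
            $item = $m[1];
        }
        // Expect exactly table:field:value; the value part may contain ':'.
        $parts = explode(':', $item, 3);
        if (count($parts) !== 3 || in_array('', $parts, true)) {
            // Malformed item: skip it rather than guess at a permission.
            continue;
        }
        // Array keys de-duplicate, so running the function twice is harmless.
        $migrated[$item] = true;
    }
    return implode(',', array_keys($migrated));
}

// Constructed sample value, not taken from a real installation.
$old = 'tt_content:CType:text:ALLOW,tt_content:CType:html:DENY,'
     . 'tt_content:CType:textmedia:ALLOW,tt_content:CType:text';
echo migrateExplicitAllowDeny($old), PHP_EOL;
```

Groups that previously relied on DENY items end up with fewer permissions after such a conversion, so their CType access needs to be reviewed and granted explicitly.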