Commit 11716119 authored by Benni Mack's avatar Benni Mack Committed by Christian Kuhn

[FEATURE] Only allow access to install tool for system maintainers

A new option $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers']
is introduced, which contains a list of Backend User uids. It is
then possible to restrict access to backend modules to system
maintainers - most importantly the four Install Tool modules.

When this option is not set in LocalConfiguration.php, then all
admins are system maintainers, same goes for accessing TYPO3
in Development context.

This is the first step to remove the necessary "enter your
install tool password" when accessing the install tool from
within TYPO3 Backend.

Resolves: #82266
Releases: master
Change-Id: If0026748ede694394b4e7f39788a650816160146
Reviewed-on: https://review.typo3.org/53830


Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
Tested-by: default avatarTYPO3com <no-reply@typo3.com>
parent 8b4cb2ea
......@@ -261,6 +261,10 @@ class ModuleLoader
return true;
}
$access = strtolower($MCONF['access']);
// Check if this module is only allowed by system maintainers (= admins who are in the list of system maintainers)
if (strpos($access, BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
return $this->BE_USER->isSystemMaintainer();
}
// Checking if admin-access is required
// If admin-permissions is required then return TRUE if user is admin
if (strpos($access, 'admin') !== false && $this->BE_USER->isAdmin()) {
......
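Review bot: The new guard `if (strpos($access, BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false)` can never match, because `$access` is lowercased on the line above while the constant is the mixed-case string 'systemMaintainer', so a case-sensitive strpos() on 'systemmaintainer' always returns false. The branch returning isSystemMaintainer() is therefore dead, and modules registered with 'access' => 'systemMaintainer' (the four install modules changed in the ext_tables.php hunks below) are neither matched here nor by the following 'admin' substring check, so they fall through to whatever checkModAccess does next, which lies outside this hunk. Match against the raw value instead: `if (strpos($MCONF['access'], BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {`, or compare with `strtolower(BackendUserAuthentication::ROLE_SYSTEMMAINTAINER)`. A test that registers a module with 'access' => 'systemMaintainer' and asserts that an admin not on the maintainer list is denied would catch this. checkModAccess starts and ends outside the hunk.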
......@@ -38,6 +38,8 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
*/
class BackendUserAuthentication extends AbstractUserAuthentication
{
const ROLE_SYSTEMMAINTAINER = 'systemMaintainer';
/**
* Should be set to the usergroup-column (id-list) in the user-record
* @var string
......@@ -426,6 +428,10 @@ class BackendUserAuthentication extends AbstractUserAuthentication
}
return false;
}
// Returns TRUE if conf[access] is set to system maintainers and the user is system maintainer
if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && $this->isSystemMaintainer()) {
return true;
}
// Returns TRUE if conf[access] is not set at all or if the user is admin
if (!$conf['access'] || $this->isAdmin()) {
return true;
......@@ -441,6 +447,32 @@ class BackendUserAuthentication extends AbstractUserAuthentication
return $acs;
}
/**
* Checks if the user is in the valid list of allowed system maintainers, if the list is not set.
* then all admins are system maintainers. If the list is empty, no one is system maintainer (good for production
* systems)
*
* @return bool
*/
public function isSystemMaintainer(): bool
{
if (GeneralUtility::getApplicationContext()->isDevelopment() && $this->isAdmin()) {
return true;
}
$allowedAdmins = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
if (!empty($allowedAdmins)) {
return in_array((int)$this->user['uid'], $allowedAdmins, true);
}
// No system maintainers set up yet, so any admin is allowed to access the modules
// but explicitly no system maintainers allowed (empty string in TYPO3_CONF_VARS).
// @todo: this needs to be adjusted once system maintainers can log into the install tool with their credentials
if (isset($GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'])
&& empty($GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'])) {
return false;
}
return $this->isAdmin();
}
/**
* Returns a WHERE-clause for the pages-table where user permissions according to input argument, $perms, is validated.
* $perms is the "mask" used to select. Fx. if $perms is 1 then you'll get all pages that a user can actually see!
......
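Review bot: isSystemMaintainer() grants the role to any uid contained in systemMaintainers without requiring isAdmin(), so a non-admin backend user placed in that list passes the new `strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && $this->isSystemMaintainer()` branch of checkModAccess and reaches the install tool modules, although the commit message and the docblock both describe the list as a subset of admins. Add an early `if (!$this->isAdmin()) { return false; }` so the list can only narrow, never widen, the admin set; the Development-context check then no longer needs its own isAdmin() conjunct. Separately, `in_array((int)$this->user['uid'], $allowedAdmins, true)` fails closed when the uids are written as strings in LocalConfiguration.php, which is easy to do by hand, so normalising the list with array_map('intval', ...) avoids a silent lockout. The docblock sentence "if the list is not set. then all admins are system maintainers" should read "if the list is not set, then all admins are system maintainers".
```php
public function isSystemMaintainer(): bool
{
    // The role is a subset of admins: a listed uid that is not an admin must not be elevated
    if (!$this->isAdmin()) {
        return false;
    }
    if (GeneralUtility::getApplicationContext()->isDevelopment()) {
        return true;
    }
    $allowedAdmins = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
    if (!empty($allowedAdmins)) {
        // Normalise so uids written as strings still satisfy the strict in_array()
        $allowedAdmins = array_map('intval', (array)$allowedAdmins);
        return in_array((int)$this->user['uid'], $allowedAdmins, true);
    }
    // … unchanged: explicit empty-list handling and final isAdmin() fallback …
}
```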
......@@ -98,6 +98,7 @@ return [
'enableDeprecationLog' => '',
'UTF8filesystem' => false,
'systemLocale' => '',
'systemMaintainers' => null, // @todo: This will be set up as an empty array once the installer can define a system maintainers
'reverseProxyIP' => '',
'reverseProxyHeaderMultiValue' => 'none',
'reverseProxyPrefix' => '',
......
......@@ -84,6 +84,7 @@ return [
'generateApacheHtaccess' => 'Boolean: TYPO3 can create <em>.htaccess</em> files which are used by Apache Webserver. They are useful for access protection or performance improvements. Currently <em>.htaccess</em> files in the following directories are created, if they do not exist: <ul><li>typo3temp/compressor/</li></ul>You want to disable this feature, if you are not running Apache or want to use own rulesets.',
'isInitialInstallationInProgress' => 'Boolean: If TRUE, the installation is \'in progress\'. This value is handled within the install tool step installer internally.',
'isInitialDatabaseImportDone' => 'Boolean: If TRUE, the database import is finished. This value is handled within the install tool step installer internally.',
'systemMaintainers' => 'Array: A list of backend user IDs allowed to access the Install Tool',
],
'EXT' => [ // Options related to the Extension Management
'allowGlobalInstall' => 'Boolean: If set, global extensions in typo3/ext/ are allowed to be installed, updated and deleted etc.',
......
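Review bot: The new description `'systemMaintainers' => 'Array: A list of backend user IDs allowed to access the Install Tool'` omits the behaviour an operator must know before deciding whether to set the option: when it is absent every admin is treated as a system maintainer, an empty list grants the role to nobody, and in Development context all admins qualify regardless of the list (this follows from isSystemMaintainer() in the BackendUserAuthentication hunk). Since this text is what is shown next to the setting, extend it, e.g. `'Array: A list of backend user IDs (admins) allowed to access the Install Tool. If the option is not set, all admins are system maintainers; if it is an empty list, nobody is. In Development context all admins are system maintainers.'`.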
.. include:: ../../Includes.txt
==================================================
Feature: #82266 - Backend Users System Maintainers
==================================================
See :issue:`82266`
Description
===========
A new role for Backend Users is introduced - System Maintainers. These maintainers ("super admins")
are able to access the install tool modules from within the TYPO3 Backend, thus, the only place
to modify the system-wide configuration located in :php:``$TYPO3_CONF_VARS``, respectively
LocalConfiguration.php.
The list of allowed admins that are assigned as system maintainers can only be done within the TYPO3
Install Tool or by modifying the new configuration option :php:``TYPO3_CONF_VARS[SYS][systemMaintainers]``.
If no system maintainer is set up, then all administrators are assigned the system maintainer role.
In Development context, all administrators are system maintainers as well.
Impact
======
It is now possible to only allow access the install tool from within the TYPO3 Backend for certain
Backend Users.
Registering Backend Modules can now be restricted to "systemMaintainer" access, so they are only
shown for selected administrators.
.. index:: Backend, LocalConfiguration
......@@ -23,7 +23,7 @@ if (TYPO3_MODE === 'BE') {
'action' => 'maintenance'
]
],
'access' => 'admin',
'access' => 'systemMaintainer',
'name' => 'tools_toolsmaintenance',
'iconIdentifier' => 'module-install-maintenance',
'labels' => 'LLL:EXT:install/Resources/Private/Language/ModuleInstallMaintenance.xlf'
......@@ -41,7 +41,7 @@ if (TYPO3_MODE === 'BE') {
'action' => 'settings'
]
],
'access' => 'admin',
'access' => 'systemMaintainer',
'name' => 'tools_toolssettings',
'iconIdentifier' => 'module-install-settings',
'labels' => 'LLL:EXT:install/Resources/Private/Language/ModuleInstallSettings.xlf'
......@@ -59,7 +59,7 @@ if (TYPO3_MODE === 'BE') {
'action' => 'upgrade'
]
],
'access' => 'admin',
'access' => 'systemMaintainer',
'name' => 'tools_toolsupgrade',
'iconIdentifier' => 'module-install-upgrade',
'labels' => 'LLL:EXT:install/Resources/Private/Language/ModuleInstallUpgrade.xlf'
......@@ -77,7 +77,7 @@ if (TYPO3_MODE === 'BE') {
'action' => 'environment'
]
],
'access' => 'admin',
'access' => 'systemMaintainer',
'name' => 'tools_toolsenvironment',
'iconIdentifier' => 'module-install-environment',
'labels' => 'LLL:EXT:install/Resources/Private/Language/ModuleInstallEnvironment.xlf'
......