Commit 1a1a6feb authored by Oliver Hader's avatar Oliver Hader Committed by Oliver Hader
Browse files

[BUGFIX] Properly apply system maintainer role to backend admins

The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization
of backend user and admin tool sessions - without considering these
two documented aspects:

+ If no system maintainer is set up, then all administrators are
  assigned the system maintainer role.
+ In Development context, all administrators are system maintainers
  as well.

Resolves: #97768
Releases: main, 11.5, 10.4
Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74910

Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Thomas Hohn
Tested-by: Rudy Gnodde's avatarRudy Gnodde <rudy@famouswolf.com>
Tested-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Xavier Perseguers's avatarXavier Perseguers <xavier@typo3.org>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Reviewed-by: Thomas Hohn
Reviewed-by: Rudy Gnodde's avatarRudy Gnodde <rudy@famouswolf.com>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Andreas Fernandez's avatarAndreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Xavier Perseguers's avatarXavier Perseguers <xavier@typo3.org>
Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 59238797
......@@ -271,8 +271,12 @@ class SessionService implements SingletonInterface
}
$isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
$systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
// in case no system maintainers are configured, all admin users are considered to be system maintainers
$isSystemMaintainer = empty($systemMaintainers) || in_array((int)$backendUserRecord['uid'], $systemMaintainers, true);
// in development context, all admin users are considered to be system maintainers
$hasDevelopmentContext = Environment::getContext()->isDevelopment();
// stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
if (!$isAdmin || !$hasDevelopmentContext && !$isSystemMaintainer) {
return false;
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment