Commit 3d4d9d01 authored by Georg Ringer's avatar Georg Ringer Committed by Benni Mack

[BUGFIX] Proper checks for system maintainers

Always use the original user id and never fall back to the user id that was
switched to.

The BackendUserAuthentication->isSystemMaintainer() method now always
returns false if a user is in "switch user" mode.

Resolves: #83041
Releases: master
Change-Id: I25fc15bb9f2ed19ae5080fbe039154be1c1a521f
Reviewed-on: https://review.typo3.org/54941


Reviewed-by: Andreas Fernandez's avatarAndreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez's avatarAndreas Fernandez <typo3@scripting-base.de>
Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
parent 1e5624e2
......@@ -452,21 +452,24 @@ class BackendUserAuthentication extends AbstractUserAuthentication
}
/**
* Checks if the user is in the valid list of allowed system maintainers, if the list is not set.
* Checks if the user is in the valid list of allowed system maintainers. if the list is not set,
* then all admins are system maintainers. If the list is empty, no one is system maintainer (good for production
* systems)
* systems). If the currently logged in user is in "switch user" mode, this method will return false.
*
* @return bool
*/
public function isSystemMaintainer(): bool
{
if ((int)$GLOBALS['BE_USER']->user['ses_backuserid'] !== 0) {
return false;
}
if (GeneralUtility::getApplicationContext()->isDevelopment() && $this->isAdmin()) {
return true;
}
$systemMaintainers = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
$systemMaintainers = array_map('intval', $systemMaintainers);
if (!empty($systemMaintainers)) {
return in_array($this->getRealUserId(), $systemMaintainers, true);
return in_array((int)$this->user['uid'], $systemMaintainers, true);
}
// No system maintainers set up yet, so any admin is allowed to access the modules
// but explicitly no system maintainers allowed (empty string in TYPO3_CONF_VARS).