Commit 5782f4aa authored by Benni Mack's avatar Benni Mack Committed by Christian Kuhn
Browse files

[!!!][TASK] Remove global option "lockBeUserToDBmounts"

The global configuration option, which is always active by
default, restricts ALL non-administrators to be locked in to
their webroots (DB mounts).

Disabling this option would allow any editor to see the whole
page tree, overriding most of the concepts used in TYPO3
Backend and permission handling.

As stated in the description of the option, it is highly
recommended for security reasons to leave this option enabled.

This option is removed to streamline TYPO3's permission handling.

Resolves: #92940
Releases: master
Change-Id: I15f6538bdb34077a99cb8d2db7a21e60492bb923
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66908


Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent eba30abf
......@@ -365,8 +365,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
* The point is that this will add the security that a user can NEVER touch parts outside his mounted
* pages in the page tree. This is otherwise possible if the raw page permissions allows for it.
* So this security check just makes it easier to make safe user configurations.
* If the user is admin OR if this feature is disabled
* (fx. by setting TYPO3_CONF_VARS['BE']['lockBeUserToDBmounts']=0) then it returns "1" right away
* If the user is admin then it returns "1" right away
* Otherwise the function will return the uid of the webmount which was first found in the rootline of the input page $id
*
* @param int|array $idOrRow Page ID or full page record to check
......@@ -377,7 +376,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
*/
public function isInWebMount($idOrRow, $readPerms = '', $exitOnError = 0)
{
if (!$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] || $this->isAdmin()) {
if ($this->isAdmin()) {
return 1;
}
$checkRec = [];
......
......@@ -925,7 +925,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......@@ -1657,7 +1657,7 @@ class QueryGenerator
$queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
}
if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......
......@@ -1055,7 +1055,7 @@ class QueryView
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
if (!$this->backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$this->backendUserAuthentication->isAdmin()) {
$webMounts = $this->backendUserAuthentication->returnWebmounts();
$perms_clause = $this->backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......
......@@ -1149,7 +1149,6 @@ return [
'lockIPv6' => 0,
'sessionTimeout' => 28800, // a backend user logged in for 8 hours
'IPmaskList' => '',
'lockBeUserToDBmounts' => true,
'lockSSL' => false,
'lockSSLPort' => 0,
'enabledBeUserIPLock' => true,
......
......@@ -291,9 +291,6 @@ BE:
IPmaskList:
type: list
description: 'Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())</code>'
lockBeUserToDBmounts:
type: bool
description: 'If set, the backend user is allowed to work only within his page-mount. It''s advisable to leave this on because it makes security easy to manage.'
lockSSL:
type: bool
description: 'If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls'
......
.. include:: ../../Includes.txt
===============================================================
Breaking: #92940 - Global option "lockBeUserToDBmounts" removed
===============================================================
See :issue:`92940`
Description
===========
The system-wide setting :php:`$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']`
which was active by default, was used to allow any non-administrator to access
all pages in a TYPO3 installation without considering "Web Mounts" / "DB Mounts"
regardless of their permissions.
It was recommended to keep this setting turned on at any time due to several
security reasons.
This setting itself breaks TYPO3's internal permission concept and was never
implemented in all relevant places of TYPO3.
For this reason, the setting and all its usages are removed.
Impact
======
Activating or deactivating this option has no effect anymore as TYPO3 Core API
is working as this option was enabled at any time.
Affected Installations
======================
TYPO3 installations that have this option disabled in their system-wide
configuration in the `LocalConfiguration.php` file.
Migration
=========
None, as this feature was removed for security purposes, re-adding this feature
is not recommended.
All usages in custom TYPO3 extensions can be removed.
.. index:: Backend, LocalConfiguration, FullyScanned, ext:core
......@@ -51,7 +51,6 @@ class BackendUserAuthenticationTest extends FunctionalTestCase
*/
protected function setUp(): void
{
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] = 1;
$GLOBALS['TYPO3_CONF_VARS']['BE']['cookieName'] = 'be_typo_user';
$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '';
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'] = 4;
......
......@@ -159,6 +159,8 @@ class SilentConfigurationUpgradeService
'FE/IPmaskMountGroups',
// #87301
'SYS/cookieSecure',
// #92940
'BE/lockBeUserToDBmounts',
];
public function __construct(ConfigurationManager $configurationManager)
......
......@@ -455,4 +455,9 @@ return [
'Deprecation-92062-MigrateRecordListControllerHooksToAnPSR-14Event.rst',
],
],
'$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'lockBeUserToDBmounts\']' => [
'restFiles' => [
'Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst',
],
],
];
......@@ -1261,7 +1261,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......@@ -2050,7 +2050,7 @@ class QueryGenerator
$queryBuilder->select(...$selectFields)
->from($from_table)
->orderBy('uid');
if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......@@ -2694,7 +2694,7 @@ class QueryGenerator
$queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
}
if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
if (!$backendUserAuthentication->isAdmin()) {
$webMounts = $backendUserAuthentication->returnWebmounts();
$perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
$webMountPageTree = '';
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment