Commit 997b1c10 authored by Mona Muzaffar's avatar Mona Muzaffar Committed by Morton Jonuschat

[BUGFIX] Disable install tool access in switch user mode

During switch user mode the install tool modules are never visible.

Resolves: #82517
Releases: master
Change-Id: Ie367cb7f0208a7414ada38d40f8cdd3ab287da52
Reviewed-on: https://review.typo3.org/54181


Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: default avatarJan Stockfisch <jan.stockfisch@googlemail.com>
Tested-by: default avatarJan Stockfisch <jan.stockfisch@googlemail.com>
Reviewed-by: default avatarSascha Rademacher <s.rademacher@neusta.de>
Tested-by: default avatarSascha Rademacher <s.rademacher@neusta.de>
Reviewed-by: default avatarMorton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: default avatarMorton Jonuschat <m.jonuschat@mojocode.de>
parent 46cc4bcc
......@@ -462,9 +462,9 @@ class BackendUserAuthentication extends AbstractUserAuthentication
if (GeneralUtility::getApplicationContext()->isDevelopment() && $this->isAdmin()) {
return true;
}
$allowedAdmins = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
if (!empty($allowedAdmins)) {
return in_array((int)$this->user['uid'], $allowedAdmins, true);
$systemMaintainers = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
if (!empty($systemMaintainers)) {
return in_array($this->getRealUserId(), $systemMaintainers, true);
}
// No system maintainers set up yet, so any admin is allowed to access the modules
// but explicitly no system maintainers allowed (empty string in TYPO3_CONF_VARS).
......@@ -476,6 +476,15 @@ class BackendUserAuthentication extends AbstractUserAuthentication
return $this->isAdmin();
}
/**
* If a user has actually logged in and switched to a different user (admins can use the SU switch user method)
* the real UID is sometimes needed (when checking for permissions for example).
*/
protected function getRealUserId(): int
{
return (int)($GLOBALS['BE_USER']->user['ses_backuserid'] ?: $this->user['uid']);
}
/**
* Returns a WHERE-clause for the pages-table where user permissions according to input argument, $perms, is validated.
* $perms is the "mask" used to select. Fx. if $perms is 1 then you'll get all pages that a user can actually see!
......
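Review bot: The maintainer check on the new line `return in_array($this->getRealUserId(), $systemMaintainers, true);` decides on the real (pre-switch) user, but the Development-context shortcut just above it and the fallback `return $this->isAdmin();` in the second hunk still decide on the switched-to user, so one authorization decision mixes two identities. If the intent is that the install tool modules are never reachable while impersonating, an explicit guard ahead of those branches would make that hold on every path, e.g. `if ((int)($this->user['ses_backuserid'] ?? 0) !== 0) { return false; }`; the start of the method and old lines 471-475 lie outside the hunks, so such a guard may already exist there. Separately, `getRealUserId()` reads `ses_backuserid` from `$GLOBALS['BE_USER']` but falls back to `$this->user['uid']`; taking both values from `$this->user` would avoid depending on the global being set and being this same instance. Its docblock could also gain an `@return int` line stating that the original admin's uid is returned while a switch is active and the current uid otherwise.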