[BUGFIX] Properly set user to admin in setup module
SetupModuleController serves as a backdoor so regular users without
permission to manipulate be_users records can still edit their profile.
For this to work, the access check needs to be bypassed for this
particular record by DataHandler.

The start() method of DataHandler prepares, e.g., the exclude fields to be checked.
With the current code, the incoming user is not yet set to admin, so exclude field
checking may fail, especially if 3rd-party extensions manipulate this.
The patch hands a temporary user with activated admin flag to DataHandler,
so it can bypass the access check for profile editing.

Resolves: #92097
Related: #85196
Releases: master, 10.4
Change-Id: I0696f81bbccc7932f8c03eec9452dade9423c074
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65451
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
lolli42 authored and andreaskienast committed Aug 26, 2020
1 parent c29f21e commit 585c7fa
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions typo3/sysext/setup/Classes/Controller/SetupModuleController.php
@@ -316,13 +316,18 @@ protected function storeIncomingData(array $postData)
}
// Persist data if something has changed:
if (!empty($storeRec) && $this->saveData) {
// Make instance of TCE for storing the changes.
// Set user to admin to circumvent DataHandler restrictions.
// Not using isAdmin() to fetch the original value, just in case it has been boolean casted.
$savedUserAdminState = $backendUser->user['admin'];
$backendUser->user['admin'] = true;
// Make dedicated instance of TCE for storing the changes.
$dataHandler = GeneralUtility::makeInstance(DataHandler::class);
$dataHandler->start($storeRec, []);
$dataHandler->admin = true;
$dataHandler->start($storeRec, [], $backendUser);
// This is to make sure that the users record can be updated even if in another workspace. This is tolerated.
$dataHandler->bypassWorkspaceRestrictions = true;
$dataHandler->process_datamap();
// reset the user record admin flag to previous value, just in case it gets used any further.
$backendUser->user['admin'] = $savedUserAdminState;
if ($this->passwordIsUpdated === self::PASSWORD_NOT_UPDATED || count($storeRec['be_users'][$beUserId]) > 1) {
$this->setupIsUpdated = true;
}
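Review bot: the restore on the line `$backendUser->user['admin'] = $savedUserAdminState;` only executes if `process_datamap()` returns normally; if a DataHandler hook throws (the commit message itself anticipates third-party extensions interfering at this point), the live backend user object stays flagged as admin for the remainder of the request. Wrap the `start()`/`process_datamap()` calls in `try { ... } finally { $backendUser->user['admin'] = $savedUserAdminState; }` so the restore is unconditional. Also, the commit message describes handing a "temporary user" to DataHandler, but the code mutates the real `$backendUser` and passes that in, so during the `process_datamap()` window every hook and any other code holding a reference to `$backendUser` sees an admin user; consider passing a copy with the flag set rather than toggling it on the shared object, and state in the comment that only the user's own `be_users` record is expected in `$storeRec` so the scope of the bypass is documented next to the code.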
