[TASK] Respect usePasswordPolicyForFrontendUsers in TCA type=password

The feature toggle `security.usePasswordPolicyForFrontendUsers` introduced in #97390 was added to allow TYPO3 administrators to still use the deprecated TypoScript validators in ext:felogin for the password reset process. In order to have a consistent setup, the feature toggle must also be respected for frontend users in DataHandler and FormEngine, so it is possible to set any password, if the feature is turned off. With this patch, a possible configured password policy for frontend context (fe_users table) is ignored, if `security.usePasswordPolicyForFrontendUsers` is set to `false`. Resolves: #100300 Releases: main Signed-off-by: Torben Hansen <derhansen@gmail.com> Change-Id: I47f5284202b46d8e621adadb16fe6396afaea31c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78346 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: Benni Mack <benni@typo3.org>
TYPO3 · Apr 18, 2023 · cc8faad · cc8faad
1 parent f3a4e45
commit cc8faad
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -17,6 +17,7 @@
 
 namespace TYPO3\CMS\Backend\Form\Element;
 
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Page\JavaScriptModuleInstruction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyAction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyValidator;
@@ -60,6 +61,13 @@ public function render()
         );
 
         $passwordPolicy = $config['passwordPolicy'] ?? null;
+
+        // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+        $features = GeneralUtility::makeInstance(Features::class);
+        if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+            $passwordPolicy = null;
+        }
+
         if ($passwordPolicy) {
             // We always use PasswordPolicyAction::NEW_USER_PASSWORD here, since the password is not set by the user,
             // but either by an admin or an editor

diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -27,6 +27,7 @@
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Cache\CacheManager;
 use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidIdentifierException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowLoopException;
@@ -1864,6 +1865,13 @@ protected function checkValueForPassword(
             // We got no salted password instance, incoming value must be a new plaintext password
             // Validate new password against password policy for field
             $passwordPolicy = $tcaFieldConf['passwordPolicy'] ?? '';
+
+            // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+            $features = GeneralUtility::makeInstance(Features::class);
+            if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+                $passwordPolicy = '';
+            }
+
             $passwordPolicyValidator = GeneralUtility::makeInstance(
                 PasswordPolicyValidator::class,
                 PasswordPolicyAction::NEW_USER_PASSWORD,