From cc8faadf9f0f551cf8d517f8f3c8481e97140229 Mon Sep 17 00:00:00 2001 From: Torben Hansen Date: Sat, 1 Apr 2023 06:44:50 +0200 Subject: [PATCH] [TASK] Respect usePasswordPolicyForFrontendUsers in TCA type=password The feature toggle `security.usePasswordPolicyForFrontendUsers` introduced in #97390 was added to allow TYPO3 administrators to still use the deprecated TypoScript validators in ext:felogin for the password reset process. In order to have a consistent setup, the feature toggle must also be respected for frontend users in DataHandler and FormEngine, so it is possible to set any password, if the feature is turned off. With this patch, a possible configured password policy for frontend context (fe_users table) is ignored, if `security.usePasswordPolicyForFrontendUsers` is set to `false`. Resolves: #100300 Releases: main Signed-off-by: Torben Hansen Change-Id: I47f5284202b46d8e621adadb16fe6396afaea31c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78346 Tested-by: core-ci Tested-by: Oliver Bartsch Reviewed-by: Oliver Bartsch Reviewed-by: Benni Mack Tested-by: Benni Mack
---
 .../backend/Classes/Form/Element/PasswordElement.php | 8 ++++++++
 typo3/sysext/core/Classes/DataHandling/DataHandler.php | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
index 360e7e850c47..512f8ea54f21 100644
--- a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -17,6 +17,7 @@
 namespace TYPO3\CMS\Backend\Form\Element;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Page\JavaScriptModuleInstruction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyAction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyValidator;
@@ -60,6 +61,13 @@ public function render()
 );
 $passwordPolicy = $config['passwordPolicy'] ?? null;
+
+ // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+ $features = GeneralUtility::makeInstance(Features::class);
+ if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+ $passwordPolicy = null;
+ }
+
 if ($passwordPolicy) {
 // We always use PasswordPolicyAction::NEW_USER_PASSWORD here, since the password is not set by the user,
 // but either by an admin or an editor
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
index 50e29b074c0f..dfaa021aea67 100644
--- a/typo3/sysext/core/Classes/DataHandling/DataHandler.php
+++ b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -27,6 +27,7 @@
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Cache\CacheManager;
 use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidIdentifierException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowLoopException;
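Review bot: The block added to `PasswordElement::render()` drops a policy that the TCA explicitly configures, but its comment does not say that nothing takes its place: as far as the hunk shows, `if ($passwordPolicy)` is then skipped, so an admin or editor gets neither the policy requirements nor any check for `fe_users` passwords. I would extend the comment to something like `// Toggle off: no policy is rendered or enforced here for fe_users; the ext:felogin TypoScript validators only cover the password reset flow`. The same literal `'fe_users'` check is repeated in the `checkValueForPassword()` hunk of DataHandler.php with a different sentinel (`null` here, `''` there); one shared helper that returns the effective policy for a table would keep FormEngine and DataHandler from drifting apart. `render()` begins and ends outside the hunk, so where `$table` is assigned is not visible.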
@@ -1864,6 +1865,13 @@ protected function checkValueForPassword(
 // We got no salted password instance, incoming value must be a new plaintext password
 // Validate new password against password policy for field
 $passwordPolicy = $tcaFieldConf['passwordPolicy'] ?? '';
+
+ // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+ $features = GeneralUtility::makeInstance(Features::class);
+ if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+ $passwordPolicy = '';
+ }
+
 $passwordPolicyValidator = GeneralUtility::makeInstance(
 PasswordPolicyValidator::class,
 PasswordPolicyAction::NEW_USER_PASSWORD,
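Review bot: After this block in `checkValueForPassword()` a bypassed policy is indistinguishable from an unconfigured one, because the reset uses the same `''` that the `?? ''` default on the context line already produces; nothing downstream can log or report that a configured policy was skipped. A comment stating that intent, e.g. `// Deliberately falls back to "no policy": weak fe_users passwords are accepted while the toggle is off`, would make the security trade-off visible to the next reader. The diffstat lists only the two class files, so no test pins either state of `security.usePasswordPolicyForFrontendUsers`; a functional test for toggle on (configured policy rejects a weak password) and toggle off (policy skipped) would guard against regressions. `Features` is also resolved for every table; testing `$table === 'fe_users'` first in an outer `if` avoids that. The function starts and ends outside the hunk.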