UnauthorizedException when trying to delete own profile image #667

@ps-devstudio

Description

TYPO3 Version: 12.4.x
femanager Version: 8.3.x
PHP Version: 8.2

Current behavior

When a logged-in frontend user tries to delete their own profile image via
the UserController::imageDeleteAction(),
the following error occurs:

TYPO3\CMS\Core\Error\Http\UnauthorizedException
Code: #1516373759972
Message: You are not allowed to delete this image
File: /vendor/in2code/femanager/Classes/Controller/UserController.php:57

This happens although the user is deleting their own image, not another user’s.

Root cause

In the current implementation in

if (UserUtility::getCurrentUser() !== $user) {
    throw new UnauthorizedException('You are not allowed to delete this image', 1516373759972);
}

the comparison uses the strict !== operator between two different object instances of the same user (same UID but different in-memory object references).
This always fails, even when both represent the same frontend user.

Expected behavior

A logged-in user should be able to delete their own profile image without triggering an exception.

Recommended fix (Frontend-friendly)

Instead of throwing an exception (which breaks the frontend and shows a 403 page),
display a localized flash message and redirect the user back gracefully.

$currentUser = UserUtility::getCurrentUser();
if (
    !$currentUser
    || $currentUser->getUid() !== $user->getUid()
) {
    $this->addFlashMessage(
        LocalizationUtility::translate('error_not_authorized') ?? 'You are not allowed to delete this image',
        '',
        \TYPO3\CMS\Core\Type\ContextualFeedbackSeverity::ERROR
    );
    return $this->redirectToUri(FrontendUtility::getUriToCurrentPage());
}

Advantages:

User-friendly (no hard 403 page, just a flash message)
Keeps the frontend stable and consistent
Secure (UID check prevents unauthorized deletions)
Consistent with other femanager UX behavior

Alternative (strict API-style)

If strict HTTP status handling is preferred (e.g., for AJAX or API contexts),
the simpler UID-based comparison could also be used:

if ((int)UserUtility::getCurrentUser()->getUid() !== (int)$user->getUid()) {
    throw new UnauthorizedException('You are not allowed to delete this image', 1516373759972);
}

However, this is less suitable for frontend plugins,
as it breaks the flow and displays a raw error page.

Tested and verified

TYPO3 12.4.37
femanager 8.3.2
PHP 8.2
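To illustrate the root cause and the UID-based check described above, here is a standalone PHP script (an added example, not femanager's own code): a minimal stand-in class replaces the extbase frontend user model, and isForeignByUid() performs the same null-safe UID comparison the recommended fix relies on, beside the identity comparison that causes the bug.

```php
<?php
declare(strict_types=1);

// Minimal stand-in for the extbase FrontendUser model (constructed for this
// example; not the femanager class). Only the uid matters for the check.
final class FrontendUserStub
{
    public function __construct(private ?int $uid) {}

    public function getUid(): ?int
    {
        return $this->uid;
    }
}

// Identity comparison, as in the current implementation: two objects hydrated
// for the same database row are still distinct instances, so !== stays true.
function isForeignByIdentity(?FrontendUserStub $current, FrontendUserStub $target): bool
{
    return $current !== $target;
}

// UID comparison, as in the recommended fix: a missing session (null) or a
// user without a uid is treated as "not the owner"; otherwise uids are
// compared by value after an int cast.
function isForeignByUid(?FrontendUserStub $current, FrontendUserStub $target): bool
{
    if ($current === null || $current->getUid() === null) {
        return true;
    }
    return (int)$current->getUid() !== (int)$target->getUid();
}

// Two separate instances representing the same frontend user (uid 42,
// constructed sample value), plus a different user and no session at all.
$sessionUser = new FrontendUserStub(42);
$requestUser = new FrontendUserStub(42);
$otherUser   = new FrontendUserStub(7);

// The identity check rejects the owner's own request; the uid check lets the
// owner through while still rejecting another user and an anonymous caller.
var_dump(isForeignByIdentity($sessionUser, $requestUser));
var_dump(isForeignByUid($sessionUser, $requestUser));
var_dump(isForeignByUid($sessionUser, $otherUser));
var_dump(isForeignByUid(null, $requestUser));
```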
