
Commit 0beac3d

[BUGFIX] Allow to visit pages if editor has no access
When an editor (non-admin) is logged in to the backend, and is logged into the frontend with a usergroup as well, the user is not allowed to view an access-restricted page for which the BE admin has no access - even though the frontend is accessible with the regular fe permission rights of the FE usergroup in the session.

This happens because the Preview simulation takes place in the Frontend (PreviewSimulator middleware) first, then evaluates that a preview should be shown (due to an ADMCMD_simUser=1 for example), and then checks - once the page is resolved - if the BE editor has access to the page - because he/she is logged in.

In this case, when a BE editor is logged in and has no permission to actually see the page due to BE restrictions, it is ADDITIONALLY checked now if the record can be previewed with the current Context information via the AccessVoter.

Resolves: #101589
Resolves: #105567
Resolves: #105866
Related: #97176
Releases: main, 13.4, 12.4
Change-Id: Ic78792eb6892e9af1ac4632ca777f3210ee34d2d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/88762
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Kienast <akienast@scripting-base.de>
Tested-by: Andreas Kienast <akienast@scripting-base.de>
Tested-by: core-ci <typo3@b13.com>
1 parent 0a5ac4d commit 0beac3d

1 file changed

+11
-3
lines changed

typo3/sysext/frontend/Classes/Page/PageInformationFactory.php

Lines changed: 11 additions & 3 deletions
@@ -530,9 +530,17 @@ protected function checkCrossDomainWithDirectId(ServerRequestInterface $request,
530530
*/
531531
protected function checkBackendUserAccess(ServerRequestInterface $request, PageInformation $pageInformation): void
532532
{
533-
if ($this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)
534-
&& $this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)
535-
&& !$GLOBALS['BE_USER']->doesUserHaveAccess($pageInformation->getPageRecord(), Permission::PAGE_SHOW)
533+
// No backend user was logged in, nothing to check
534+
if (!$this->context->getPropertyFromAspect('backend.user', 'isLoggedIn', false)) {
535+
return;
536+
}
537+
// PreviewSimulator did not detect anything
538+
if (!$this->context->getPropertyFromAspect('frontend.preview', 'isPreview', false)) {
539+
return;
540+
}
541+
// Editor has no show permission for this page PLUS regular user is not allowed to see the page? 403.
542+
if (!$GLOBALS['BE_USER']->doesUserHaveAccess($pageInformation->getPageRecord(), Permission::PAGE_SHOW)
543+
&& !$this->accessVoter->accessGranted('pages', $pageInformation->getPageRecord(), $this->context)
536544
) {
537545
$response = $this->errorController->accessDeniedAction(
538546
$request,
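Review bot: the docblock that closes just above `checkBackendUserAccess()` is not touched by this hunk, yet the method now relaxes the 403 when the AccessVoter grants `pages` access for the current Context; since this is a deliberate widening of what a logged-in editor can see in preview, add a sentence to that docblock describing the fallback (BE `PAGE_SHOW` permission OR `accessVoter->accessGranted('pages', ...)` for the frontend context) and cover the three paths introduced here (no BE user, no preview detected, editor without permission but frontend access granted) with a functional test so the combined condition cannot silently regress to the old behaviour.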
