-
Notifications
You must be signed in to change notification settings - Fork 653
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[DOCS] Document "Restrict export functionality"
Add changelog entry to https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902 - Restrict export functionality to allowed users Resolves: #97771 Releases: main, 11.5, 10.4 Change-Id: I98252b73aa5b14a8cfe5d26559711123e17ced15 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74920 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Chris Müller <typo3@krue.ml> Reviewed-by: Nikita Hovratov <nikita.h@live.de> Tested-by: core-ci <typo3@b13.com> Tested-by: Chris Müller <typo3@krue.ml> Tested-by: Nikita Hovratov <nikita.h@live.de>
- Loading branch information
Showing
3 changed files
with
159 additions
and
0 deletions.
There are no files selected for viewing
53 changes: 53 additions & 0 deletions
53
.../Changelog/10.4.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| .. include:: /Includes.rst.txt | ||
|
|
||
| .. _important-94951-1655368664: | ||
|
|
||
| =================================================================== | ||
| Important: #94951 - Restrict export functionality to allowed users | ||
| =================================================================== | ||
|
|
||
| See :issue:`94951` | ||
|
|
||
| .. important:: | ||
| This change was introduced as part of the | ||
| `TYPO3 11.5.11 and 10.4.29 security release <https://typo3.org/security/advisory/typo3-core-sa-2022-001>`__. | ||
|
|
||
| Description | ||
| =========== | ||
|
|
||
| The export functionality has the following security drawbacks: | ||
|
|
||
| * Export for editors is not limited on field level | ||
| * The :guilabel:`Save to filename` functionality saves to a shared folder, | ||
| which other editors with different access rights may have access to. | ||
|
|
||
| Both issues are not easy to resolve and also the target | ||
| audience for the Import/Export functionality are mainly | ||
| TYPO3 admins. | ||
|
|
||
| Impact | ||
| ====== | ||
|
|
||
| The export functionality is restricted | ||
| to TYPO3 admin users and to users, who explicitly have | ||
| access through the new user TSConfig setting | ||
| :typoscript:`options.impexp.enableExportForNonAdminUser`. | ||
|
|
||
| Affected installations | ||
| ====================== | ||
|
|
||
| Installations with EXT:impexp installed where non-admin users need to use the | ||
| export functionality. | ||
|
|
||
| Migration | ||
| ========= | ||
|
|
||
| If non-admin users should be able to use the export tool, set the | ||
| following user TSconfig: | ||
|
|
||
| .. code-block:: typoscript | ||
| :caption: EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig | ||
| options.impexp.enableExportForNonAdminUser = 1 | ||
| .. index:: Backend, TSConfig, NotScanned, ext:impexp |
53 changes: 53 additions & 0 deletions
53
.../Changelog/11.5.x/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| .. include:: /Includes.rst.txt | ||
|
|
||
| .. _important-94951-1655368665: | ||
|
|
||
| =================================================================== | ||
| Important: #94951 - Restrict export functionality to allowed users | ||
| =================================================================== | ||
|
|
||
| See :issue:`94951` | ||
|
|
||
| .. important:: | ||
| This change was introduced as part of the | ||
| `TYPO3 11.5.11 and 10.4.29 security release <https://typo3.org/security/advisory/typo3-core-sa-2022-001>`__. | ||
|
|
||
| Description | ||
| =========== | ||
|
|
||
| The export functionality has the following security drawbacks: | ||
|
|
||
| * Export for editors is not limited on field level | ||
| * The :guilabel:`Save to filename` functionality saves to a shared folder, | ||
| which other editors with different access rights may have access to. | ||
|
|
||
| Both issues are not easy to resolve and also the target | ||
| audience for the Import/Export functionality are mainly | ||
| TYPO3 admins. | ||
|
|
||
| Impact | ||
| ====== | ||
|
|
||
| The export functionality is restricted | ||
| to TYPO3 admin users and to users, who explicitly have | ||
| access through the new user TSConfig setting | ||
| :typoscript:`options.impexp.enableExportForNonAdminUser`. | ||
|
|
||
| Affected installations | ||
| ====================== | ||
|
|
||
| Installations with EXT:impexp installed where non-admin users need to use the | ||
| export functionality. | ||
|
|
||
| Migration | ||
| ========= | ||
|
|
||
| If non-admin users should be able to use the export tool, set the | ||
| following user TSconfig: | ||
|
|
||
| .. code-block:: typoscript | ||
| :caption: EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig | ||
| options.impexp.enableExportForNonAdminUser = 1 | ||
| .. index:: Backend, TSConfig, NotScanned, ext:impexp |
53 changes: 53 additions & 0 deletions
53
...on/Changelog/12.0/Important-94951-RestrictExportFunctionalityToAllowedUsers.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| .. include:: /Includes.rst.txt | ||
|
|
||
| .. _important-94951-1655368666: | ||
|
|
||
| =================================================================== | ||
| Important: #94951 - Restrict export functionality to allowed users | ||
| =================================================================== | ||
|
|
||
| See :issue:`94951` | ||
|
|
||
| .. important:: | ||
| This change was introduced as part of the | ||
| `TYPO3 11.5.11 and 10.4.29 security release <https://typo3.org/security/advisory/typo3-core-sa-2022-001>`__. | ||
|
|
||
| Description | ||
| =========== | ||
|
|
||
| The export functionality has the following security drawbacks: | ||
|
|
||
| * Export for editors is not limited on field level | ||
| * The :guilabel:`Save to filename` functionality saves to a shared folder, | ||
| which other editors with different access rights may have access to. | ||
|
|
||
| Both issues are not easy to resolve and also the target | ||
| audience for the Import/Export functionality are mainly | ||
| TYPO3 admins. | ||
|
|
||
| Impact | ||
| ====== | ||
|
|
||
| The export functionality is restricted | ||
| to TYPO3 admin users and to users, who explicitly have | ||
| access through the new user TSConfig setting | ||
| :typoscript:`options.impexp.enableExportForNonAdminUser`. | ||
|
|
||
| Affected installations | ||
| ====================== | ||
|
|
||
| Installations with EXT:impexp installed where non-admin users need to use the | ||
| export functionality. | ||
|
|
||
| Migration | ||
| ========= | ||
|
|
||
| If non-admin users should be able to use the export tool, set the | ||
| following user TSconfig: | ||
|
|
||
| .. code-block:: typoscript | ||
| :caption: EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig | ||
| options.impexp.enableExportForNonAdminUser = 1 | ||
| .. index:: Backend, TSConfig, NotScanned, ext:impexp |