From 0e5f856151646abf761397367f6859224580e974 Mon Sep 17 00:00:00 2001
From: Georg Ringer <georg.ringer@gmail.com>
Date: Tue, 18 Jun 2024 21:23:35 +0200
Subject: [PATCH] [BUGFIX] Remove all restrictions in user creation command

Implement what is already commented by removing all restrictions when
comparing given username with all existing usernames. Even the username
of a deleted or disabled user must not be reused.

Resolves: #100729
Releases: main, 12.4
Change-Id: I85c314b2c4f6c8539e344e64371c631f29ab9db0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84783
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <gh@faktor-e.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Garvin Hicking <gh@faktor-e.de>
---
 .../Command/CreateBackendUserCommand.php        | 12 +++++++-----
 .../Command/CreateBackendUserCommandTest.php    | 17 +++++++++++++----
 .../Fixtures/Expected/be_users_after_admin.csv  |  6 ++++--
 .../Fixtures/Expected/be_users_after_maint.csv  |  6 ++++--
 .../Fixtures/Expected/be_users_after_normal.csv |  6 ++++--
 .../be_users_create_backend_command.csv         |  6 ++++++
 6 files changed, 38 insertions(+), 15 deletions(-)
 create mode 100644 typo3/sysext/backend/Tests/Functional/Fixtures/be_users_create_backend_command.csv

diff --git a/typo3/sysext/backend/Classes/Command/CreateBackendUserCommand.php b/typo3/sysext/backend/Classes/Command/CreateBackendUserCommand.php
index 55a855097b6a..238b14b11f77 100644
--- a/typo3/sysext/backend/Classes/Command/CreateBackendUserCommand.php
+++ b/typo3/sysext/backend/Classes/Command/CreateBackendUserCommand.php
@@ -145,11 +145,13 @@ EOT
     {
         // Taking deleted users into account as we want the username to be unique.
         // So in case a user was deleted and will be restored, this could cause duplicated usernames.
-        $queryBuilder = $this->connectionPool->getConnectionForTable('be_users');
-        $userList = $queryBuilder->select(['username'], 'be_users')->fetchAllAssociative();
-        $usernames = array_map(static function (array $user): string {
-            return $user['username'];
-        }, $userList);
+        $queryBuilder = $this->connectionPool->getQueryBuilderForTable('be_users');
+        $queryBuilder->getRestrictions()->removeAll();
+        $usernames = $queryBuilder
+            ->select('username')
+            ->from('be_users')
+            ->executeQuery()
+            ->fetchFirstColumn();
 
         $usernameValidator = static function ($username) use ($usernames) {
             if (empty($username)) {
diff --git a/typo3/sysext/backend/Tests/Functional/Command/CreateBackendUserCommandTest.php b/typo3/sysext/backend/Tests/Functional/Command/CreateBackendUserCommandTest.php
index b851194cc039..351b1a2d2f8c 100644
--- a/typo3/sysext/backend/Tests/Functional/Command/CreateBackendUserCommandTest.php
+++ b/typo3/sysext/backend/Tests/Functional/Command/CreateBackendUserCommandTest.php
@@ -17,6 +17,7 @@ declare(strict_types=1);
 
 namespace TYPO3\CMS\Backend\Tests\Functional\Command;
 
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Test;
 use TYPO3\CMS\Core\Tests\Functional\Command\AbstractCommandTestCase;
 
@@ -41,7 +42,7 @@ final class CreateBackendUserCommandTest extends AbstractCommandTestCase
     {
         parent::setUp();
         $this->importCSVDataSet(__DIR__ . '/Fixtures/be_groups_multiple.csv');
-        $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users.csv');
+        $this->importCSVDataSet(__DIR__ . '/../Fixtures/be_users_create_backend_command.csv');
     }
 
     #[Test]
@@ -145,16 +146,24 @@ final class CreateBackendUserCommandTest extends AbstractCommandTestCase
         self::assertEquals(255, $result['status']);
     }
 
+    public static function existingUsernameFailsDataProvider(): \Generator
+    {
+        yield 'existing admin' => ['username' => 'admin'];
+        yield 'disabled admin' => ['username' => 'admin_disabled'];
+        yield 'deleted editor' => ['username' => 'editor_deleted'];
+    }
+
     #[Test]
-    public function existingUsernameFails(): void
+    #[DataProvider('existingUsernameFailsDataProvider')]
+    public function existingUsernameFails(string $username): void
     {
         $result = $this->executeConsoleCommand(
             'backend:user:create --username %s --password %s --no-interaction',
-            '--username=admin',
+            $username,
             $this->userDefaults['password'],
         );
 
-        self::assertEquals(1, $result['status']);
+        self::assertEquals(255, $result['status']);
     }
 
     #[Test]
diff --git a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_admin.csv b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_admin.csv
index b8d5a92f5bd8..d8edf092ae21 100644
--- a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_admin.csv
+++ b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_admin.csv
@@ -1,8 +1,10 @@
 "be_users",,,,,,,
 ,"uid","pid","username","usergroup","deleted","admin","options","disable","email"
 ,1,0,"admin",,0,1,0,0,""
-,2,0,"_cli_","",0,1,3,0,""
-,3,0,"picard","",0,1,3,0,"starcommand@example.com"
+,2,0,"editor_deleted",,1,0,0,0,""
+,3,0,"admin_disabled",,0,1,0,1,""
+,4,0,"_cli_","",0,1,3,0,""
+,5,0,"picard","",0,1,3,0,"starcommand@example.com"
 be_groups,,,,,,,,
 ,uid,pid,title,deleted,db_mountpoints,tables_select,tables_modify,non_exclude_fields
 ,4,0,editors,0,1,"pages,tt_content","pages,tt_content","pages:title,pages:TSconfig,tt_content:header,tt_content:CType,tt_content:bodytext"
diff --git a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_maint.csv b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_maint.csv
index b8d5a92f5bd8..d8edf092ae21 100644
--- a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_maint.csv
+++ b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_maint.csv
@@ -1,8 +1,10 @@
 "be_users",,,,,,,
 ,"uid","pid","username","usergroup","deleted","admin","options","disable","email"
 ,1,0,"admin",,0,1,0,0,""
-,2,0,"_cli_","",0,1,3,0,""
-,3,0,"picard","",0,1,3,0,"starcommand@example.com"
+,2,0,"editor_deleted",,1,0,0,0,""
+,3,0,"admin_disabled",,0,1,0,1,""
+,4,0,"_cli_","",0,1,3,0,""
+,5,0,"picard","",0,1,3,0,"starcommand@example.com"
 be_groups,,,,,,,,
 ,uid,pid,title,deleted,db_mountpoints,tables_select,tables_modify,non_exclude_fields
 ,4,0,editors,0,1,"pages,tt_content","pages,tt_content","pages:title,pages:TSconfig,tt_content:header,tt_content:CType,tt_content:bodytext"
diff --git a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_normal.csv b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_normal.csv
index f484b3b64af0..723b27cfe648 100644
--- a/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_normal.csv
+++ b/typo3/sysext/backend/Tests/Functional/Command/Fixtures/Expected/be_users_after_normal.csv
@@ -1,8 +1,10 @@
 "be_users",,,,,,,
 ,"uid","pid","username","usergroup","deleted","admin","options","disable","email"
 ,1,0,"admin",,0,1,0,0,""
-,2,0,"_cli_","",0,1,3,0,""
-,3,0,"picard","4,8,16",0,0,3,0,"starcommand@example.com"
+,2,0,"editor_deleted",,1,0,0,0,""
+,3,0,"admin_disabled",,0,1,0,1,""
+,4,0,"_cli_","",0,1,3,0,""
+,5,0,"picard","4,8,16",0,0,3,0,"starcommand@example.com"
 be_groups,,,,,,,,
 ,uid,pid,title,deleted,db_mountpoints,tables_select,tables_modify,non_exclude_fields
 ,4,0,editors,0,1,"pages,tt_content","pages,tt_content","pages:title,pages:TSconfig,tt_content:header,tt_content:CType,tt_content:bodytext"
diff --git a/typo3/sysext/backend/Tests/Functional/Fixtures/be_users_create_backend_command.csv b/typo3/sysext/backend/Tests/Functional/Fixtures/be_users_create_backend_command.csv
new file mode 100644
index 000000000000..f55210323321
--- /dev/null
+++ b/typo3/sysext/backend/Tests/Functional/Fixtures/be_users_create_backend_command.csv
@@ -0,0 +1,6 @@
+"be_users"
+,"uid","pid","tstamp","username","password","admin","disable","starttime","endtime","options","crdate","workspace_perms","deleted","TSconfig","lastlogin","workspace_id"
+# The password is "password"
+,1,0,1366642540,"admin","$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1",1,0,0,0,0,1366642540,1,0,,1371033743,0
+,2,0,1366642541,"editor_deleted","$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1",0,0,0,0,0,1366642540,1,1,,1371033743,0
+,3,0,1366642542,"admin_disabled","$1$tCrlLajZ$C0sikFQQ3SWaFAZ1Me0Z/1",1,1,0,0,0,1366642540,1,0,,1371033743,0
-- 
GitLab