From 3d4d9d013f2fa62527bce3f08ee6b2b2c721df89 Mon Sep 17 00:00:00 2001
From: Georg Ringer <georg.ringer@gmail.com>
Date: Wed, 6 Dec 2017 09:35:28 +0100
Subject: [PATCH] [BUGFIX] Proper checks for system maintainers

Always use the original user id and never fall back to the user id that was
switched to.

The BackendUserAuthentication->isSystemMaintainer() method now always
returns false if a user is in "switch user" mode.

Resolves: #83041
Releases: master
Change-Id: I25fc15bb9f2ed19ae5080fbe039154be1c1a521f
Reviewed-on: https://review.typo3.org/54941
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../Classes/Authentication/BackendUserAuthentication.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index 1c661673b1fc..3bfcedf94941 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -452,21 +452,24 @@ class BackendUserAuthentication extends AbstractUserAuthentication
     }
 
     /**
-     * Checks if the user is in the valid list of allowed system maintainers, if the list is not set.
+     * Checks if the user is in the valid list of allowed system maintainers. if the list is not set,
      * then all admins are system maintainers. If the list is empty, no one is system maintainer (good for production
-     * systems)
+     * systems). If the currently logged in user is in "switch user" mode, this method will return false.
      *
      * @return bool
      */
     public function isSystemMaintainer(): bool
     {
+        if ((int)$GLOBALS['BE_USER']->user['ses_backuserid'] !== 0) {
+            return false;
+        }
         if (GeneralUtility::getApplicationContext()->isDevelopment() && $this->isAdmin()) {
             return true;
         }
         $systemMaintainers = $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? [];
         $systemMaintainers = array_map('intval', $systemMaintainers);
         if (!empty($systemMaintainers)) {
-            return in_array($this->getRealUserId(), $systemMaintainers, true);
+            return in_array((int)$this->user['uid'], $systemMaintainers, true);
         }
         // No system maintainers set up yet, so any admin is allowed to access the modules
         // but explicitly no system maintainers allowed (empty string in TYPO3_CONF_VARS).
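Review bot: The new guard at the top of isSystemMaintainer() reads the session flag from `$GLOBALS['BE_USER']` instead of from `$this`, so the decision depends on whichever instance happens to be global rather than on the object the method was called on, and it would error out if the method runs before `$GLOBALS['BE_USER']` is assigned (tests, early bootstrap). The rest of the method already uses `$this->user`, e.g. the replaced `in_array((int)$this->user['uid'], …)` line, so the guard should follow suit: `if ((int)($this->user['ses_backuserid'] ?? 0) !== 0) {`. The `?? 0` also covers the case where the key is absent from the user array; I cannot confirm from this hunk whether `ses_backuserid` is always populated, so treat that as something to verify against where the session record is loaded. The body of isSystemMaintainer() continues past the end of the hunk.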
-- 
GitLab