[BUGFIX] Prevent workspace access checks for dummy user

The backend usergroup compare view requires to fetch the group data of the groups to compare. Since this operation depends on a user array, UserInformationService creates such dummy user. Since #93233 the dummy user array also contains a workspace id `-99`. To successfully overcome workspace access-checks, set the admin-flag for this fake-user. Use workspace uid 0, to avoid any database operations on workspace access checks. Workspace 0 additionally prevents the log-message, which led to the exception message described at #93894. Resolves: #93894 Related: #93233 Releases: master, 11.5 Change-Id: Ieb5da95082cb6dfd5c030fbd04d735863d587510 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70056 Tested-by: core-ci <typo3@b13.com> Tested-by: Jochen <rothjochen@gmail.com> Tested-by: Nikita Hovratov <nikita.h@live.de> Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Jochen <rothjochen@gmail.com> Reviewed-by: Nikita Hovratov <nikita.h@live.de> Reviewed-by: Oliver Bartsch <bo@cedev.de>

[BUGFIX] Prevent workspace access checks for dummy user
The backend usergroup compare view requires to fetch the group data of the groups to compare. Since this operation depends on a user array, UserInformationService creates such dummy user. Since #93233 the dummy user array also contains a workspace id `-99`. To successfully overcome workspace access-checks, set the admin-flag for this fake-user. Use workspace uid 0, to avoid any database operations on workspace access checks. Workspace 0 additionally prevents the log-message, which led to the exception message described at #93894. Resolves: #93894 Related: #93233 Releases: master, 11.5 Change-Id: Ieb5da95082cb6dfd5c030fbd04d735863d587510 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70056 Tested-by: core-ci <typo3@b13.com> Tested-by: Jochen <rothjochen@gmail.com> Tested-by: Nikita Hovratov <nikita.h@live.de> Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Jochen <rothjochen@gmail.com> Reviewed-by: Nikita Hovratov <nikita.h@live.de> Reviewed-by: Oliver Bartsch <bo@cedev.de>
448ad365 · Ingo Fabbri · Oliver Bartsch · f75945cc · 448ad365 · 448ad365
Commit 448ad365 authored 3 years ago by Ingo Fabbri Committed by Oliver Bartsch 3 years ago
--- a/typo3/sysext/beuser/Classes/Service/UserInformationService.php
+++ b/typo3/sysext/beuser/Classes/Service/UserInformationService.php
@@ -57,12 +57,18 @@ class UserInformationService
        $user->enablecolumns = [
            'deleted' => true,
        ];
+
        // Setup dummy user to allow fetching all group data
        // @see \TYPO3\CMS\Core\Authentication\BackendUserAuthentication::fetchGroups
        $user->user = [
            'uid' => PHP_INT_MAX,
            'options' => 3,
-            'workspace_id' => -99,
+            // The below admin flag is required to prevent workspace access checks,
+            // triggered by workspaceInit() in fetchGroupData(). Those would fail
+            // due to insufficient permissions of the dummy user and therefore might
+            // result in generating superfluous log entries.
+            'admin' => 1,
+            'workspace_id' => 0,
            'realName' => 'fakeUser',
            'email' => 'fake.user@typo3.org',
            'TSconfig' => '',

--- a/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
+++ b/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
 <div class="table-fit">
-    <table class="table table-striped table-hover">
+    <table id="typo3-backend-user-group-list" class="table table-striped table-hover">
        <thead>
        <tr>
            <th class="col-icon"></th>

--- a/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php
+++ b/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php
@@ -70,4 +70,32 @@ class CompareUserCest
        $I->waitForElementVisible('#EditDocumentController');
        $I->canSee('Edit Backend user "' . $usernameFirstCompare . '" on root level');
    }
+
+    /**
+     * @param ApplicationTester $I
+     */
+    public function accessingBackendUserCompareViewWorks(ApplicationTester $I): void
+    {
+        $I->amGoingTo('Switch to user group listing');
+        $I->see('Backend User Listing', 'h1');
+        $I->selectOption('.t3-js-jumpMenuBox', 'Backend user groups');
+        $I->see('Backend User Group Listing', 'h1');
+
+        $I->amGoingTo('Add three groups to compare');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(1) > td.col-control > div:nth-child(3) > a');
+        $I->waitForElementVisible('table#typo3-backend-user-group-list');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(2) > td.col-control > div:nth-child(3) > a');
+        $I->waitForElementVisible('table#typo3-backend-user-group-list');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(3) > td.col-control > div:nth-child(3) > a');
+
+        $I->amGoingTo('Access the user group compare view');
+        $I->waitForElementVisible('table#typo3-backend-user-list-compare', 20);
+        $I->canSeeNumberOfElements('#typo3-backend-user-list-compare tbody tr', 3);
+        $I->click('Compare backend usergroups');
+
+        $I->amGoingTo('Check compare view is loaded with the correct number of groups');
+        $I->see('Compare backend usergroups', 'h1');
+        // We expect four header columns, since the first one is used for the row labels
+        $I->canSeeNumberOfElements('#tx_beuser_compare > thead > tr > th', 4);
+    }
 }