diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index 75edc441b37d8beff04434b9ccc30147b452ab70..e669b178f1910912afd64bccd68b23ba3ec644fc 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -365,8 +365,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
 * The point is that this will add the security that a user can NEVER touch parts outside his mounted
 * pages in the page tree. This is otherwise possible if the raw page permissions allows for it.
 * So this security check just makes it easier to make safe user configurations.
- * If the user is admin OR if this feature is disabled
- * (fx. by setting TYPO3_CONF_VARS['BE']['lockBeUserToDBmounts']=0) then it returns "1" right away
+ * If the user is admin then it returns "1" right away
 * Otherwise the function will return the uid of the webmount which was first found in the rootline of the input page $id
 *
 * @param int|array $idOrRow Page ID or full page record to check
@@ -377,7 +376,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
 */
 public function isInWebMount($idOrRow, $readPerms = '', $exitOnError = 0)
 {
- if (!$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] || $this->isAdmin()) {
+ if ($this->isAdmin()) {
 return 1;
 }
 $checkRec = [];
diff --git a/typo3/sysext/core/Classes/Database/QueryGenerator.php b/typo3/sysext/core/Classes/Database/QueryGenerator.php
index ea4887cc799ea21285917971f94a97c94dfe53dd..202e27dfd89b4d8fa7683b52fdd1068d31e2c1c8 100644
--- a/typo3/sysext/core/Classes/Database/QueryGenerator.php
+++ b/typo3/sysext/core/Classes/Database/QueryGenerator.php
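Review bot: The docblock above `isInWebMount` (first hunk of this file) now reads only `If the user is admin then it returns "1" right away`, which no longer tells a reader that the web-mount restriction has become unconditional for every non-admin user; since the removed global was the only configuration-level bypass, that invariant is worth stating where integrators look. I would replace that line with `* If the user is admin it returns 1 right away; for any other user the web mount check is always applied and can no longer be disabled by configuration.` so the contract matches the simplified `if ($this->isAdmin())` guard in the second hunk. The body of isInWebMount continues past the end of that hunk, so the non-admin path and the actual return values are not visible here.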
@@ -925,7 +925,7 @@ class QueryGenerator
 $queryBuilder->select(...$selectFields)
 ->from($from_table)
 ->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
 $webMounts = $backendUserAuthentication->returnWebmounts();
 $perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';
@@ -1657,7 +1657,7 @@ class QueryGenerator
 $queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
 }
 
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
 $webMounts = $backendUserAuthentication->returnWebmounts();
 $perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';
diff --git a/typo3/sysext/core/Classes/Database/QueryView.php b/typo3/sysext/core/Classes/Database/QueryView.php
index b8c1d1d4ac4c41cd63e4b7a52043c07ec6eb329b..97f578d219fe06a01bc1799bd39b2076b1ec6349 100644
--- a/typo3/sysext/core/Classes/Database/QueryView.php
+++ b/typo3/sysext/core/Classes/Database/QueryView.php
@@ -1055,7 +1055,7 @@ class QueryView
 $queryBuilder->select(...$selectFields)
 ->from($from_table)
 ->orderBy('uid');
- if (!$this->backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$this->backendUserAuthentication->isAdmin()) {
 $webMounts = $this->backendUserAuthentication->returnWebmounts();
 $perms_clause = $this->backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';
diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index 794ba81d3b47c833ef5528499a355330fff31ed8..6d8ef133c7d1b36b2416aa88d2dcf36936d244fb 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
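Review bot: The block guarded by the new `if (!$backendUserAuthentication->isAdmin())` — fetching `returnWebmounts()`, `getPagePermsClause(Permission::PAGE_SHOW)` and starting `$webMountPageTree` — is written out identically in this hunk, in the `@@ -1657` hunk below, in `QueryView` at `@@ -1055`, and in the three hunks of `typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php`; now that the guard is reduced to a single condition, this is the moment to move that web-mount restriction into one shared method so an access check cannot drift between six copies. This is a point of style rather than a defect: each copy correctly ties the restriction to `isAdmin()` alone once the global switch is gone. The remainder of each block, including where `$webMountPageTree` is applied to the query, lies outside the hunks, so the copies can only be presumed identical as far as the visible lines go. The enclosing methods start and end outside the hunks.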
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -1149,7 +1149,6 @@ return [
 'lockIPv6' => 0,
 'sessionTimeout' => 28800, // a backend user logged in for 8 hours
 'IPmaskList' => '',
- 'lockBeUserToDBmounts' => true,
 'lockSSL' => false,
 'lockSSLPort' => 0,
 'enabledBeUserIPLock' => true,
diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
index c8b74b36f4d7c0092d310801c97e72cf59f87985..28b3eb7dfaf10b15ad07dce04a641d088319170e 100644
--- a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
+++ b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -291,9 +291,6 @@ BE:
 IPmaskList:
 type: list
 description: 'Lets you define a list of IP-numbers (with *-wildcards) that are the ONLY ones allowed access to ANY backend activity. On error an error header is sent and the script exits. Works like IP masking for users configurable through TSconfig. See syntax for that (or look up syntax for the function <code>\TYPO3\CMS\Core\Utility\GeneralUtility::cmpIP())</code>'
- lockBeUserToDBmounts:
- type: bool
- description: 'If set, the backend user is allowed to work only within his page-mount. It''s advisable to leave this on because it makes security easy to manage.'
 lockSSL:
 type: bool
 description: 'If set, the backend can only be operated from an SSL-encrypted connection (https). A redirect to the SSL version of a URL will happen when a user tries to access non-https admin-urls'
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst
new file mode 100644
index 0000000000000000000000000000000000000000..2a72386264790024831cd82b9376ff207163eda6
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/master/Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst
@@ -0,0 +1,48 @@
+.. include:: ../../Includes.txt
+
+===============================================================
+Breaking: #92940 - Global option "lockBeUserToDBmounts" removed
+===============================================================
+
+See :issue:`92940`
+
+Description
+===========
+
+The system-wide setting :php:`$GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']`
+which was active by default, was used to allow any non-administrator to access
+all pages in a TYPO3 installation without considering "Web Mounts" / "DB Mounts"
+regardless of their permissions.
+
+It was recommended to keep this setting turned on at any time due to several
+security reasons.
+
+This setting itself breaks TYPO3's internal permission concept and was never
+implemented in all relevant places of TYPO3.
+
+For this reason, the setting and all its usages are removed.
+
+
+Impact
+======
+
+Activating or deactivating this option has no effect anymore as TYPO3 Core API
+is working as this option was enabled at any time.
+
+
+Affected Installations
+======================
+
+TYPO3 installations that have this option disabled in their system-wide
+configuration in the `LocalConfiguration.php` file.
+
+
+Migration
+=========
+
+None, as this feature was removed for security purposes, re-adding this feature
+is not recommended.
+
+All usages in custom TYPO3 extensions can be removed.
+
+.. index:: Backend, LocalConfiguration, FullyScanned, ext:core
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
index 1756bd689723548108a245f7ae5c2b23d475d53f..d0e4e24abdbe796ac2ccff72ea173939a49218cc 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
+++ b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
@@ -51,7 +51,6 @@ class BackendUserAuthenticationTest extends FunctionalTestCase
 */
 protected function setUp(): void
 {
- $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts'] = 1;
 $GLOBALS['TYPO3_CONF_VARS']['BE']['cookieName'] = 'be_typo_user';
 $GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'] = '';
 $GLOBALS['TYPO3_CONF_VARS']['BE']['lockIP'] = 4;
diff --git a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
index e4efc135ddedad5dc9ca28b795c4f3a894337dc1..452598713194d76118e7d4fb330240b824c52827 100644
--- a/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
+++ b/typo3/sysext/install/Classes/Service/SilentConfigurationUpgradeService.php
@@ -159,6 +159,8 @@ class SilentConfigurationUpgradeService
 'FE/IPmaskMountGroups',
 // #87301
 'SYS/cookieSecure',
+ // #92940
+ 'BE/lockBeUserToDBmounts',
 ];
 
 public function __construct(ConfigurationManager $configurationManager)
diff --git a/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php b/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
index a1b334895189803907b839aa1aaf4d6089c636a3..e3f6b79cd552032f9ea8d5a38e3c423e6ce5f364 100644
--- a/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
+++ b/typo3/sysext/install/Configuration/ExtensionScanner/Php/ArrayDimensionMatcher.php
@@ -455,4 +455,9 @@ return [
 'Deprecation-92062-MigrateRecordListControllerHooksToAnPSR-14Event.rst',
 ],
 ],
+ '$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'lockBeUserToDBmounts\']' => [
+ 'restFiles' => [
+ 'Breaking-92940-GlobalOptionLockBeUserToDBmountsRemoved.rst',
+ ],
+ ],
 ];
diff --git a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
index 6e5e08507d8e362a03f4e834836116b00d5335b6..3d11cbe212118d5c875ce3d91403d5875cc625db 100644
--- a/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
+++ b/typo3/sysext/lowlevel/Classes/Database/QueryGenerator.php
@@ -1261,7 +1261,7 @@ class QueryGenerator
 $queryBuilder->select(...$selectFields)
 ->from($from_table)
 ->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
 $webMounts = $backendUserAuthentication->returnWebmounts();
 $perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';
@@ -2050,7 +2050,7 @@ class QueryGenerator
 $queryBuilder->select(...$selectFields)
 ->from($from_table)
 ->orderBy('uid');
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
 $webMounts = $backendUserAuthentication->returnWebmounts();
 $perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';
@@ -2694,7 +2694,7 @@ class QueryGenerator
 $queryBuilder->setMaxResults((int)$this->extFieldLists['queryLimit']);
 }
 
- if (!$backendUserAuthentication->isAdmin() && $GLOBALS['TYPO3_CONF_VARS']['BE']['lockBeUserToDBmounts']) {
+ if (!$backendUserAuthentication->isAdmin()) {
 $webMounts = $backendUserAuthentication->returnWebmounts();
 $perms_clause = $backendUserAuthentication->getPagePermsClause(Permission::PAGE_SHOW);
 $webMountPageTree = '';