From cc8faadf9f0f551cf8d517f8f3c8481e97140229 Mon Sep 17 00:00:00 2001
From: Torben Hansen <derhansen@gmail.com>
Date: Sat, 1 Apr 2023 06:44:50 +0200
Subject: [PATCH] [TASK] Respect usePasswordPolicyForFrontendUsers in TCA
 type=password

The feature toggle `security.usePasswordPolicyForFrontendUsers`
introduced in #97390 was added to allow TYPO3 administrators to
still use the deprecated TypoScript validators in ext:felogin
for the password reset process. In order to have a consistent
setup, the feature toggle must also be respected for frontend
users in DataHandler and FormEngine, so it is possible to set
any password, if the feature is turned off.

With this patch, a password policy that may be configured for the frontend
context (fe_users table) is ignored if
`security.usePasswordPolicyForFrontendUsers` is set to `false`.

Resolves: #100300
Releases: main
Signed-off-by: Torben Hansen <derhansen@gmail.com>
Change-Id: I47f5284202b46d8e621adadb16fe6396afaea31c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/78346
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../backend/Classes/Form/Element/PasswordElement.php      | 8 ++++++++
 typo3/sysext/core/Classes/DataHandling/DataHandler.php    | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
index 360e7e850c47..512f8ea54f21 100644
--- a/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
+++ b/typo3/sysext/backend/Classes/Form/Element/PasswordElement.php
@@ -17,6 +17,7 @@ declare(strict_types=1);
 
 namespace TYPO3\CMS\Backend\Form\Element;
 
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Page\JavaScriptModuleInstruction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyAction;
 use TYPO3\CMS\Core\PasswordPolicy\PasswordPolicyValidator;
@@ -60,6 +61,13 @@ class PasswordElement extends AbstractFormElement
         );
 
         $passwordPolicy = $config['passwordPolicy'] ?? null;
+
+        // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+        $features = GeneralUtility::makeInstance(Features::class);
+        if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+            $passwordPolicy = null;
+        }
+
         if ($passwordPolicy) {
             // We always use PasswordPolicyAction::NEW_USER_PASSWORD here, since the password is not set by the user,
             // but either by an admin or an editor
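Review bot: The condition `$table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')` is copied verbatim into the DataHandler hunk of this patch, so the policy hints rendered here and the server-side check can drift apart if only one copy is changed later. Consider moving the decision into one place that both callers use, or at least cross-reference the two sites in the comment, e.g. `// Keep in sync with the same check in DataHandler (password field processing)`. The diffstat lists only the two class files, so no test appears to pin that both paths agree with the toggle on and off. `$table` is defined outside this hunk, and the method continues beyond it.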
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
index 50e29b074c0f..dfaa021aea67 100644
--- a/typo3/sysext/core/Classes/DataHandling/DataHandler.php
+++ b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -27,6 +27,7 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Cache\CacheManager;
 use TYPO3\CMS\Core\Cache\Frontend\FrontendInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidIdentifierException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowException;
 use TYPO3\CMS\Core\Configuration\FlexForm\Exception\InvalidParentRowLoopException;
@@ -1864,6 +1865,13 @@ class DataHandler implements LoggerAwareInterface
             // We got no salted password instance, incoming value must be a new plaintext password
             // Validate new password against password policy for field
             $passwordPolicy = $tcaFieldConf['passwordPolicy'] ?? '';
+
+            // Ignore password policy for frontend users, if "security.usePasswordPolicyForFrontendUsers" is disabled
+            $features = GeneralUtility::makeInstance(Features::class);
+            if ($table === 'fe_users' && !$features->isFeatureEnabled('security.usePasswordPolicyForFrontendUsers')) {
+                $passwordPolicy = '';
+            }
+
             $passwordPolicyValidator = GeneralUtility::makeInstance(
                 PasswordPolicyValidator::class,
                 PasswordPolicyAction::NEW_USER_PASSWORD,
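Review bot: Resetting `$passwordPolicy` to `''` at the server-side enforcement point means that, with the toggle off, a new plaintext fe_users password is presumably stored without any strength validation. The legacy TypoScript validators named in the commit message belong to the ext:felogin password reset flow and are not invoked here. The added comment should state that consequence so an administrator auditing the toggle sees it, e.g. `// Note: with the toggle off, no password policy is enforced for fe_users here; the legacy ext:felogin validators only cover password reset`. How PasswordPolicyValidator treats an empty policy name is not visible in this hunk, and the enclosing method starts and ends outside it.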
-- 
GitLab