From d80a9c472f88ecd611376511f62f5e67f2148a64 Mon Sep 17 00:00:00 2001 From: Oliver Hader <oliver@typo3.org> Date: Tue, 14 Jun 2022 13:38:43 +0200 Subject: [PATCH] [BUGFIX] Properly apply system maintainer role to backend admins The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization of backend user and admin tool sessions - without considering these two documented aspects: + If no system maintainer is set up, then all administrators are assigned the system maintainer role. + In Development context, all administrators are system maintainers as well. Resolves: #97768 Releases: main, 11.5, 10.4 Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74912 Tested-by: core-ci <typo3@b13.com> Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de> Reviewed-by: Susanne Moog <look@susi.dev> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 typo3/sysext/install/Classes/Service/SessionService.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/typo3/sysext/install/Classes/Service/SessionService.php b/typo3/sysext/install/Classes/Service/SessionService.php
index a85342c02099..dbe391967376 100644
--- a/typo3/sysext/install/Classes/Service/SessionService.php
+++ b/typo3/sysext/install/Classes/Service/SessionService.php
@@ -286,8 +286,12 @@ class SessionService implements SingletonInterface
 }
 $isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
 $systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+ // in case no system maintainers are configured, all admin users are considered to be system maintainers
+ $isSystemMaintainer = empty($systemMaintainers) || in_array((int)$backendUserRecord['uid'], $systemMaintainers, true);
+ // in development context, all admin users are considered to be system maintainers
+ $hasDevelopmentContext = Environment::getContext()->isDevelopment();
 // stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
- if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
+ if (!$isAdmin || !$hasDevelopmentContext && !$isSystemMaintainer) {
 return false;
 }
-- 
GitLab
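Review bot: The new guard `if (!$isAdmin || !$hasDevelopmentContext && !$isSystemMaintainer)` mixes `||` and `&&` without parentheses; PHP's precedence makes it evaluate as intended (`&&` binds tighter, so the admin check is never bypassed), but this line is the access decision for the admin tool, and the grouping should be explicit rather than implicit: `if (!$isAdmin || (!$hasDevelopmentContext && !$isSystemMaintainer)) {`. The comment above it still says "admin & maintainer privileges" and should mention the two exemptions the hunk introduces, e.g. `// stop here unless the session belongs to an admin who is a system maintainer (or all admins count as maintainers: none configured, or Development context)`. Since the fallback `empty($systemMaintainers)` grants the role to every admin, a one-line note that this intentionally mirrors the documented backend-user rule would help the next reader; if that rule is implemented in one place for backend user objects, extracting a shared helper would keep the two from drifting again. The enclosing method starts and ends outside the hunk, and the hunk's trailing context line appears to be lost in this rendering.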