[BUGFIX] Properly apply system maintainer role to backend admins

The security fix TYPO3-CORE-SA-2022-005 introduced a synchronization
of backend user and admin tool sessions - without considering these
two documented aspects:

+ If no system maintainer is set up, then all administrators are
  assigned the system maintainer role.
+ In Development context, all administrators are system maintainers
  as well.

Resolves: #97768
Releases: main, 11.5, 10.4
Change-Id: I81dbfc5d07a41a4fa254e1fb50210c74f5e6f02c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74912


Tested-by: core-ci <typo3@b13.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

typo3/sysext/install/Classes/Service/SessionService.php

@@ -286,8 +286,12 @@ class SessionService implements SingletonInterface
         }
         $isAdmin = (($backendUserRecord['admin'] ?? 0) & 1) === 1;
         $systemMaintainers = array_map('intval', $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+        // in case no system maintainers are configured, all admin users are considered to be system maintainers
+        $isSystemMaintainer = empty($systemMaintainers) || in_array((int)$backendUserRecord['uid'], $systemMaintainers, true);
+        // in development context, all admin users are considered to be system maintainers
+        $hasDevelopmentContext = Environment::getContext()->isDevelopment();
         // stop here, in case the current admin tool session does not belong to a backend user having admin & maintainer privileges
-        if (!$isAdmin || !in_array((int)$backendUserRecord['uid'], $systemMaintainers, true)) {
+        if (!$isAdmin || !$hasDevelopmentContext && !$isSystemMaintainer) {
             return false;
         }