[BUGFIX] Fix system maintainer access

Fix a check to not allow acces to admin users but system maintainers only. Change-Id: I2e5209bbaf7c3e3cee013d1fa08f48ff7e776956 Resolves: #82396 Related: #82306 Related: #82395 Releases: master Reviewed-on: https://review.typo3.org/53965 Tested-by: TYPO3com <[email protected]> Reviewed-by: Benni Mack <[email protected]> Tested-by: Benni Mack <[email protected]> Reviewed-by: Anja Leichsenring <[email protected]> Tested-by: Anja Leichsenring <[email protected]> Reviewed-by: Christian Kuhn <[email protected]> Tested-by: Christian Kuhn <[email protected]>
3l73 · Sep 9, 2017 · 3f32d00 · 3f32d00
1 parent aa416f0
commit 3f32d00
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/typo3/sysext/backend/Classes/Module/ModuleLoader.php b/typo3/sysext/backend/Classes/Module/ModuleLoader.php
@@ -262,7 +262,7 @@ public function checkModAccess($name, $MCONF)
         }
         $access = strtolower($MCONF['access']);
         // Check if this module is only allowed by system maintainers (= admins who are in the list of system maintainers)
-        if (strpos($access, BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
+        if (strpos($MCONF['access'], BackendUserAuthentication::ROLE_SYSTEMMAINTAINER) !== false) {
             return $this->BE_USER->isSystemMaintainer();
         }
         // Checking if admin-access is required

diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -428,9 +428,12 @@ public function modAccess($conf, $exitOnError)
             }
             return false;
         }
-        // Returns TRUE if conf[access] is set to system maintainers and the user is system maintainer
-        if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && $this->isSystemMaintainer()) {
-            return true;
+        // Returns false if conf[access] is set to system maintainers and the user is system maintainer
+        if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && !$this->isSystemMaintainer()) {
+            if ($exitOnError) {
+                throw new \RuntimeException('This module "' . $conf['name'] . '" is only available as system maintainer', 1504804727);
+            }
+            return false;
         }
         // Returns TRUE if conf[access] is not set at all or if the user is admin
         if (!$conf['access'] || $this->isAdmin()) {