Bug #59963

Invalid moduleToken in returnUrl of the shortcutMenu

Added by Gernot Schulmeister about 1 year ago. Updated about 1 year ago.

Status: Resolved
Start date: 2014-06-28
Priority: Should have
Due date:
Assigned To: -
% Done: 100%
Category: Backend User Interface
Spent time: -
Target version: -
TYPO3 Version: 6.2
Is Regression: Yes
PHP Version:
Sprint Focus:
Complexity: easy

Description

At the moment the moduleToken of the returnUrl in the shortcutMenu is stored statically in the database in the field url of sys_be_shortcuts.

If the user sets a shortcut for a record (for example be_users) the moduleToken of the returnUrl for this shortcut becomes invalid after he has logged out or if he uses another browser.

The consequence: If he uses the shortcut link and then saves and closes or exits the record, the invalid module token exception is thrown; see also the attached screenshots.

So also the module token of the returnUrl has to be generated dynamically for each backend session and must not be taken statically from the database. A first working approach could be to do this in the getTokenUrl($url) function of

sysext\backend\Classes\Toolbar\ShortcutToolbarItem.php

where already the module token for the shortcut link is generated. The following code works for me at the moment:

protected function getTokenUrl($url) {
    $parsedUrl = parse_url($url);
    parse_str($parsedUrl['query'], $parameters);
    // Parse the returnUrl and replace its module token
    if (isset($parameters['returnUrl'])) {
        $parsedReturnUrl = parse_url($parameters['returnUrl']);
        parse_str($parsedReturnUrl['query'], $returnUrlParameters);
        if (strpos($parsedReturnUrl['path'], 'mod.php') !== FALSE && isset($returnUrlParameters['M'])) {
            $module = $returnUrlParameters['M'];
            unset($returnUrlParameters['M']);
            // Drop the token stored in the database; getModuleUrl() generates a new one
            unset($returnUrlParameters['moduleToken']);
            $returnUrl = BackendUtility::getModuleUrl($module, $returnUrlParameters);
            $parameters['returnUrl'] = $returnUrl;
            $url = $parsedUrl['path'] . '?' . http_build_query($parameters);
        }
    }
    // Generate the module token for the shortcut link itself
    if (strpos($parsedUrl['path'], 'mod.php') !== FALSE && isset($parameters['M'])) {
        $module = $parameters['M'];
        unset($parameters['M']);
        $url = str_replace('mod.php', '', $parsedUrl['path']) . BackendUtility::getModuleUrl($module, $parameters);
    }
    return $url;
}

ShortcutCloseAfterEdit.png (202.4 kB) Gernot Schulmeister, 2014-06-28 16:37

ShortcutInvalidToken.png (175 kB) Gernot Schulmeister, 2014-06-28 16:37
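
The failure described in this report, as a self-contained added example (not TYPO3 core code and not the reporter's patch): a shortcut URL stored in one session carries a nested returnUrl whose token no longer validates in the next session until it is re-issued. moduleToken(), moduleUrl(), tokenIsValid() and refreshTokens() are hypothetical helpers, the HMAC-per-session token is a simplified stand-in for the real token generation, and the stored URL and secrets are constructed sample values.

```php
<?php
// Added illustration; not TYPO3 core code. moduleToken() is a hypothetical
// stand-in: an HMAC of the module name keyed with a per-session secret.
function moduleToken($module, $sessionSecret) {
    return hash_hmac('sha1', 'moduleCall' . $module, $sessionSecret);
}

// Build a mod.php URL carrying a token that is valid for this session only.
function moduleUrl($module, array $params, $sessionSecret) {
    $params = ['M' => $module, 'moduleToken' => moduleToken($module, $sessionSecret)] + $params;
    return 'mod.php?' . http_build_query($params);
}

// True if the URL's moduleToken matches the given session.
function tokenIsValid($url, $sessionSecret) {
    parse_str((string)parse_url($url, PHP_URL_QUERY), $p);
    return isset($p['M'], $p['moduleToken'])
        && hash_equals(moduleToken($p['M'], $sessionSecret), $p['moduleToken']);
}

// Re-issue the token of a stored URL and, recursively, of its nested returnUrl.
function refreshTokens($url, $sessionSecret) {
    $path = (string)parse_url($url, PHP_URL_PATH);
    parse_str((string)parse_url($url, PHP_URL_QUERY), $p);
    if (isset($p['returnUrl'])) {
        $p['returnUrl'] = refreshTokens($p['returnUrl'], $sessionSecret);
    }
    if (strpos($path, 'mod.php') !== FALSE && isset($p['M'])) {
        $module = $p['M'];
        unset($p['M'], $p['moduleToken']);   // discard the stored, stale token
        return moduleUrl($module, $p, $sessionSecret);
    }
    return $p ? $path . '?' . http_build_query($p) : $url;
}

// Constructed sample: shortcut saved in session A, used again in session B.
$oldSession = 'secret-of-session-A';
$newSession = 'secret-of-session-B';
$stored = 'alt_doc.php?' . http_build_query([
    'edit' => ['be_users' => [1 => 'edit']],
    'returnUrl' => moduleUrl('web_list', ['id' => 0], $oldSession),
]);
parse_str(parse_url($stored, PHP_URL_QUERY), $q);
var_dump(tokenIsValid($q['returnUrl'], $newSession));   // stored token checked in session B
$fresh = refreshTokens($stored, $newSession);
parse_str(parse_url($fresh, PHP_URL_QUERY), $q);
var_dump(tokenIsValid($q['returnUrl'], $newSession));   // re-issued token checked in session B
```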


Related issues

related to Core - Task #56359: Fix module access regressions Resolved 2014-02-26

Associated revisions

Revision e82b6a7f
Added by Frans Saris about 1 year ago

[BUGFIX] Replace module token in be shortcut returnUrl

During the addition of the token check for mod.php the token
in the BE shortcut url was already replaced (#56359) but
not in the returnUrl parameter that can be present.

This patch makes sure that also the module token is replaced in
the returnUrl param.

Resolves: #59963
Releases: 6.3, 6.2
Change-Id: I12b9d6022240d0399825aade21b0879bfbc7eb6c
Reviewed-on: https://review.typo3.org/31386
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Marcin Sągol
Reviewed-by: Markus Klein
Tested-by: Markus Klein

Revision 777086e0
Added by Frans Saris about 1 year ago

[BUGFIX] Replace module token in be shortcut returnUrl

During the addition of the token check for mod.php the token
in the BE shortcut url was already replaced (#56359) but
not in the returnUrl parameter that can be present.

This patch makes sure that also the module token is replaced in
the returnUrl param.

Resolves: #59963
Releases: 6.3, 6.2
Change-Id: I12b9d6022240d0399825aade21b0879bfbc7eb6c
Reviewed-on: https://review.typo3.org/31396
Reviewed-by: Markus Klein
Tested-by: Markus Klein

History

#1 Updated by Markus Klein about 1 year ago

Gernot, can you please push that to Gerrit. Thanks.

#2 Updated by Frans Saris about 1 year ago

  • Is Regression changed from No to Yes

#3 Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/31386

#4 Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/31386

#5 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/31396

#6 Updated by Frans Saris about 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
