
Commit 582006c

eliashaeusslerohader
authored and committed
[SECURITY] Inherit access to module-related AJAX routes from modules
Several AJAX routes are bound to specific backend modules. While backend modules have proper authorization checks in place, AJAX routes are open to any authenticated backend user. This patch introduces a new config option `inheritAccessFromModule` for AJAX routes which aims to close this gap. It allows limiting access to a specific AJAX route by inheriting access permissions from the given backend module. This is done for all AJAX routes which are used exclusively in specific backend modules. For example, the AJAX route for ext:recycler is now bound to the ext:recycler backend module, inheriting access permissions for this specific route from the given backend module permissions defined in the appropriate be_users / be_groups records. Resolves: #106983 Releases: main, 13.4, 12.4 Change-Id: I8ccaa28468945bc8c7e4fb7e7806ae208e4a46ab Security-Bulletin: TYPO3-CORE-SA-2025-021 Security-References: CVE-2025-59017 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90631 Tested-by: Oliver Hader <[email protected]> Reviewed-by: Oliver Hader <[email protected]>
1 parent b1ba3f1 commit 582006c


1 file changed

+12
-0
lines changed

1 file changed

+12
-0
lines changed

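--- a/Configuration/Backend/AjaxRoutes.php
+++ b/Configuration/Backend/AjaxRoutes.php
@@ -8,66 +8,78 @@
 'path' => '/dashboard/dashboards/get',
 'target' => DashboardAjaxController::class . '::getDashboards',
 'methods' => ['GET'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_dashboard_add' => [
 'path' => '/dashboard/dashboard/add',
 'target' => DashboardAjaxController::class . '::addDashboard',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_dashboard_edit' => [
 'path' => '/dashboard/dashboard/edit',
 'target' => DashboardAjaxController::class . '::editDashboard',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_dashboard_update' => [
 'path' => '/dashboard/dashboard/update',
 'target' => DashboardAjaxController::class . '::updateDashboard',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_dashboard_delete' => [
 'path' => '/dashboard/dashboard/delete',
 'target' => DashboardAjaxController::class . '::deleteDashboard',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 
 // Presets
 'dashboard_presets_get' => [
 'path' => '/dashboard/presets/get',
 'target' => DashboardAjaxController::class . '::getPresets',
 'methods' => ['GET'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 
 // Categories
 'dashboard_categories_get' => [
 'path' => '/dashboard/categories/get',
 'target' => DashboardAjaxController::class . '::getCategories',
 'methods' => ['GET'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 
 // Widgets
 'dashboard_widget_get' => [
 'path' => '/dashboard/widget/get',
 'target' => DashboardAjaxController::class . '::getWidget',
 'methods' => ['GET'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_widget_add' => [
 'path' => '/dashboard/widget/add',
 'target' => DashboardAjaxController::class . '::addWidget',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_widget_remove' => [
 'path' => '/dashboard/widget/remove',
 'target' => DashboardAjaxController::class . '::removeWidget',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_widget_settings_get' => [
 'path' => '/dashboard/widget/settings/get',
 'target' => DashboardAjaxController::class . '::getWidgetSettings',
 'methods' => ['GET'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 'dashboard_widget_settings_update' => [
 'path' => '/dashboard/widget/settings/update',
 'target' => DashboardAjaxController::class . '::updateWidgetSettings',
 'methods' => ['POST'],
+'inheritAccessFromModule' => 'dashboard',
 ],
 ];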
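Review bot: The module identifier `'dashboard'` is repeated as a bare string literal on all twelve added lines, so a typo in any one entry is not caught at parse time and, depending on how the route dispatcher treats an unknown module identifier, would either deny that route or leave it open to any authenticated backend user — the very gap this commit closes. Hoisting it once above the array, `$moduleIdentifier = 'dashboard';`, and writing `'inheritAccessFromModule' => $moduleIdentifier,` per route keeps the entries consistent, and a small test asserting that every route in this file declares the key would catch a forgotten entry when new routes are added later. This commit touches only the configuration file, so the enforcement of `inheritAccessFromModule` must live in the AJAX route handling elsewhere in the core; it is worth confirming that the target release actually evaluates the key, since on a version that ignores unknown route options these entries would be silently inert. The `return [` opening the array starts before the hunk.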
