Important: #94951 - Restrict export functionality to allowed users

See forge#94951

Important

This change was introduced as part of the TYPO3 11.5.11 and 10.4.29 security release.

Description

The export functionality has the following security drawbacks:

  • Export for editors is not limited on field level

  • The Save to filename functionality saves to a shared folder, which other editors with different access rights may have access to.

Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins.

Impact

The export functionality is restricted to TYPO3 admin users and to users, who explicitly have access through the new user TSConfig setting options.impexp.enableExportForNonAdminUser.

Affected installations

Installations with EXT:impexp installed where non-admin users need to use the export functionality.

Migration

If non-admin users should be able to use the export tool, set the following user TSconfig:

EXT:my_sitepackage/Configuration/TSconfig/allusers.tsconfig
options.impexp.enableExportForNonAdminUser = 1