Important: #94951 - Restrict export functionality to allowed users
See forge#94951
Important
This change was introduced as part of the TYPO3 11.5.11 and 10.4.29 security release.
Description
The export functionality has the following security drawbacks:
- Export for editors is not limited on field level
- The Save to filename functionality saves to a shared folder, which other editors with different access rights may have access to.
Both issues are not easy to resolve and also the target audience for the Import/Export functionality are mainly TYPO3 admins.
Impact
The export functionality is restricted
to TYPO3 admin users and to users, who explicitly have
access through the new user TSConfig setting
options.
.
Affected installations
Installations with EXT:impexp installed where non-admin users need to use the export functionality.
Migration
If non-admin users should be able to use the export tool, set the following user TSconfig:
options.impexp.enableExportForNonAdminUser = 1
Copied!