Breaking: #91782 - lockToDomain feature for frontend users / groups and backend users / groups removed

See forge#91782

Description

TYPO3 Core shipped with a feature called "lockToDomain" for frontend and backend users which made the user login only valid if the exact given HTTP_HOST matches the filled domain.

A similar functionality with the same name for groups existed, which only added the group to a specific user during a session, if the user was accessing a TYPO3 site under a specific domain.

Both features have been removed.

Impact

Frontend users or backend users that have this option set previously, will now be able to login independent of the defined HTTP_HOST header sent with the login page.

Regardless of any setting of the "lockToDomain" setting of a specific group, all groups added to a user are now applied during login of a user, both for frontend and backend.

Affected Installations

TYPO3 Installations using this feature in their database records are affected. Following SQL SELECT statements help to identify records with a value for the features, which indicates those users and groups will now be able to log in without the domain restriction.

Frontend Users:

SELECT uid, pid, username FROM fe_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Backend Users:

SELECT uid, pid, username FROM be_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Frontend Groups:

SELECT uid, pid, username FROM fe_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Backend Groups:

SELECT uid, pid, username FROM be_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Migration

Any installations needing this feature should build this in custom extensions extending TCA and a custom Authentication Service.

In addition, if such a feature is needed for frontend users or groups, it is recommended to use the storagePid option to limit frontend user login by Storage Folders.