Breaking: #92941 - “lockToIP” UserTsConfig option removed¶
See Issue #92941
The UserTsConfig setting
options.lockToIP which allowed Backend
users or usergroups to only be valid when the user was accessing
TYPO3 with a certain IP address / range list, is removed.
Due to the IPv4/IPv6 dilemma “Happy Eyeballs” this feature only has little use, and should be handled outside the Application instead, but certainly not work on a per user/group basis.
This option was only used when the global option
$GLOBALS['TYPO3_CONF_VARS']['BE']['enabledBeUserIPLock'] was enabled, and
could be disabled as system-wide setting where the UserTsConfig setting was
never evaluated anymore.
The global toggle was also removed, as it did not serve any other purposes.
Side note: From a TYPO3-internal request workflow this feature was never part of the authentication process, as this usually happened after a successful user login or session activation had happened, overruling any previous Authentication Services registered. This was due to some ancient architectural decisions 18 years ago when this feature was added.
When the UserTsConfig setting
options.lockToIP is set, it will not be
When set, the global configuration flag will be automatically removed when the Install Tool is accessed.
TYPO3 installations actively using this option in any UserTsConfig field or file for Backend users or Backend user groups.
If this functionality is still needed (mostly in Intranets), this needs to be implemented as a third-party authentication service to validate an authenticated user or group to be added to the current user / groups or via a custom PSR-15 middleware.