Breaking: #91782 - lockToDomain feature for frontend users / groups and backend users / groups removed

See Issue #91782

Description

TYPO3 Core shipped with a feature called “lockToDomain” for Frontend users and backend users which made the user login only valid if the exact given HTTP_HOST matches the filled domain.

A similar functionality, but with the same name for groups existed, which only added the group to a specific user during a session, if the user was accessing a TYPO3 site under a specific domain.

Both features have been removed.

Impact

Frontend users or backend users that have this option set previously, will now be able to login independent of the defined HTTP_HOST header sent with the login page.

Regardless of any setting of the “lockToDomain” setting of a specific group, all groups added to a user are now applied during login of a user, both for frontend and backend.

Affected Installations

TYPO3 Installations using this feature in their database records. When in doubt, this can be identified by running SQL SELECT statements to identify users actively using this feature.

Frontend Users:

SELECT uid, pid, username FROM fe_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Backend Users:

SELECT uid, pid, username FROM be_users WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;"

Frontend Groups:

SELECT uid, pid, username FROM fe_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Backend Groups:

SELECT uid, pid, username FROM be_groups WHERE lockToDomain != '' AND lockToDomain IS NOT NULL;

Migration

Any installations needing this feature should build this in custom extensions extending TCA and a custom Authentication Service.

In addition, if such a feature is needed for frontend users or groups, it is recommended to use the storagePid option to limit frontend user login by Storage Folders.