[SECURITY] Disallow changing system maintainer details

This change disallows changing any details of system
maintainers in case the current user does not have
system maintainer privileges as well.

Resolves: #106129
Releases: main, 13.4, 12.4
Change-Id: I0a62809287bfddb582c2bf005c129bf07d16a63d
Security-Bulletin: TYPO3-CORE-SA-2025-016
Security-References: CVE-2025-47940
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/89470
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

Classes/DataHandling/DataHandler.php

@@ -1274,33 +1274,6 @@ public function checkValue($table, $field, $value, $id, $status, $realPid, $tscP
             }
         }
 
-        if ($table === 'be_users'
-            && ($field === 'admin' || $field === 'password')
-            && $status === 'update'
-        ) {
-            // Do not allow a non system maintainer admin to change admin flag and password of system maintainers
-            $systemMaintainers = array_map(intval(...), $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
-            // False if current user is not in system maintainer list or if switch to user mode is active
-            $isCurrentUserSystemMaintainer = $this->BE_USER->isSystemMaintainer();
-            $isTargetUserInSystemMaintainerList = in_array((int)$id, $systemMaintainers, true);
-            if ($field === 'admin') {
-                $isFieldChanged = (int)$currentRecord[$field] !== (int)$value;
-            } else {
-                $isFieldChanged = $currentRecord[$field] !== $value;
-            }
-            if (!$isCurrentUserSystemMaintainer && $isTargetUserInSystemMaintainerList && $isFieldChanged) {
-                $value = $currentRecord[$field];
-                $this->log(
-                    $table,
-                    (int)$id,
-                    SystemLogDatabaseAction::UPDATE,
-                    null,
-                    SystemLogErrorClassification::SECURITY_NOTICE,
-                    'Only system maintainers can change the admin flag and password of other system maintainers. The value has not been updated'
-                );
-            }
-        }
-
         // Getting config for the field
         $tcaFieldConf = $this->resolveFieldConfigurationAndRespectColumnsOverrides($table, $field);
 

Classes/Hooks/SystemMaintainerAllowanceCheck.php

@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Hooks;
+
+use TYPO3\CMS\Core\DataHandling\DataHandler;
+use TYPO3\CMS\Core\SysLog\Action\Database as SystemLogDatabaseAction;
+use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
+
+/**
+ * DataHandler hook to ensure that only system maintainers can change details of system maintainers.
+ *
+ * @internal This class is a hook implementation and is not part of the TYPO3 Core API.
+ */
+final class SystemMaintainerAllowanceCheck
+{
+    public function processDatamap_postProcessFieldArray(string $status, string $table, int|string $id, array &$fieldArray, DataHandler $dataHandler): void
+    {
+        if ($table !== 'be_users' || $status !== 'update' || empty($fieldArray)) {
+            return;
+        }
+        // Do not allow a non system maintainer admin to change details of system maintainers.
+        $systemMaintainers = array_map(intval(...), $GLOBALS['TYPO3_CONF_VARS']['SYS']['systemMaintainers'] ?? []);
+        // False if current user is not in system maintainer list or if switch to user mode is active
+        $isCurrentUserSystemMaintainer = $dataHandler->BE_USER->isSystemMaintainer();
+        $isTargetUserInSystemMaintainerList = in_array((int)$id, $systemMaintainers, true);
+        if (!$isCurrentUserSystemMaintainer && $isTargetUserInSystemMaintainerList) {
+            $fieldArray = [];
+            $dataHandler->log(
+                $table,
+                (int)$id,
+                SystemLogDatabaseAction::UPDATE,
+                null,
+                SystemLogErrorClassification::SECURITY_NOTICE,
+                'Only system maintainers can change details of other system maintainers. The values have not been updated.'
+            );
+        }
+    }
+}

Configuration/DefaultConfiguration.php

@@ -726,6 +726,11 @@
                             \TYPO3\CMS\Backend\Form\FormDataProvider\TcaRecordTitle::class,
                         ],
                     ],
+                    \TYPO3\CMS\Backend\Form\FormDataProvider\SystemMaintainerAsReadonly::class => [
+                        'depends' => [
+                            \TYPO3\CMS\Backend\Form\FormDataProvider\EvaluateDisplayConditions::class,
+                        ],
+                    ],
                 ],
                 'tcaSelectTreeAjaxFieldData' => [
                     \TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseEditRow::class => [],

Resources/Private/Language/locallang_core.xlf

@@ -1366,17 +1366,17 @@ Do you want to refresh it now?</source>
 				<source>"%s" is not a valid e-mail address.</source>
 			</trans-unit>
 			<trans-unit id="error.adminCanNotChangeSystemMaintainer">
-				<source>Only system maintainers can change the admin flag and password of other system maintainers. The value has not been updated.</source>
+				<source>Non system maintainers cannot change details of system maintainers. The values have not been updated.</source>
+			</trans-unit>
+			<trans-unit id="formEngine.beUser.information.adminCanNotChangeSystemMaintainer">
+				<source>This user is a system maintainer. Changing details of system maintainers is not allowed.</source>
 			</trans-unit>
 			<trans-unit id="formEngine.beUser.admin.information.userIsSystemMaintainer">
 				<source>This user is a system maintainer</source>
 			</trans-unit>
 			<trans-unit id="formEngine.beUser.admin.information.userWillBecomeSystemMaintainer">
 				<source>This user is in the list of allowed system maintainers and will gain system level access if enabling admin access.</source>
 			</trans-unit>
-			<trans-unit id="formEngine.beUser.admin.information.userAdminAndPasswordChangeNotAllowed">
-				<source>This user is a system maintainer. Changing the admin flag and changing password is denied.</source>
-			</trans-unit>
 			<trans-unit id="formEngine.pages.backendLayout.information.inheritFromParentPage">
 				<source>This page will most likely use backend layout "%s", inherited from a parent page.</source>
 			</trans-unit>

ext_localconf.php

@@ -8,6 +8,7 @@
 use TYPO3\CMS\Core\Hooks\CreateSiteConfiguration;
 use TYPO3\CMS\Core\Hooks\DestroySessionHook;
 use TYPO3\CMS\Core\Hooks\PagesTsConfigGuard;
+use TYPO3\CMS\Core\Hooks\SystemMaintainerAllowanceCheck;
 use TYPO3\CMS\Core\Hooks\UpdateFileIndexEntry;
 use TYPO3\CMS\Core\MetaTag\EdgeMetaTagManager;
 use TYPO3\CMS\Core\MetaTag\Html5MetaTagManager;
@@ -32,6 +33,7 @@
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS'][GeneralUtility::class]['moveUploadedFile'][] = SvgHookHandler::class . '->processMoveUploadedFile';
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = FileMetadataPermissionsAspect::class;
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = BackendUserPasswordCheck::class;
+$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = SystemMaintainerAllowanceCheck::class;
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = FileMetadataPermissionsAspect::class;
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['checkModifyAccessList'][] = FilePermissionAspect::class;
 $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = FilePermissionAspect::class;