[FEATURE] Introduce ErrorHandler for 403 errors with redirect option

When TYPO3 is configured to create links to access protected pages
using `typolinkLinkAccessRestrictedPages = NONE` (which is default),
a 403 response is returned, if the current frontend request does not
fulfill configured access permissions.

This change introduces a new Site errorHandler, which can be used
to handle 403 responses for access restricted pages and which
redirects the user to a configured page and adds a configurable
GET parameter (`return_url` or `redirect_url`) containing the original
URL. The configurable GET parameter can be used by 3rd party extensions
to redirect the user back to the original URL after a successful
login.

The TYPO3 extensions ext:felogin and ext:oidc both support the
configurable redirect parameter introduced in the new Site
errorHandler feature.

Resolves: #101252
Releases: main
Signed-off-by: Torben Hansen <[email protected]>
Change-Id: I06d8e384c5519975efdc8803c98c0a92a56a7653
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81945
Tested-by: core-ci <[email protected]>
Reviewed-by: Garvin Hicking <[email protected]>
Tested-by: Garvin Hicking <[email protected]>
Reviewed-by: Georg Ringer <[email protected]>
Reviewed-by: Markus Klein <[email protected]>
Tested-by: Georg Ringer <[email protected]>

Author: derhansen

typo3/sysext/backend/Configuration/SiteConfiguration/site_errorhandling.php

@@ -12,6 +12,7 @@
             'Fluid' => 'mimetypes-text-html',
             'Page' => 'apps-pagetree-page-content-from-page',
             'PHP' => 'mimetypes-text-php',
+            'LoginRedirect' => 'content-elements-login',
         ],
     ],
     'columns' => [
@@ -50,6 +51,7 @@
                     ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorHandler.fluid', 'value' => 'Fluid'],
                     ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorHandler.page', 'value' => 'Page'],
                     ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorHandler.php', 'value' => 'PHP'],
+                    ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorHandler.loginRedirect', 'value' => 'LoginRedirect'],
                 ],
             ],
         ],
@@ -102,6 +104,26 @@
                 'placeholder' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.errorPhpClassFQCN.placeholder',
             ],
         ],
+        'loginRedirectTarget' => [
+            'label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.loginRedirectTarget',
+            'config' => [
+                'type' => 'link',
+                'required' => true,
+                'allowedTypes' => ['page'],
+            ],
+        ],
+        'loginRedirectParameter' => [
+            'label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.loginRedirectParameter',
+            'config' => [
+                'type' => 'select',
+                'renderType' => 'selectSingle',
+                'required' => true,
+                'items' => [
+                    ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.loginRedirectParameter.return_url', 'value' => 'return_url'],
+                    ['label' => 'LLL:EXT:backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf:site_errorhandling.loginRedirectParameter.redirect_url', 'value' => 'redirect_url'],
+                ],
+            ],
+        ],
     ],
     'types' => [
         '1' => [
@@ -118,6 +140,9 @@
         'PHP' => [
             'showitem' => '--palette--;;general, errorPhpClassFQCN',
         ],
+        'LoginRedirect' => [
+            'showitem' => '--palette--;;general, loginRedirectTarget, loginRedirectParameter',
+        ],
     ],
     'palettes' => [
         'general' => [

typo3/sysext/backend/Resources/Private/Language/locallang_siteconfiguration_tca.xlf

@@ -180,6 +180,9 @@
 			<trans-unit id="site_errorhandling.errorHandler.php" resname="site_errorhandling.errorHandler.php">
 				<source>PHP Class (must implement the PageErrorHandlerInterface)</source>
 			</trans-unit>
+			<trans-unit id="site_errorhandling.errorHandler.loginRedirect" resname="site_errorhandling.errorHandler.loginRedirect">
+				<source>Redirect to login page</source>
+			</trans-unit>
 			<trans-unit id="site_errorhandling.errorFluidTemplate" resname="site_errorhandling.errorFluidTemplate">
 				<source>Fluid Template File</source>
 			</trans-unit>
@@ -201,6 +204,18 @@
 			<trans-unit id="site_errorhandling.errorPhpClassFQCN" resname="site_errorhandling.errorPhpClassFQCN">
 				<source>ErrorHandler Class Target (FQCN)</source>
 			</trans-unit>
+			<trans-unit id="site_errorhandling.loginRedirectTarget" resname="site_errorhandling.loginRedirectTarget">
+				<source>Target page where login process is handled</source>
+			</trans-unit>
+			<trans-unit id="site_errorhandling.loginRedirectParameter" resname="site_errorhandling.loginRedirectParameter">
+				<source>URL parameter for redirect</source>
+			</trans-unit>
+			<trans-unit id="site_errorhandling.loginRedirectParameter.return_url" resname="site_errorhandling.loginRedirectParameter.return_url">
+				<source>return_url (used by e.g. ext:felogin)</source>
+			</trans-unit>
+			<trans-unit id="site_errorhandling.loginRedirectParameter.redirect_url" resname="site_errorhandling.loginRedirectParameter.redirect_url">
+				<source>redirect_url (used by e.g. ext:oidc or ext:felogin)</source>
+			</trans-unit>
 			<trans-unit id="site_errorhandling.errorPhpClassFQCN.placeholder" resname="site_errorhandling.errorPhpClassFQCN.placeholder">
 				<source>Vendor\ExtensionName\ErrorHandlers\GenericErrorhandler</source>
 			</trans-unit>

typo3/sysext/core/Classes/Error/PageErrorHandler/RedirectLoginErrorHandler.php

@@ -0,0 +1,140 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Error\PageErrorHandler;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Context\Context;
+use TYPO3\CMS\Core\Controller\ErrorPageController;
+use TYPO3\CMS\Core\Http\HtmlResponse;
+use TYPO3\CMS\Core\Http\RedirectResponse;
+use TYPO3\CMS\Core\LinkHandling\LinkService;
+use TYPO3\CMS\Core\Site\Entity\Site;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Frontend\Page\PageAccessFailureReasons;
+
+/**
+ * An error handler that redirects to a configured page, where the login process is handled. Passes a configurable
+ * url parameter (`return_url` or `redirect_url`) to the target page.
+ */
+class RedirectLoginErrorHandler implements PageErrorHandlerInterface
+{
+    protected int $loginRedirectPid = 0;
+    protected int $statusCode = 0;
+    protected string $loginRedirectParameter = '';
+    protected Context $context;
+    protected LinkService $linkService;
+
+    public function __construct(int $statusCode, array $configuration)
+    {
+        $this->statusCode = $statusCode;
+        $this->context = GeneralUtility::makeInstance(Context::class);
+        $this->linkService = GeneralUtility::makeInstance(LinkService::class);
+
+        $urlParams = $this->linkService->resolve($configuration['loginRedirectTarget'] ?? '');
+        $this->loginRedirectPid = (int)($urlParams['pageuid'] ?? 0);
+        $this->loginRedirectParameter = $configuration['loginRedirectParameter'] ?? 'return_url';
+    }
+
+    public function handlePageError(
+        ServerRequestInterface $request,
+        string $message,
+        array $reasons = []
+    ): ResponseInterface {
+        $this->checkHandlerConfiguration();
+
+        if ($this->shouldHandleRequest($reasons)) {
+            return $this->handleLoginRedirect($request);
+        }
+
+        // Show general error message with a 403 HTTP statuscode
+        return $this->getGenericAccessDeniedResponse($message);
+    }
+
+    private function getGenericAccessDeniedResponse(string $reason): ResponseInterface
+    {
+        $content = GeneralUtility::makeInstance(ErrorPageController::class)->errorAction(
+            'Page Not Found',
+            'The page did not exist or was inaccessible.' . ($reason ? ' Reason: ' . $reason : ''),
+            0,
+            $this->statusCode,
+        );
+        return new HtmlResponse($content, $this->statusCode);
+    }
+
+    private function handleLoginRedirect(ServerRequestInterface $request): ResponseInterface
+    {
+        if ($this->isLoggedIn()) {
+            return $this->getGenericAccessDeniedResponse(
+                'The requested page was not accessible with the provided credentials'
+            );
+        }
+
+        /** @var Site $site */
+        $site = $request->getAttribute('site');
+        $language = $request->getAttribute('language');
+
+        $loginUrl = $site->getRouter()->generateUri(
+            $this->loginRedirectPid,
+            [
+                '_language' => $language,
+                $this->loginRedirectParameter => (string)$request->getUri(),
+            ]
+        );
+
+        return new RedirectResponse($loginUrl);
+    }
+
+    private function shouldHandleRequest(array $reasons): bool
+    {
+        if (!isset($reasons['code'])) {
+            return false;
+        }
+
+        $accessDeniedReasons = [
+            PageAccessFailureReasons::ACCESS_DENIED_PAGE_NOT_RESOLVED,
+            PageAccessFailureReasons::ACCESS_DENIED_SUBSECTION_NOT_RESOLVED,
+        ];
+        $isAccessDenied = in_array($reasons['code'], $accessDeniedReasons, true);
+
+        return $isAccessDenied || $this->isSimulatedBackendGroup();
+    }
+
+    private function isLoggedIn(): bool
+    {
+        return $this->context->getPropertyFromAspect('frontend.user', 'isLoggedIn') || $this->isSimulatedBackendGroup();
+    }
+
+    protected function isSimulatedBackendGroup(): bool
+    {
+        // look for special "any group"
+        return $this->context->getPropertyFromAspect('backend.user', 'isLoggedIn')
+            && $this->context->getPropertyFromAspect('frontend.user', 'groupIds')[1] === -2;
+    }
+
+    private function checkHandlerConfiguration(): void
+    {
+        if ($this->loginRedirectPid === 0) {
+            throw new \RuntimeException('No loginRedirectTarget configured for LoginRedirect errorhandler', 1700813537);
+        }
+
+        if ($this->statusCode !== 403) {
+            throw new \RuntimeException('Invalid HTTP statuscode ' . $this->statusCode . ' for LoginRedirect errorhandler', 1700813545);
+        }
+    }
+}

typo3/sysext/core/Classes/Site/Entity/Site.php

@@ -26,6 +26,7 @@
 use TYPO3\CMS\Core\Error\PageErrorHandler\PageContentErrorHandler;
 use TYPO3\CMS\Core\Error\PageErrorHandler\PageErrorHandlerInterface;
 use TYPO3\CMS\Core\Error\PageErrorHandler\PageErrorHandlerNotConfiguredException;
+use TYPO3\CMS\Core\Error\PageErrorHandler\RedirectLoginErrorHandler;
 use TYPO3\CMS\Core\ExpressionLanguage\Resolver;
 use TYPO3\CMS\Core\Http\Uri;
 use TYPO3\CMS\Core\Localization\LanguageService;
@@ -43,6 +44,7 @@ class Site implements SiteInterface
     protected const ERRORHANDLER_TYPE_PAGE = 'Page';
     protected const ERRORHANDLER_TYPE_FLUID = 'Fluid';
     protected const ERRORHANDLER_TYPE_PHP = 'PHP';
+    protected const ERRORHANDLER_TYPE_LOGIN_REDIRECT = 'LoginRedirect';
 
     /**
      * @var string
@@ -305,6 +307,8 @@ public function getErrorHandler(int $statusCode): PageErrorHandlerInterface
                 return GeneralUtility::makeInstance(FluidPageErrorHandler::class, $statusCode, $errorHandlerConfiguration);
             case self::ERRORHANDLER_TYPE_PAGE:
                 return GeneralUtility::makeInstance(PageContentErrorHandler::class, $statusCode, $errorHandlerConfiguration);
+            case self::ERRORHANDLER_TYPE_LOGIN_REDIRECT:
+                return GeneralUtility::makeInstance(RedirectLoginErrorHandler::class, $statusCode, $errorHandlerConfiguration);
             case self::ERRORHANDLER_TYPE_PHP:
                 $handler = GeneralUtility::makeInstance($errorHandlerConfiguration['errorPhpClassFQCN'], $statusCode, $errorHandlerConfiguration);
                 // Check if the interface is implemented

typo3/sysext/core/Documentation/Changelog/13.3/Feature-101252-IntroduceErrorHandlerFor403ErrorsWithRedirectOption.rst

@@ -0,0 +1,60 @@
+.. include:: /Includes.rst.txt
+
+.. _feature-101252-1715447531:
+
+=============================================================================
+Feature: #101252 - Introduce ErrorHandler for 403 errors with redirect option
+=============================================================================
+
+See :issue:`101252`
+
+Description
+===========
+
+The new error handler :php:`RedirectLoginErrorHandler` has been added,
+which makes it possible to redirect the user to a configurable page.
+
+Requesting a login-protected URL would usually return a generic HTTP 403 error
+in case of a missing fulfilled access permissions and the configuration
+:php:`typolinkLinkAccessRestrictedPages = NONE` (default)
+is set.
+
+By enabling this new handler via the site settings, the 403 response
+can be handled and a custom redirect can be performed.
+
+The :php:`RedirectLoginErrorHandler` allows to define a
+:php:`loginRedirectTarget`, which must be configured to the page, where the
+login process is handled. Additionally, the :php:`loginRedirectParameter`
+must be set to the URL parameter that will be used to hand over the original
+URL to the target page.
+
+The redirect is ensures that the original URL is added to the configured GET
+parameter :php:`loginRedirectParameter`, so that the user can be redirected
+back to the original page after a successful login.
+
+The error handler allows :php:`return_url` or :php:`redirect_url` as values
+for :php:`loginRedirectParameter`. Those values are used in extensions like
+`EXT:felogin` or `EXT:oidc`.
+
+..  important::
+
+    Redirection to the originating URL via URI arguments requires that
+    extensions like `EXT:felogin` are configured to allow these redirect modes
+    (for example via
+    :typoscript:`plugin.tx_felogin_login.settings.redirectMode=getpost,loginError`)
+
+The new error handler works (with some minor exceptions) similar to the
+"Forbidden (HTTP Status 403)" handler in TYPO3 extension `EXT:sierrha`.
+It will still emit generic 403 HTTP error messages in certain scenarios,
+like when a user is already logged in, but the permissions are not
+satisfied.
+
+Impact
+======
+
+It is now possible to configure a login redirection process when a user has no
+access to a page and a 403 error is thrown, so that after login the
+originating URL is requested again. Previously, this required custom
+Middlewares or implementations of :php:`PageErrorHandlerInterface`.
+
+.. index:: Frontend, ext:core