Bug: Plugin validation ignores Admin Panel visibility context
Extension: femanager
Version: 8.3.1
TYPO3: 12.x
Description
When submitting the registration form, femanager validates whether the target action is allowed by checking if a matching plugin is present on the current page. The lookup is performed via QueryBuilder and does not consider Admin Panel preview visibility settings.
If the femanager plugin is hidden in the backend but visible in the frontend due to enabled Admin Panel options (e.g., "Show hidden records"), the validation fails and the form submission aborts with an exception.
Steps to reproduce
- Place a femanager plugin on a page and mark the content element as hidden.
- Activate the TYPO3 Admin Panel in the frontend.
- Enable preview options such as Show hidden records.
- Open the registration form and submit valid data.
- Femanager throws:
LogicException('PluginName is not allowed', 1683551467)
Affected Code
In2code\Femanager\Domain\Validator\AbstractValidator::checkAllowedPluginName()
In2code\Femanager\Domain\Repository\PluginRepository::isPluginWithViewOnGivenPage()
QueryBuilder currently enforces strict matches and ignores Admin Panel preview context:
$queryBuilder->expr()->eq('pid', ...)
$queryBuilder->expr()->eq('CType', ...)
Expected behavior
If a plugin is visible in the frontend due to the user's Admin Panel preview settings, the validation should recognize it as valid and not throw an exception.
Suggested approach
Adopt TYPO3 Context API when validating plugin visibility. Example aspects to consider:
$context = GeneralUtility::makeInstance(Context::class);
$isPreview = $context->getPropertyFromAspect('frontend.preview', 'isPreview');
$includeHiddenContent = $context->getPropertyFromAspect('visibility', 'includeHiddenContent');
If relevant preview flags are active, femanager should:
- temporarily disable enableFields restrictions, e.g.:
$queryBuilder->getRestrictions()->removeAll();
- or resolve visibility using PageRepository or TYPO3 internal rendering context instead of a raw DB lookup.
Impact
Users with Admin Panel enabled cannot complete frontend registration if the plugin is hidden but visible due to preview settings.
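
A narrower variant of the suggested approach, as an added example that is not femanager's code and not part of the original report: because this lookup gates which plugin action is allowed, it lifts only the hidden restriction and only when the visibility aspect requests hidden content, whereas `removeAll()` would also let deleted or time-expired content elements satisfy the check. The function name `isPluginVisibleOnPage` and its parameters are hypothetical; the `tt_content` table name is an assumption based on the `pid`/`CType` fields quoted above.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
use TYPO3\CMS\Core\Utility\GeneralUtility;

/**
 * Hypothetical helper: is a content element of the given CType present on the
 * page and visible under the current request's visibility context?
 */
function isPluginVisibleOnPage(int $pageUid, string $cType): bool
{
    // The visibility aspect reflects preview settings such as "Show hidden records".
    $context = GeneralUtility::makeInstance(Context::class);
    $includeHidden = (bool)$context->getPropertyFromAspect(
        'visibility',
        'includeHiddenContent',
        false
    );

    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tt_content');

    if ($includeHidden) {
        // Drop only the hidden check. The deleted, starttime and endtime
        // restrictions of the default container stay in force.
        $queryBuilder->getRestrictions()->removeByType(HiddenRestriction::class);
    }

    $count = $queryBuilder
        ->count('uid')
        ->from('tt_content')
        ->where(
            $queryBuilder->expr()->eq(
                'pid',
                $queryBuilder->createNamedParameter($pageUid, Connection::PARAM_INT)
            ),
            $queryBuilder->expr()->eq(
                'CType',
                $queryBuilder->createNamedParameter($cType)
            )
        )
        ->executeQuery()
        ->fetchOne();

    return (int)$count > 0;
}
```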