 

TYPO3 Extbase: CSRF-FormProtection fails for non-admin user in frontend

Tags: php, typo3, extbase

I have implemented a CSRF protection for my custom TYPO3 extension (according to the documentation) and it's working nicely for non-authenticated frontend visitors and also for backend admins in the frontend. A strange thing I noticed is that an error is thrown if a non-admin backend user tries to use a form in a frontend plugin:

PHP Catchable Fatal Error: Argument 1 passed to TYPO3\CMS\Core\FormProtection\FormProtectionFactory::getMessageClosure() must be an instance of TYPO3\CMS\Lang\LanguageService, null given

I tested using TYPO3 V. 7.6.10 and 7.6.14. The error occurs in both versions.

I took a look at the source code in the FormProtectionFactory and it seems that $GLOBALS['LANG'] is initialized for admin users in the FE, but empty for normal backend users. In the BE, both user groups can access other CSRF-protected forms.

According to the official reference of the LanguageService, the LanguageService is usually only available in BE:

This class is normally instantiated as the global variable $GLOBALS['LANG']. It's only available in the backend and under certain circumstances in the frontend.

Does anyone know what these certain circumstances are? It is of course possible to log off from the BE and visit the forms as an unauthenticated user, but this is obviously very annoying. I think that this is expected behaviour, but I don't understand why the issue only occurs for non-admins. Maybe someone has an idea how to make the form available for non-admin backend users in the FE, too?

Any help is highly appreciated.

Thanks!

For the sake of completeness, here is my invocation of the CSRF token generator, but I think that the 'issue' is in TYPO3 itself (or is expected behaviour):

use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
// token bound to this extension, the current controller action and $additionalObject
$this->view->assign("csrfToken", FormProtectionFactory::get()->generateToken($this->extensionName,
        $this->controllerContext->getRequest()->getControllerActionName(), $additionalObject));
Valentin B. asked Oct 29 '22 14:10



1 Answer

The TYPO3 devs think that CSRF only applies to users-that-are-logged-in, which is not the case here, and thus CSRF functionality cannot be used at all in the frontend for anonymous users.

See https://forge.typo3.org/issues/77403

cweiske answered Nov 15 '22 06:11

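Since the answer above says the core FormProtection API cannot be relied on for anonymous frontend visitors, here is an added example (not code from the question, the answer, or TYPO3 core) of a frontend CSRF token that depends only on a secret kept in the visitor's own session. It therefore behaves the same for anonymous visitors and for backend users browsing the frontend, and never touches $GLOBALS['LANG'] or $GLOBALS['BE_USER']. The class, method and array-key names (FrontendCsrfToken, csrf_secret) are hypothetical; the $session array is a constructed stand-in for $_SESSION or the frontend user's session data, and random_bytes() assumes PHP 7 or newer.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not TYPO3 core): HMAC-based CSRF
 * tokens bound to a per-session secret plus the form name, the action and
 * an optional form instance, mirroring the argument shape of
 * generateToken($formName, $action, $formInstanceName) from the question.
 */
final class FrontendCsrfToken
{
    private const SECRET_LENGTH = 32;

    /** @var string raw random bytes, stored server-side only */
    private $sessionSecret;

    public function __construct(string $sessionSecret)
    {
        if (strlen($sessionSecret) < self::SECRET_LENGTH) {
            throw new \InvalidArgumentException('session secret too short');
        }
        $this->sessionSecret = $sessionSecret;
    }

    /** Load the secret from the session, creating it on first use. */
    public static function fromSession(array &$session): self
    {
        if (!isset($session['csrf_secret']) || !is_string($session['csrf_secret'])) {
            $session['csrf_secret'] = random_bytes(self::SECRET_LENGTH);
        }
        return new self($session['csrf_secret']);
    }

    /** Token to render into the form as a hidden field. */
    public function generateToken(string $formName, string $action = '', string $formInstanceName = ''): string
    {
        return hash_hmac('sha256', $this->message($formName, $action, $formInstanceName), $this->sessionSecret);
    }

    /** Constant-time check on submit; never compare tokens with == or ===. */
    public function validateToken(string $token, string $formName, string $action = '', string $formInstanceName = ''): bool
    {
        $expected = $this->generateToken($formName, $action, $formInstanceName);
        return hash_equals($expected, $token);
    }

    /** Length-prefix each field so ("ab","c") and ("a","bc") cannot collide. */
    private function message(string $formName, string $action, string $formInstanceName): string
    {
        return implode('', array_map(static function (string $part): string {
            return pack('N', strlen($part)) . $part;
        }, [$formName, $action, $formInstanceName]));
    }
}

// --- constructed demo, runs from the CLI without TYPO3 ---
$session = [];                                   // stand-in for $_SESSION
$csrf = FrontendCsrfToken::fromSession($session);

// Controller, render step: assign to the view as the hidden "csrfToken" field.
$token = $csrf->generateToken('tx_myext', 'submit', 'contactForm');

// Controller, POST step: re-derive from the same session and compare.
$again = FrontendCsrfToken::fromSession($session);
var_dump($again->validateToken($token, 'tx_myext', 'submit', 'contactForm'));   // same form/action
var_dump($again->validateToken($token, 'tx_myext', 'delete', 'contactForm'));   // action mismatch

// A different session (another visitor, or after logout) holds a different secret.
$otherSession = [];
var_dump(FrontendCsrfToken::fromSession($otherSession)->validateToken($token, 'tx_myext', 'submit', 'contactForm'));
```

Send the token only in the POST body or a request header, never in a GET URL, and regenerate the session secret when a visitor logs in so a pre-login token cannot be fixated onto the authenticated session. Unlike the core implementation this scheme has no token expiry, so it relies on the session lifetime for that.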