[BUGFIX] "New page" wizard discloses existence of pages outside DB mount 29/27429/2
authorNicole Cordes <typo3@cordes.co>
Sat, 27 Jul 2013 21:13:06 +0000 (23:13 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Sun, 9 Feb 2014 19:15:25 +0000 (20:15 +0100)
commit101be259796e208058a146da752b7e61345338da
treedbac80728ff8859c9267f41dce5dde4173a21459
parent5f6d78398ce7491cae11973e428e1d9646a1cfe9
[BUGFIX] "New page" wizard discloses existence of pages outside DB mount

When creating a new page inside the top level of a DB mount which is
only a sub tree, the pages up and down from the DB mount root will be
displayed in the position selector if the logged-in user has read
permissions for these pages. This is unwanted information disclosure as
the permissions should not matter for pages which are outside the DB
mount.

Resolves: #18797
Releases: 6.2, 6.1, 6.0
Change-Id: I98008bc7f4308c9fb32dae645325e7cb1b44e413
Reviewed-on: https://review.typo3.org/27429
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php