[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager 20/48220/4
author Morton Jonuschat <m.jonuschat@mojocode.de>
Fri, 20 May 2016 04:50:26 +0000 (06:50 +0200)
committer Morton Jonuschat <m.jonuschat@mojocode.de>
Fri, 27 May 2016 09:20:10 +0000 (11:20 +0200)
commit 5b4563b284df88f1eb04aeb54c95cf751bcb3416
tree 830b15981f63e108d7f0aeeb1d0e99d9e86b2f91
parent 918ef519e97e98d5d6886d4815ef6feecb2b39ea
[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager

Instead of passing the simple value "1" to QueryGenerator->getTreeList()
use a page permission clause created using $BE_USER->getPagePermsClause()
when determining the recursive storage pids. Passing the unprocessed value
"1" causes invalid SQL statements and does not perform any access checks.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php