[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager 12/48312/2
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 20 May 2016 04:50:26 +0000 (06:50 +0200)
committerMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 27 May 2016 09:21:30 +0000 (11:21 +0200)
commit81cd2a083e4ffd33b8fb0ac906cf361459acd6a1
tree74191d7b41522cc51752d611e0f1942e6fc4e453
parent8cd9228d43ff66311bd00dc08b3f6b279cf21319
[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager

Instead of passing the simple value "1" to QueryGenerator->getTreeList()
use a page permission clause created using $BE_USER->getPagePermsClause()
when determining the recursive storage pids. Passing the unprocessed value
"1" causes invalid SQL statements and does not perform any access checks.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit 5b4563b284df88f1eb04aeb54c95cf751bcb3416)
Reviewed-on: https://review.typo3.org/48312
typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php