[SECURITY] Refactor and fix FAL user permission handling 97/23597/2
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 4 Sep 2013 11:14:05 +0000 (13:14 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:14:12 +0000 (13:14 +0200)
commit a7e77220cb3bad1ae83bae415e3ee4d3eda3611b
tree d2e18ed229abf7b9f87eb0170d0663274496a4da
parent 3ebb905fdf5e0cd37c007989f21965dbe03b4267
[SECURITY] Refactor and fix FAL user permission handling

* User permissions are only applied to storage objects
  that are attached to a member variable of
  BackendUserAuthentication. This is error prone
  and leads to insufficient (no) checks if the code
  fetches a storage directly from the factory
  (like edit document controller does)
  Instead, apply the permissions by using a signal
  in StorageFactory directly after the storage object
  is built.

* Refactor the mount point handling, especially the
  user and group home directories, which was completely
  broken after the introduction of FAL. File mounts
  are now also applied to the storage on creation.

* Make fallback storage 0 read only and not browsable.

Fixes: #51327
Releases: 6.2, 6.1, 6.0
Change-Id: If1fa18486cf051a7f4489e36691d42786386df63
Security-Commit: 936dbaf5d16acd36b668dcf033eb343fc5e2f7bf
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23597
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/core/Classes/Resource/ResourceFactory.php
typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php [new file with mode: 0644]
typo3/sysext/core/ext_localconf.php [new file with mode: 0644]
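
The first point of the commit message, as a simplified PHP 8 model added here for illustration: it is not TYPO3 code or part of this commit, and the `Storage` and `StorageFactory` classes, their methods and the sample paths are hypothetical. It shows why restricting only the instance attached to the user object leaves directly fetched instances unchecked, and how a post-build listener in the factory closes that gap.

```php
<?php
// Simplified model; Storage and StorageFactory here are hypothetical classes, not TYPO3's API.
final class Storage
{
    /** @var string[]|null null means no permissions were ever applied */
    private ?array $mounts = null;
    public function restrictTo(array $mounts): void { $this->mounts = $mounts; }

    public function canRead(string $path): bool
    {
        if ($this->mounts === null) {
            return true; // unrestricted object: every path passes
        }
        foreach ($this->mounts as $mount) {
            if (str_starts_with($path, $mount)) {
                return true;
            }
        }
        return false;
    }
}

final class StorageFactory
{
    /** @var callable[] listeners invoked on each storage right after it is built */
    private array $afterBuild = [];
    public function onStorageBuilt(callable $listener): void { $this->afterBuild[] = $listener; }

    public function getStorage(int $uid): Storage
    {
        $storage = new Storage();
        foreach ($this->afterBuild as $listener) {
            $listener($storage);
        }
        return $storage;
    }
}

$mounts = ['/user_upload/editor/']; // constructed sample file mount
$factory = new StorageFactory();

// Before: only the instance held on the user object gets restricted.
$viaUser = $factory->getStorage(1);
$viaUser->restrictTo($mounts);
$direct = $factory->getStorage(1); // a caller that asks the factory itself
var_dump($viaUser->canRead('/secret/x.pdf'), $direct->canRead('/secret/x.pdf'));

// After: the factory restricts every storage it hands out.
$factory->onStorageBuilt(fn (Storage $s) => $s->restrictTo($mounts));
var_dump($factory->getStorage(1)->canRead('/secret/x.pdf'));
```

In the "before" half the two instances answer differently for the same path, because enforcement depends on which code path produced the object; once the listener is registered, every instance the factory returns carries the mounts.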