[BUGFIX] "New page" wizard discloses existence of pages outside DB mount 32/22632/5
authorNicole Cordes <typo3@cordes.co>
Sat, 27 Jul 2013 21:13:06 +0000 (23:13 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Fri, 7 Feb 2014 21:52:16 +0000 (22:52 +0100)
commitc59d89f809898784aaedd507db61a4d380bc27a8
tree5bb90eb7f7912e58ad377b6fba3cf21bd6687807
parentc0445c6caf03d6b76ac3b81640396f08a183fe8a
[BUGFIX] "New page" wizard discloses existence of pages outside DB mount

When creating a new page inside the top level of a DB mount which is
only a sub tree, the pages up and down from the DB mount root will be
displayed in the position selector if the logged-in user has read
permissions for these pages. This is unwanted information disclosure as
the permissions should not matter for pages which are outside the DB
mount.

Resolves: #18797
Releases: 6.2, 6.1, 6.0
Change-Id: I98008bc7f4308c9fb32dae645325e7cb1b44e413
Reviewed-on: https://review.typo3.org/22632
Reviewed-by: Markus Klein
Reviewed-by: Xavier Perseguers
Reviewed-by: Wouter Wolters
Tested-by: Markus Klein
Reviewed-by: Marcin SÄ…gol
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php