[SECURITY] Refactor and fix FAL user permission handling 03/23603/2
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 4 Sep 2013 11:23:22 +0000 (13:23 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:23:26 +0000 (13:23 +0200)
commit dbc76c7c4e9aa2b43941ae36cbe8d591a8064485
tree 8564eed8b5e747387ebc9d21633cd9d5895184ae
parent ae6e108fc168a229870fcff6af06583ae5da428d
[SECURITY] Refactor and fix FAL user permission handling

* User permissions are only applied to storage objects
  that are attached to a member variable of
  BackendUserAuthentication. This is error-prone
  and leads to insufficient (no) checks if the code
  fetches a storage directly from the factory
  (like edit document controller does).
  Instead, apply the permissions by using a signal
  in StorageFactory directly after the storage object
  is built.

* Refactor the mount point handling, especially the
  user and group home directories, which was completely
  broken after the introduction of FAL. File mounts
  are now also applied to the storage on creation.

* Make fallback storage 0 read only and not browsable.

Change-Id: I5987cc760581f8dabd12b6f0162645eaa687edea
Fixes: #51327
Releases: 6.2, 6.1, 6.0
Security-Commit: 5460c76e1373698bde82883ab4087607fee5e6f5
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23603
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
typo3/sysext/core/Classes/Resource/ResourceFactory.php
typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php [new file with mode: 0644]
typo3/sysext/core/ext_localconf.php [new file with mode: 0644]
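
The pattern in the first and third bullets of the commit message, as an added PHP example that is not taken from the TYPO3 code base: restrictions applied only to the copy a user object holds, next to restrictions applied by a listener that runs on every build. `Storage`, `StorageFactory`, `onStorageBuilt` and the sample mount path are hypothetical stand-ins, and paths are assumed to be canonical.

```php
<?php
// Hypothetical stand-ins for illustration; these are not TYPO3's classes.
final class Storage
{
    public int $uid;
    private ?array $mounts = null;  // null: no user restriction was ever applied
    private bool $writable = true;
    public function __construct(int $uid) { $this->uid = $uid; }

    public function restrict(array $mounts, bool $writable): void
    {
        $this->mounts = $mounts;
        $this->writable = $writable;
    }

    // Assumption: $path is already canonical (no "..", no duplicate slashes).
    public function canWrite(string $path): bool
    {
        if (!$this->writable) { return false; }
        if ($this->mounts === null) { return true; }  // the unchecked state
        foreach ($this->mounts as $mount) {
            if (strpos($path, $mount) === 0) { return true; }
        }
        return false;
    }
}

final class StorageFactory
{
    private array $afterBuild = [];  // listeners, standing in for the signal
    public function onStorageBuilt(callable $listener): void { $this->afterBuild[] = $listener; }

    public function getStorage(int $uid): Storage
    {
        $storage = new Storage($uid);
        foreach ($this->afterBuild as $listener) { $listener($storage); }
        return $storage;             // restricted no matter who asked for it
    }
}

$mounts = ['/user_upload/editor/'];  // constructed sample file mount
$factory = new StorageFactory();
$viaUser = $factory->getStorage(1);
$viaUser->restrict($mounts, true);   // before: only the user object's copy is restricted
$direct = $factory->getStorage(1);   // before: fetched directly, nothing restricts it
var_dump($viaUser->canWrite('/other/x.txt'), $direct->canWrite('/other/x.txt'));

// After: the restriction runs on every build; storage 0 is made read-only.
$factory->onStorageBuilt(function (Storage $s) use ($mounts): void {
    if ($s->uid === 0) { $s->restrict([], false); } else { $s->restrict($mounts, true); }
});
var_dump($factory->getStorage(1)->canWrite('/other/x.txt'), $factory->getStorage(0)->canWrite('/user_upload/editor/a.txt'));
```

The first `var_dump` compares the two access paths before the change; the second repeats the direct fetch once the listener is registered.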