[BUGFIX] Respect allowed_languages for restricted backend users 27/44627/6
authorAndreas Fernandez <a.fernandez@scripting-base.de>
Mon, 9 Nov 2015 09:52:13 +0000 (10:52 +0100)
committerHelmut Hummel <helmut.hummel@typo3.org>
Mon, 9 Nov 2015 16:39:28 +0000 (17:39 +0100)
Fix the broken SQL query and remove disallowed system languages for
restricted backend users.

Resolves: #71433
Releases: master
Change-Id: Icff5b13dfd9f17fd6b570ce8bd370e15522f7bac
Reviewed-on: https://review.typo3.org/44627
Reviewed-by: Andreas Allacher <andreas.allacher@gmx.at>
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Andreas Allacher <andreas.allacher@gmx.at>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/backend/Classes/Controller/Page/LocalizationController.php

index 7a11155..8d9592e 100644 (file)
@@ -60,15 +60,16 @@ class LocalizationController
         $colPos = (int)$params['colPos'];
         $languageId = (int)$params['languageId'];
         $databaseConnection = $this->getDatabaseConnection();
+        $backendUser = $this->getBackendUser();
 
         /** @var TranslationConfigurationProvider $translationProvider */
         $translationProvider = GeneralUtility::makeInstance(TranslationConfigurationProvider::class);
         $systemLanguages = $translationProvider->getSystemLanguages($pageId);
+
         $availableLanguages = [];
         $availableLanguages[0] = $systemLanguages[0];
 
         $excludeQueryPart = BackendUtility::deleteClause('tt_content')
-            . ($this->getBackendUser()->isAdmin() ? '' : ' AND sys_language.hidden=0')
             . BackendUtility::versioningPlaceholderClause('tt_content');
 
         // First check whether column is empty and then load additional languages
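Review bot: The context line `$availableLanguages[0] = $systemLanguages[0];` still seeds the default language unconditionally, so the allowed_languages restriction this commit adds never applies to language 0. If the default language is meant to fall under the same restriction, guard the assignment, e.g. `if ($backendUser->checkLanguageAccess(0)) { $availableLanguages[0] = $systemLanguages[0]; }`. Whether a later part of the method filters the list again cannot be seen here, because the enclosing method starts and ends outside this hunk.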
@@ -80,6 +81,14 @@ class LocalizationController
                 . ' AND tt_content.pid=' . $pageId
                 . $excludeQueryPart
         );
+        $additionalWhere = '';
+        if (!$backendUser->isAdmin()) {
+            $additionalWhere .= ' AND sys_language.hidden=0';
+
+            if (!empty($backendUser->user['allowed_languages'])) {
+                $additionalWhere .= ' AND sys_language.uid IN(' . $databaseConnection->cleanIntList($backendUser->user['allowed_languages']) . ')';
+            }
+        }
         if ($elementsInColumnCount === 0) {
             $res = $databaseConnection->exec_SELECTquery(
                 'sys_language.uid',
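Review bot: The guard `!empty($backendUser->user['allowed_languages'])` treats the value `'0'` as empty, so a non-admin user restricted to the default language alone gets no `IN(...)` filter and is offered every non-hidden language. Compare against the empty string instead: `if (trim((string)$backendUser->user['allowed_languages']) !== '') {`. The `cleanIntList()` call is what keeps the concatenated list safe for the query and should stay. A short comment such as `// cleanIntList() reduces the list to integers before it is concatenated into SQL` would record that for the next reader. The `exec_SELECTquery()` call that begins at the end of this hunk continues in the next one.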
@@ -88,11 +97,13 @@ class LocalizationController
                     . ' AND tt_content.colPos = ' . $colPos
                     . ' AND tt_content.pid=' . $pageId
                     . ' AND sys_language.uid <> ' . $languageId
+                    . $additionalWhere
                     . $excludeQueryPart,
                 'tt_content.sys_language_uid',
                 'sys_language.title'
             );
             while ($row = $databaseConnection->sql_fetch_assoc($res)) {
+                $row['uid'] = (int)$row['uid'];
                 if (isset($systemLanguages[$row['uid']])) {
                     $availableLanguages[] = $systemLanguages[$row['uid']];
                 }
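Review bot: The loop relies on the SQL filter alone, and that filter is built from `$backendUser->user['allowed_languages']`, which is the user record's own field. As far as I know, limits inherited from backend groups are merged into `groupData['allowed_languages']` and would not be applied here. Checking each row through the user object would close that gap without touching the query: `if (isset($systemLanguages[$row['uid']]) && $backendUser->checkLanguageAccess($row['uid'])) {`. The `while` body and the enclosing `if` end outside this hunk.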