[BUGFIX] AbstractTreeView correct permission handling with non pages 34/37034/7
authorAndreas Allacher <andreas.allacher@gmx.at>
Fri, 20 Feb 2015 08:07:51 +0000 (09:07 +0100)
committerAndreas Fernandez <andreas.fernandez@aspedia.de>
Tue, 21 Apr 2015 13:21:29 +0000 (15:21 +0200)
AbstractTreeView now checks correctly, if a user has permission
to access elements even if they are not pages.

Without this change it was always assumed that the "uid" of the record
is the page uid. However, that is only valid for pages.

Change-Id: I4dd4970fb529ac6ab6f3c79d993456feed225fea
Resolves: #63047
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/37034
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
Reviewed-by: Andreas Fernandez <andreas.fernandez@aspedia.de>
Tested-by: Andreas Fernandez <andreas.fernandez@aspedia.de>
typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php

index f6191af..e3b2752 100644 (file)
@@ -145,7 +145,7 @@ abstract class AbstractTreeView {
         * @see addField()
         * @var array
         */
-       public $fieldArray = array('uid', 'title');
+       public $fieldArray = array('uid', 'pid', 'title');
 
        /**
         * List of other fields which are ALLOWED to set (here, based on the "pages" table!)
@@ -747,7 +747,8 @@ abstract class AbstractTreeView {
                $idH = array();
                // Traverse the records:
                while ($crazyRecursionLimiter > 0 && ($row = $this->getDataNext($res, $subCSSclass))) {
-                       if (!$GLOBALS['BE_USER']->isInWebMount($row['uid'])) {
+                       $pageUid = ($this->table === 'pages') ? $row['uid'] : $row['pid'];
+                       if (!$GLOBALS['BE_USER']->isInWebMount($pageUid)) {
                                // Current record is not within web mount => skip it
                                continue;
                        }