[BUGFIX] BE checkFullLanguagesAccess check all translated records 65/58765/2
authorBenni Mack <benni@typo3.org>
Sun, 28 Oct 2018 14:12:11 +0000 (15:12 +0100)
committerBenni Mack <benni@typo3.org>
Sun, 28 Oct 2018 14:56:52 +0000 (15:56 +0100)
All translated records are now checked for language access in the
checkFullLanguagesAccess method of BackendUserAuthentication.

Resolves: #86778
Releases: master, 8.7
Change-Id: I9c0101507c741471a8537a92329a9a66b78fa559
Reviewed-on: https://review.typo3.org/58765
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index 4712de8..73cffc7 100644 (file)
@@ -685,8 +685,10 @@ class BackendUserAuthentication extends AbstractUserAuthentication
      */
     public function checkFullLanguagesAccess($table, $record)
     {
-        $recordLocalizationAccess = $this->checkLanguageAccess(0);
-        if ($recordLocalizationAccess && (BackendUtility::isTableLocalizable($table) || $table === 'pages')) {
+        if (!$this->checkLanguageAccess(0)) {
+            return false;
+        }
+        if (BackendUtility::isTableLocalizable($table) || $table === 'pages') {
             if ($table === 'pages') {
                 $l10nTable = 'pages_language_overlay';
                 $pointerField = $GLOBALS['TCA'][$l10nTable]['ctrl']['transOrigPointerField'];
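Review bot: The new early return at `if (!$this->checkLanguageAccess(0))` has no comment saying that access to the default language is a precondition for every other outcome of this permission check. I would add `// Fail closed: without access to the default language (0) no record of this table may be edited.` above it. The method now has three exit points, so the `@return` text should say that `true` means the user may access the default language and every existing translation of the record. Only the closing `*/` of the docblock is inside the hunk, so whether it already says this cannot be checked from here, and the method body continues past the hunk.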
@@ -703,7 +705,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
                 ->add(GeneralUtility::makeInstance(DeletedRestriction::class))
                 ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
 
-            $recordLocalization = $queryBuilder->select('*')
+            $recordLocalizations = $queryBuilder->select('*')
                 ->from($l10nTable)
                 ->where(
                     $queryBuilder->expr()->eq(
@@ -711,18 +713,16 @@ class BackendUserAuthentication extends AbstractUserAuthentication
                         $queryBuilder->createNamedParameter($pointerValue, \PDO::PARAM_INT)
                     )
                 )
-                ->setMaxResults(1)
                 ->execute()
-                ->fetch();
+                ->fetchAll();
 
-            if (is_array($recordLocalization)) {
-                $languageAccess = $this->checkLanguageAccess(
-                    $recordLocalization[$GLOBALS['TCA'][$l10nTable]['ctrl']['languageField']]
-                );
-                $recordLocalizationAccess = $recordLocalizationAccess && $languageAccess;
+            foreach ($recordLocalizations as $recordLocalization) {
+                if (!$this->checkLanguageAccess($recordLocalization[$GLOBALS['TCA'][$l10nTable]['ctrl']['languageField']])) {
+                    return false;
+                }
             }
         }
-        return $recordLocalizationAccess;
+        return true;
     }
 
     /**
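Review bot: Dropping `setMaxResults(1)` in favour of `fetchAll()` means the query built in the preceding hunk, which still uses `select('*')`, now loads every column of every translation row when the loop reads only the language field. Hoisting `$languageField = $GLOBALS['TCA'][$l10nTable]['ctrl']['languageField'];` above the query and using `->select($languageField)` keeps the access decision on the one column it needs. It also shortens the loop condition to `if (!$this->checkLanguageAccess($recordLocalization[$languageField])) {`. Since this changes an authorization result, a functional test with a record that has two translations, only one of them in an allowed language, would pin the behaviour; no test is visible in this commit.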