[BUGFIX] Verify folder access for file mounts of BE users 54/47454/5
authorBenni Mack <benni@typo3.org>
Thu, 31 Mar 2016 08:44:09 +0000 (10:44 +0200)
committerBenni Mack <benni@typo3.org>
Tue, 5 Jul 2016 16:19:33 +0000 (18:19 +0200)
The current implementation does not allow non-admins backend
users to import files as the folder access always returns false
due to the empty $mounts variable inside BasicFileFunc.

As FAL does the permission checks automatically, the logic
from BasicFileFunc is not needed anymore, and can be
accessed directly.

Resolves: #75331
Releases: master
Change-Id: I0211286cc6ae939229a0d7eb45adc89d1600d635
Reviewed-on: https://review.typo3.org/47454
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/impexp/Classes/Import.php
typo3/sysext/impexp/Classes/ImportExport.php

index df9cf45..f78ec58 100644 (file)
@@ -18,6 +18,7 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\DataHandling\DataHandler;
 use TYPO3\CMS\Core\Exception;
+use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\FileInterface;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
@@ -1590,9 +1591,13 @@ class Import extends ImportExport
             return false;
         }
         // Just for security, check again. Should actually not be necessary.
-        if (!$fileProcObj->checkPathAgainstMounts($fileName) && !$bypassMountCheck) {
-            $this->error('ERROR: Filename "' . $fileName . '" was not allowed in destination path!');
-            return false;
+        if (!$bypassMountCheck) {
+            try {
+                ResourceFactory::getInstance()->getFolderObjectFromCombinedIdentifier(dirname($fileName));
+            } catch (InsufficientFolderAccessPermissionsException $e) {
+                $this->error('ERROR: Filename "' . $fileName . '" was not allowed in destination path!');
+                return false;
+            }
         }
         $fI = GeneralUtility::split_fileref($fileName);
         if (!$fileProcObj->checkIfAllowed($fI['fileext'], $fI['path'], $fI['file']) && (!$this->allowPHPScripts || !$this->getBackendUser()->isAdmin())) {
index f4fc27f..49b1209 100644 (file)
@@ -18,6 +18,8 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\Imaging\IconFactory;
+use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
+use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Utility\DebugUtility;
 use TYPO3\CMS\Core\Utility\DiffUtility;
 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
@@ -939,26 +941,22 @@ abstract class ImportExport
      */
     public function verifyFolderAccess($dirPrefix, $noAlternative = false)
     {
-        $fileProcObj = $this->getFileProcObj();
-        // Check, if dirPrefix is inside a valid Filemount for user:
-        $result = $fileProcObj->checkPathAgainstMounts(PATH_site . $dirPrefix);
-        // If not, try to find another relative filemount and use that instead:
-        if (!$result) {
-            if ($noAlternative) {
-                return false;
-            }
-            // Find first web folder:
-            $result = $fileProcObj->findFirstWebFolder();
-            // If that succeeded, return the path to it:
-            if ($result) {
-                // Remove the "fileadmin/" prefix of input path - and append the rest to the return value:
-                if (GeneralUtility::isFirstPartOfStr($dirPrefix, $this->fileadminFolderName . '/')) {
-                    $dirPrefix = substr($dirPrefix, strlen($this->fileadminFolderName . '/'));
+        // Check the absolute path for PATH_site, if the user has access - no problem
+        try {
+            ResourceFactory::getInstance()->getFolderObjectFromCombinedIdentifier($dirPrefix);
+            return $dirPrefix;
+        } catch (InsufficientFolderAccessPermissionsException $e) {
+            // Check all storages available for the user as alternative
+            if (!$noAlternative) {
+                $fileStorages = $this->getBackendUser()->getFileStorages();
+                foreach ($fileStorages as $fileStorage) {
+                    try {
+                        $folder = $fileStorage->getFolder(rtrim($dirPrefix, '/'));
+                        return $folder->getPublicUrl();
+                    } catch (InsufficientFolderAccessPermissionsException $e) {
+                    }
                 }
-                return PathUtility::stripPathSitePrefix($fileProcObj->mounts[$result]['path'] . $dirPrefix);
             }
-        } else {
-            return $dirPrefix;
         }
         return false;
     }