[BUGFIX] Only access FAL security checks when in Backend 44/54344/2
authorBenni Mack <benni@typo3.org>
Fri, 6 Oct 2017 15:34:52 +0000 (17:34 +0200)
committerBenni Mack <benni@typo3.org>
Tue, 10 Oct 2017 08:15:47 +0000 (10:15 +0200)
The FAL security checks, which add additional checks for Backend Users,
are currently placed within TYPO3_MODE === BE, which applies to CLI as well.

In order to even use the FAL API via CLI, a user has to be authenticated (just for
browsing files). Therefore, the check needs to be handled via TYPO3_REQUEST_TYPE
which excludes symfony commands on CLI basis.

Additionally, the REQUEST TYPE checks are handled within the Slot and not
when to register the hook (see other cleanup patch as well).

Resolves: #82691
Releases: master, 8.7
Change-Id: I7b895a119a17ea166331eb1dbcb75e57fffbd388
Reviewed-on: https://review.typo3.org/54344
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
typo3/sysext/backend/ext_localconf.php
typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php
typo3/sysext/core/ext_localconf.php

index 3154e5a..65648ba 100644 (file)
@@ -47,14 +47,14 @@ class CategoryPermissionsAspect
     }
 
     /**
-     * The slot for the signal in DatabaseTreeDataProvider.
+     * The slot for the signal in DatabaseTreeDataProvider, which only affects the TYPO3 Backend
      *
      * @param DatabaseTreeDataProvider $dataProvider
      * @param TreeNode $treeData
      */
     public function addUserPermissionsToCategoryTreeData(DatabaseTreeDataProvider $dataProvider, $treeData)
     {
-        if (!$this->backendUserAuthentication->isAdmin() && $dataProvider->getTableName() === $this->categoryTableName) {
+        if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !$this->backendUserAuthentication->isAdmin() && $dataProvider->getTableName() === $this->categoryTableName) {
 
             // Get User permissions related to category
             $categoryMountPoints = $this->backendUserAuthentication->getCategoryMountPoints();
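Review bot: The new request-type operand on the `if` is what keeps `$this->backendUserAuthentication->isAdmin()` from running outside backend requests now that the slot is registered in every mode, so its position as the first operand is load-bearing and nothing in the hunk says so. A short comment above the condition would protect it from a later reordering, e.g. `// Slot is connected in all modes (ext_localconf.php); evaluate the request type first so no backend user is dereferenced outside BE requests`. Whether a backend user object is actually present in FE/CLI contexts depends on the constructor, which lies outside this hunk, as does the rest of the method body.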
index 52191c9..c059718 100644 (file)
@@ -1,14 +1,15 @@
 <?php
 defined('TYPO3_MODE') or die();
 
-if (TYPO3_MODE === 'BE') {
-    \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class)->connect(
-        \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::class,
-        \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::SIGNAL_PostProcessTreeData,
-        \TYPO3\CMS\Backend\Security\CategoryPermissionsAspect::class,
-        'addUserPermissionsToCategoryTreeData'
-    );
+// sys_category tree check, which only affects Backend Users
+\TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class)->connect(
+    \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::class,
+    \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::SIGNAL_PostProcessTreeData,
+    \TYPO3\CMS\Backend\Security\CategoryPermissionsAspect::class,
+    'addUserPermissionsToCategoryTreeData'
+);
 
+if (TYPO3_MODE === 'BE') {
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433106] = \TYPO3\CMS\Backend\Backend\ToolbarItems\ClearCacheToolbarItem::class;
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433107] = \TYPO3\CMS\Backend\Backend\ToolbarItems\HelpToolbarItem::class;
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433108] = \TYPO3\CMS\Backend\Backend\ToolbarItems\LiveSearchToolbarItem::class;
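Review bot: The comment on the new registration, `// sys_category tree check, which only affects Backend Users`, reads as if the registration itself were limited to backend users, while the `connect()` call now runs in every mode and the restriction to backend requests is enforced inside the slot. I would make that split explicit so the next reader does not move the call back under `TYPO3_MODE === 'BE'`: `// sys_category tree restriction; connected in every mode, the slot itself only acts on backend requests (TYPO3_REQUESTTYPE_BE)`. The `if (TYPO3_MODE === 'BE')` block opened at the end of the hunk continues outside it.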
index d67db11..8d7a5d7 100644 (file)
@@ -60,7 +60,7 @@ class StoragePermissionsAspect
      */
     public function addUserPermissionsToStorage(ResourceFactory $resourceFactory, ResourceStorage $storage)
     {
-        if (!$this->backendUserAuthentication->isAdmin()) {
+        if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !$this->backendUserAuthentication->isAdmin()) {
             $storage->setEvaluatePermissions(true);
             if ($storage->getUid() > 0) {
                 $storage->setUserPermissions($this->backendUserAuthentication->getFilePermissionsForStorage($storage));
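Review bot: The guard `(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE)` drops the install-tool exclusion that the old registration in core `ext_localconf.php` (the fourth hunk) had via `!(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL)`; if install-tool requests also carry the BE bit — which I believe they do in this release line, but have not verified here — the aspect now runs there, where `$this->backendUserAuthentication` may be unset and `isAdmin()` would fail. Keeping the exclusion inside the slot restores the previous scope: `if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL) && !$this->backendUserAuthentication->isAdmin()) {`. The docblock for addUserPermissionsToStorage starts outside the hunk and should mention the BE-only gate the way the CategoryPermissionsAspect docblock now does.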
index 89fc87c..bda8eb4 100644 (file)
@@ -4,14 +4,15 @@ defined('TYPO3_MODE') or die();
 /** @var \TYPO3\CMS\Extbase\SignalSlot\Dispatcher $signalSlotDispatcher */
 $signalSlotDispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
 
+// FAL security checks for backend users
+$signalSlotDispatcher->connect(
+    \TYPO3\CMS\Core\Resource\ResourceFactory::class,
+    \TYPO3\CMS\Core\Resource\ResourceFactoryInterface::SIGNAL_PostProcessStorage,
+    \TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect::class,
+    'addUserPermissionsToStorage'
+);
+
 if (TYPO3_MODE === 'BE' && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL)) {
-    // FAL SECURITY CHECKS
-    $signalSlotDispatcher->connect(
-        \TYPO3\CMS\Core\Resource\ResourceFactory::class,
-        \TYPO3\CMS\Core\Resource\ResourceFactoryInterface::SIGNAL_PostProcessStorage,
-        \TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect::class,
-        'addUserPermissionsToStorage'
-    );
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\BackendUserGroupIntegrityCheck::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/alt_doc.php']['makeEditForm_accessCheck'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class . '->isAllowedToShowEditForm';