[BUGFIX] Make category tree filterable for editors with category mounts 25/54725/3
authorChristoph Lehmann <christoph.lehmann@networkteam.com>
Wed, 13 Sep 2017 21:34:45 +0000 (23:34 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Mon, 27 Nov 2017 22:52:19 +0000 (23:52 +0100)
TCEFORM.pages.categories.config.treeConfig.rootUid should filter
the category tree. Non-Admin users with category mounts currently
need every child category of rootUid in their category mounts
since the rootline of rootUid is not checked against the category
mounts.

Resolves: #78274
Releases: master, 8.7
Change-Id: Id02ae69111df7397207939a034ed05797eb160ad
Reviewed-on: https://review.typo3.org/54725
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php

index d7aadb8..c5092b3 100644 (file)
@@ -17,7 +17,9 @@ namespace TYPO3\CMS\Backend\Security;
 use TYPO3\CMS\Backend\Tree\TreeNode;
 use TYPO3\CMS\Backend\Tree\TreeNodeCollection;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
  * We do not have AOP in TYPO3 for now, thus the aspect which
@@ -64,6 +66,15 @@ class CategoryPermissionsAspect
 
             if (!empty($categoryMountPoints) && !empty($treeNodeCollection)) {
 
+                // Check the rootline against categoryMountPoints when tree was filtered
+                if ($dataProvider->getRootUid() !== null) {
+                    $uidsInRootline = $this->findUidsInRootline($dataProvider->getRootUid());
+                    if (!empty(array_intersect($categoryMountPoints, $uidsInRootline))) {
+                        // One of the parents was found in categoryMountPoints so all children are secure
+                        return;
+                    }
+                }
+
                 // First, remove all child nodes which must be analysed to be considered as "secure".
                 // The nodes were backed up in variable $treeNodeCollection beforehand.
                 $treeData->removeChildNodes();
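Review bot: The early `return` in the new rootline check leaves the whole tree unfiltered, yet the set it tests holds only the ancestors of the root uid; `findUidsInRootline()`, added further down in this commit, never includes the uid it was called with. An editor whose category mount is exactly the configured `rootUid` therefore skips this shortcut and depends on the older node-by-node filtering below, which may or may not cover that case. If it does not, add the root itself before intersecting, e.g. `$uidsInRootline[] = (int)$dataProvider->getRootUid();`. The comment on the `return` should also state why it is safe: every node shown lies below `rootUid`, so an ancestor in the mounts covers them all. The enclosing method starts and ends outside this hunk.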
@@ -117,4 +128,31 @@ class CategoryPermissionsAspect
         }
         return $result;
     }
+
+    /**
+     * Find parent uids in rootline
+     *
+     * @param int $uid
+     * @return array
+     */
+    protected function findUidsInRootline($uid)
+    {
+        /** @var \TYPO3\CMS\Core\Database\Query\QueryBuilder $queryBuilder */
+        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->categoryTableName);
+        $row = $queryBuilder
+            ->select('parent')
+            ->from($this->categoryTableName)
+            ->where(
+                $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT))
+            )
+            ->execute()
+            ->fetch();
+
+        $parentUids = [];
+        if ($row['parent'] > 0) {
+            $parentUids = $this->findUidsInRootline($row['parent']);
+            $parentUids[] = $row['parent'];
+        }
+        return $parentUids;
+    }
 }
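Review bot: `findUidsInRootline()` recurses with no guard against a parent cycle and no check that a row was found. Two categories that name each other as `parent` make this permission check recurse until PHP runs out of stack or memory. Separately, `->fetch()` returns `false` for a missing uid (or one hidden by the query builder's default restrictions, if those apply here), so `$row['parent']` is read from a non-array. An iterative walk that stops on a missing row or an already-seen uid avoids both and keeps one query per level; the returned order changes to nearest parent first, which `array_intersect()` does not depend on. The docblock should also say that the returned list excludes `$uid` itself.

```php
    protected function findUidsInRootline($uid)
    {
        $parentUids = [];
        $currentUid = (int)$uid;
        while ($currentUid > 0) {
            // … unchanged: build $queryBuilder and fetch the 'parent' column into $row, now for $currentUid …
            $parentUid = is_array($row) ? (int)$row['parent'] : 0;
            if ($parentUid <= 0 || in_array($parentUid, $parentUids, true)) {
                // Row missing, top of the tree reached, or a parent cycle: stop walking
                break;
            }
            $parentUids[] = $parentUid;
            $currentUid = $parentUid;
        }
        return $parentUids;
    }
```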