[BUGFIX] Check webmounts for backend user in workspace preview 32/44832/4
authorNicole Cordes <typo3@cordes.co>
Fri, 20 Nov 2015 15:36:45 +0000 (16:36 +0100)
committerMarkus Klein <markus.klein@typo3.org>
Sun, 22 Nov 2015 12:01:50 +0000 (13:01 +0100)
This patch adds a check whether the backend user used for workspace
authentication has access to the currently requested page. If the user
doesn't have access, the workspace version of that page can't be displayed
and the live version is shown instead.

Resolves: #71734
Releases: master, 6.2
Change-Id: I66b79f9ee36ed3037729dceedd9410ccd85880f4
Reviewed-on: https://review.typo3.org/44832
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/version/Classes/Hook/PreviewHook.php

index 3bb5d1e..c862669 100644 (file)
@@ -14,7 +14,9 @@ namespace TYPO3\CMS\Version\Hook;
  * The TYPO3 project - inspiring people to share!
  */
 
+use TYPO3\CMS\Backend\FrontendBackendUserAuthentication;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\MathUtility;
 
 /**
  * Hook for checking if the preview mode is activated
@@ -92,9 +94,12 @@ class PreviewHook implements \TYPO3\CMS\Core\SingletonInterface
      */
     public function initializePreviewUser(&$params, &$pObj)
     {
-        if ((is_null($params['BE_USER']) || $params['BE_USER'] === false) && $this->previewConfiguration !== false && $this->previewConfiguration['BEUSER_uid'] > 0) {
+        if ((is_null($params['BE_USER']) || $params['BE_USER'] === false)
+            && $this->previewConfiguration !== false
+            && $this->previewConfiguration['BEUSER_uid'] > 0
+        ) {
             // New backend user object
-            $BE_USER = GeneralUtility::makeInstance(\TYPO3\CMS\Backend\FrontendBackendUserAuthentication::class);
+            $BE_USER = GeneralUtility::makeInstance(FrontendBackendUserAuthentication::class);
             $BE_USER->userTS_dontGetCached = 1;
             $BE_USER->setBeUserByUid($this->previewConfiguration['BEUSER_uid']);
             $BE_USER->unpack_uc('');
@@ -110,8 +115,15 @@ class PreviewHook implements \TYPO3\CMS\Core\SingletonInterface
         // if there is a valid BE user, and the full workspace should be
         // previewed, the workspacePreview option shouldbe set
         $workspaceUid = $this->previewConfiguration['fullWorkspace'];
-        if ($pObj->beUserLogin && is_object($params['BE_USER']) && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($workspaceUid)) {
-            if ($workspaceUid == 0 || $workspaceUid >= -1 && $params['BE_USER']->checkWorkspace($workspaceUid)) {
+        if ($pObj->beUserLogin
+            && is_object($params['BE_USER'])
+            && MathUtility::canBeInterpretedAsInteger($workspaceUid)
+        ) {
+            if ($workspaceUid == 0
+                || $workspaceUid >= -1
+                && $params['BE_USER']->checkWorkspace($workspaceUid)
+                && $params['BE_USER']->isInWebMount($pObj->id)
+            ) {
                 // Check Access to workspace. Live (0) is OK to preview for all.
                 $pObj->workspacePreview = (int)$workspaceUid;
             } else {
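Review bot: The inner condition mixes `||` and `&&` without parentheses, so the added `isInWebMount($pObj->id)` check applies only to the non-live case because `&&` binds tighter than `||`; a later edit to this condition could silently change which branch is guarded. I would make the grouping explicit, `if ($workspaceUid == 0 || ($workspaceUid >= -1 && $params['BE_USER']->checkWorkspace($workspaceUid) && $params['BE_USER']->isInWebMount($pObj->id))) {`, and extend the branch comment to something like `// Live (0) is OK for all; other workspaces need workspace access and the page inside the user's webmounts.` The access decision is only as good as the id it is made on, and the hunk does not show whether `$pObj->id` is already the final, resolved page uid when this hook runs, so that should be confirmed (an alias or a not-yet-resolved id would presumably be checked instead of the page that is rendered). The method body and the `else` branch continue outside the hunk.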