[BUGFIX] Check access to folder in FileListController 11/40411/3
authorNicole Cordes <typo3@cordes.co>
Thu, 30 Apr 2015 16:12:27 +0000 (18:12 +0200)
committerNicole Cordes <typo3@cordes.co>
Thu, 16 Jul 2015 09:36:54 +0000 (11:36 +0200)
Currently, if a folder isn't accessible to the user, the root folder
is used as a fallback. But this folder might be inaccessible as
well. This patch adds an access check for the returned folder and
turns thrown errors into flash messages.

Releases: master, 6.2
Resolves: #66693
Resolves: #56641
Change-Id: I310df8061edc790dde1034a27136365b4253ac7f
Reviewed-on: http://review.typo3.org/40411
Reviewed-by: Stephan GroƟberndt <stephan@grossberndt.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/core/Classes/Resource/Folder.php
typo3/sysext/core/Classes/Resource/ResourceStorage.php
typo3/sysext/filelist/Classes/Controller/FileListController.php
typo3/sysext/filelist/Classes/FileList.php
typo3/sysext/lang/locallang_mod_file_list.xlf

index 8144535..1599382 100644 (file)
@@ -213,9 +213,9 @@ class Folder implements FolderInterface {
         * the given pattern
         *
         * @param array $filterMethods
-        * @param boolean $recursive
-        *
-        * @return integer
+        * @param bool $recursive
+        * @return int
+        * @throws Exception\InsufficientFolderAccessPermissionsException
         */
        public function getFileCount(array $filterMethods = array(), $recursive = FALSE) {
                return count($this->storage->getFileIdentifiersInFolder($this->identifier, TRUE, $recursive));
index 12215c0..e18e7c7 100644 (file)
@@ -725,7 +725,17 @@ class ResourceStorage implements ResourceStorageInterface {
         */
        protected function assureFolderReadPermission(Folder $folder = NULL) {
                if (!$this->checkFolderActionPermission('read', $folder)) {
-                       throw new Exception\InsufficientFolderAccessPermissionsException('You are not allowed to access the given folder', 1375955684);
+                       if ($folder === NULL) {
+                               throw new Exception\InsufficientFolderAccessPermissionsException(
+                                       'You are not allowed to read folders',
+                                       1430657869
+                               );
+                       } else {
+                               throw new Exception\InsufficientFolderAccessPermissionsException(
+                                       'You are not allowed to access the given folder: "' . $folder->getName() . '"',
+                                       1375955684
+                               );
+                       }
                }
        }
 
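Review bot: The new message interpolates `$folder->getName()` raw, so the exception text now carries a storage-supplied value that ultimately derives from the requested identifier; any consumer that logs or displays `getMessage()` has to escape it for its output context rather than treat it as a constant string. A comment on the `else` branch, `// Folder name is untrusted data; callers must escape getMessage() before rendering`, would make that explicit. The method's docblock ends at the top of the hunk, so I cannot see whether it already declares `@throws Exception\InsufficientFolderAccessPermissionsException`; add it if missing, as the Folder::getFileCount hunk does.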
index 3672240..c0b38d0 100644 (file)
@@ -15,6 +15,8 @@ namespace TYPO3\CMS\Filelist\Controller;
  */
 
 use TYPO3\CMS\Backend\Utility\BackendUtility;
+use TYPO3\CMS\Core\Messaging\FlashMessage;
+use TYPO3\CMS\Core\Resource\Exception;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Resource\Exception;
 
@@ -164,31 +166,58 @@ class FileListController {
                                $fileStorages = $GLOBALS['BE_USER']->getFileStorages();
                                $fileStorage = reset($fileStorages);
                                if ($fileStorage) {
-                                       // Validating the input "id" (the path, directory!) and
-                                       // checking it against the mounts of the user. - now done in the controller
                                        $this->folderObject = $fileStorage->getRootLevelFolder();
                                } else {
                                        throw new \RuntimeException('Could not find any folder to be displayed.', 1349276894);
                                }
                        }
-               } catch (\TYPO3\CMS\Core\Resource\Exception $fileException) {
+
+                       if ($this->folderObject && !$this->folderObject->getStorage()->isWithinFileMountBoundaries($this->folderObject)) {
+                               throw new \RuntimeException('Folder not accessible.', 1430409089);
+                       }
+               } catch (Exception\InsufficientFolderAccessPermissionsException $permissionException) {
+                       $this->folderObject = NULL;
+                       $this->errorMessage = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
+                               sprintf(
+                                       $GLOBALS['LANG']->getLL('missingFolderPermissionsMessage', TRUE),
+                                       htmlspecialchars($this->id)
+                               ),
+                               $GLOBALS['LANG']->getLL('missingFolderPermissionsTitle', TRUE),
+                               FlashMessage::NOTICE
+                       );
+               } catch (Exception $fileException) {
+                       // Set folder object to null and throw a message later on
+                       $this->folderObject = NULL;
                        // Take the first object of the first storage
                        $fileStorages = $GLOBALS['BE_USER']->getFileStorages();
                        $fileStorage = reset($fileStorages);
-                       if ($fileStorage) {
-                               // Set folder object to null and throw a message later on
+                       if ($fileStorage instanceof \TYPO3\CMS\Core\Resource\ResourceStorage) {
                                $this->folderObject = $fileStorage->getRootLevelFolder();
-                       } else {
-                               $this->folderObject = NULL;
+                               if (!$fileStorage->isWithinFileMountBoundaries($this->folderObject)) {
+                                       $this->folderObject = NULL;
+                               }
                        }
                        $this->errorMessage = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
-                               sprintf($GLOBALS['LANG']->getLL('folderNotFoundMessage', TRUE),
-                                               htmlspecialchars($this->id)
+                               sprintf(
+                                       $GLOBALS['LANG']->getLL('folderNotFoundMessage', TRUE),
+                                       htmlspecialchars($this->id)
                                ),
                                $GLOBALS['LANG']->getLL('folderNotFoundTitle', TRUE),
-                               \TYPO3\CMS\Core\Messaging\FlashMessage::NOTICE
+                               FlashMessage::NOTICE
+                       );
+               } catch (\RuntimeException $e) {
+                       $this->folderObject = NULL;
+                       $this->errorMessage = GeneralUtility::makeInstance('TYPO3\\CMS\\Core\\Messaging\\FlashMessage',
+                               $e->getMessage() . ' (' . $e->getCode() . ')',
+                               $GLOBALS['LANG']->getLL('folderNotFoundTitle', TRUE),
+                               FlashMessage::NOTICE
                        );
                }
+
+               if ($this->folderObject && !$this->folderObject->getStorage()->checkFolderActionPermission('read', $this->folderObject)) {
+                       $this->folderObject = NULL;
+               }
+
                // Configure the "menu" - which is used internally to save the values of sorting, displayThumbs etc.
                $this->menuConfig();
        }
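Review bot: The added `use TYPO3\CMS\Core\Resource\Exception;` in the first hunk duplicates the existing import two lines below it (a context line in the same hunk), and PHP rejects importing the same alias twice at compile time ("Cannot use ... because the name is already in use"), so the file would not load unless the rendering dropped a removal marker for the old line; keep only one of them. In the second hunk, the `\RuntimeException` branch passes `$e->getMessage() . ' (' . $e->getCode() . ')'` straight into the flash message while the two sibling branches run their interpolated identifier through `htmlspecialchars()`; the two RuntimeException messages visible here are constants, but the try block starts above the hunk and any other RuntimeException raised there may carry the request-supplied identifier, so `htmlspecialchars($e->getMessage()) . ' (' . $e->getCode() . ')'` keeps the branches consistent if flash messages are rendered as HTML. The enclosing method begins outside the hunk.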
index 3edfad8..415fc58 100644 (file)
@@ -506,7 +506,11 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                                        foreach ($this->fieldArray as $field) {
                                                switch ($field) {
                                                        case 'size':
-                                                               $numFiles = $folderObject->getFileCount();
+                                                               try {
+                                                                       $numFiles = $folderObject->getFileCount();
+                                                               } catch (\TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException $e) {
+                                                                       $numFiles = 0;
+                                                               }
                                                                $theData[$field] = $numFiles . ' ' . $GLOBALS['LANG']->getLL(($numFiles === 1 ? 'file' : 'files'), TRUE);
                                                                break;
                                                        case 'rw':
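Review bot: Catching `InsufficientFolderAccessPermissionsException` and setting `$numFiles = 0` makes a folder the user may not read look identical to an empty one in the size column, and that deliberate trade-off is not recorded in the code. A comment above the `try`, `// Unreadable folder: show 0 rather than abort the whole listing (getFileCount may throw)`, would explain the silent fallback. The surrounding `foreach`/`switch` start and end outside the hunk.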
index 18b98a1..975e56a 100644 (file)
                        <trans-unit id="storageNotBrowsableMessage" xml:space="preserve">
                                <source>You are trying to access a folder in a storage that is not browsable.</source>
                        </trans-unit>
+                       <trans-unit id="missingFolderPermissionsTitle" xml:space="preserve">
+                               <source>Missing folder permissions</source>
+                       </trans-unit>
+                       <trans-unit id="missingFolderPermissionsMessage" xml:space="preserve">
+                               <source>You have no access to the folder "%s".</source>
+                       </trans-unit>
                        <trans-unit id="folderNotFoundTitle" xml:space="preserve">
                                <source>Folder not found.</source>
                        </trans-unit>