[BUGFIX] AbstractTreeView correct permission handling with non pages 48/38848/2
authorAndreas Allacher <andreas.allacher@gmx.at>
Fri, 20 Feb 2015 08:07:51 +0000 (09:07 +0100)
committerAndreas Fernandez <andreas.fernandez@aspedia.de>
Tue, 21 Apr 2015 13:21:56 +0000 (15:21 +0200)
AbstractTreeView now checks correctly, if a user has permission
to access elements even if they are not pages.

Without this change it was always assumed that the "uid" of the record
is the page uid. However, that is only valid for pages.

Change-Id: I4dd4970fb529ac6ab6f3c79d993456feed225fea
Resolves: #63047
Releases: master, 6.2
Reviewed-on: http://review.typo3.org/38848
Reviewed-by: Andreas Fernandez <andreas.fernandez@aspedia.de>
Tested-by: Andreas Fernandez <andreas.fernandez@aspedia.de>
typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php

index 8331976..d61bd31 100644 (file)
@@ -146,7 +146,7 @@ abstract class AbstractTreeView {
         * @see addField()
         * @todo Define visibility
         */
-       public $fieldArray = array('uid', 'title');
+       public $fieldArray = array('uid', 'pid', 'title');
 
        /**
         * List of other fields which are ALLOWED to set (here, based on the "pages" table!)
@@ -777,7 +777,8 @@ abstract class AbstractTreeView {
                $idH = array();
                // Traverse the records:
                while ($crazyRecursionLimiter > 0 && ($row = $this->getDataNext($res, $subCSSclass))) {
-                       if (!$GLOBALS['BE_USER']->isInWebMount($row['uid'])) {
+                       $pageUid = ($this->table === 'pages') ? $row['uid'] : $row['pid'];
+                       if (!$GLOBALS['BE_USER']->isInWebMount($pageUid)) {
                                // Current record is not within web mount => skip it
                                continue;
                        }