[TASK] Clean up user permission checking in FE request handling 00/55900/2
authorBenni Mack <benni@typo3.org>
Mon, 26 Feb 2018 06:56:02 +0000 (07:56 +0100)
committerBenni Mack <benni@typo3.org>
Mon, 26 Feb 2018 09:34:52 +0000 (10:34 +0100)
The PHP code for checking if a backend user is allowed to preview
a page should use the Permission bitmask.

Additionally, extPageReadAccess() is a method of the
FrontendBackendUserAuthentication object which checks the webmount
and the page permissions; however, "doesUserHaveAccess" also
checks for the webmount availability.

Resolves: #84042
Releases: master
Change-Id: Ibf8795d41bf9e624c64e07ee6ead34d741fb0bc2
Reviewed-on: https://review.typo3.org/55900
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Tested-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php
typo3/sysext/frontend/Classes/Http/RequestHandler.php

index 1ea5b75..7c920aa 100644 (file)
@@ -1124,14 +1124,12 @@ class TypoScriptFrontendController implements LoggerAwareInterface
         // Now, get the id, validate access etc:
         $this->fetch_the_id();
         // Check if backend user has read access to this page. If not, recalculate the id.
-        if ($this->beUserLogin && $this->fePreview) {
-            if (!$backendUser->doesUserHaveAccess($this->page, 1)) {
-                // Resetting
-                $this->clear_preview();
-                $this->fe_user->user = $originalFrontendUser;
-                // Fetching the id again, now with the preview settings reset.
-                $this->fetch_the_id();
-            }
+        if ($this->beUserLogin && $this->fePreview && !$backendUser->doesUserHaveAccess($this->page, Permission::PAGE_SHOW)) {
+            // Resetting
+            $this->clear_preview();
+            $this->fe_user->user = $originalFrontendUser;
+            // Fetching the id again, now with the preview settings reset.
+            $this->fetch_the_id();
         }
         // Checks if user logins are blocked for a certain branch and if so, will unset user login and re-fetch ID.
         $this->loginAllowedInBranch = $this->checkIfLoginAllowedInBranch();
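Review bot: The rewritten condition references `Permission::PAGE_SHOW`, but unlike the RequestHandler.php section this file section adds no `use TYPO3\CMS\Core\Type\Bitmask\Permission;`; if the class is not already imported higher up in TypoScriptFrontendController.php, the name resolves against the controller's namespace and every frontend request with a backend user in preview mode would fail with a class-not-found error on this line instead of performing the access check. Worth confirming the import exists before merge, since the line guards whether a preview is reset. The method enclosing this condition starts and ends outside the hunk.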
index dd5b932..f323914 100644 (file)
@@ -24,6 +24,7 @@ use TYPO3\CMS\Core\Http\NullResponse;
 use TYPO3\CMS\Core\Http\RequestHandlerInterface;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\TimeTracker\TimeTracker;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController;
 use TYPO3\CMS\Frontend\Page\PageGenerator;
@@ -79,7 +80,7 @@ class RequestHandler implements RequestHandlerInterface, PsrRequestHandlerInterf
 
         // Now, if there is a backend user logged in and he has NO access to this page,
         // then re-evaluate the id shown!.
-        if ($controller->isBackendUserLoggedIn() && !$GLOBALS['BE_USER']->extPageReadAccess($controller->page)) {
+        if ($controller->isBackendUserLoggedIn() && !$GLOBALS['BE_USER']->doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)) {
             // Remove user
             unset($GLOBALS['BE_USER']);
             $controller->beUserLogin = false;
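Review bot: The new condition changes what is authorised, not only how it is spelled: the commit message describes `extPageReadAccess()` as a combined webmount and page-permission check, while `doesUserHaveAccess($controller->page, Permission::PAGE_SHOW)` reads, as far as this hunk shows, as a pure permission-bitmask test. If the webmount check is not part of `doesUserHaveAccess()` (the message asserts it is, but the implementation is not visible here), a backend user could keep their session on pages outside their webmounts as long as the page permission bits allow it; the reverse narrowing is also possible if the old method accepted either condition. Since this branch decides whether `$GLOBALS['BE_USER']` is dropped before the page is rendered, the intended outcome for a non-admin user viewing a page outside their mounts should be pinned by a functional test rather than inferred from the message. The enclosing method starts and ends outside the hunk.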