[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager 12/48312/2
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 20 May 2016 04:50:26 +0000 (06:50 +0200)
committerMorton Jonuschat <m.jonuschat@mojocode.de>
Fri, 27 May 2016 09:21:30 +0000 (11:21 +0200)
Instead of passing the simple value "1" to QueryGenerator->getTreeList()
use a page permission clause created using $BE_USER->getPagePermsClause()
when determining the recursive storage pids. Passing the unprocessed value
"1" causes invalid SQL statements and does not perform any access checks.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
(cherry picked from commit 5b4563b284df88f1eb04aeb54c95cf751bcb3416)
Reviewed-on: https://review.typo3.org/48312

typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php

index 486b839..6a0493c 100644 (file)
@@ -230,8 +230,9 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
 
         $recursiveStoragePids = '';
         $storagePids = \TYPO3\CMS\Core\Utility\GeneralUtility::intExplode(',', $storagePid);
+        $permsClause = $this->getBackendUser()->getPagePermsClause(1);
         foreach ($storagePids as $startPid) {
-            $pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, 1);
+            $pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, $permsClause);
             if ((string)$pids !== '') {
                 $recursiveStoragePids .= $pids . ',';
             }
@@ -239,4 +240,12 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
 
         return rtrim($recursiveStoragePids, ',');
     }
+
+    /**
+     * @return \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
+     */
+    protected function getBackendUser()
+    {
+        return $GLOBALS['BE_USER'];
+    }
 }
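Review bot: `getBackendUser()` (added after the closing brace in the second hunk) returns `$GLOBALS['BE_USER']` without checking it is set, and the new line `$permsClause = $this->getBackendUser()->getPagePermsClause(1);` calls it unconditionally, so a request that reaches this code with no initialised backend user would now fail with a method call on null where it previously produced the (unsafe) literal clause. If that path is reachable — it is not visible from the hunk — guard it so it fails closed, e.g. `$beUser = $this->getBackendUser();` followed by `if ($beUser === null) { return ''; }` before the loop (or throw), treating "no backend user" as "no accessible pages" rather than letting the error surface later. The literal `1` is also unexplained; a short comment such as `// 1 = page "show" permission bit, i.e. read access to the tree` (or the `Permission::PAGE_SHOW` constant if this branch provides it) would document why that bit is used, and the `@return` docblock should say `|null` if the global can legitimately be unset. The method containing the first hunk starts outside the hunk.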
index 2eefaa4..638e82a 100644 (file)
@@ -13,6 +13,7 @@ namespace TYPO3\CMS\Extbase\Tests\Unit\Configuration;
  *
  * The TYPO3 project - inspiring people to share!
  */
+use Prophecy\Prophecy\ObjectProphecy;
 
 /**
  * Test case
@@ -337,6 +338,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     {
         $storagePid = '1,2,3';
         $recursive = 99;
+
+        /** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
+        $beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
+        $beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
+        $GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
+
         /** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
         $abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
         $queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
@@ -357,6 +364,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     {
         $storagePid = '1,2,-3';
         $recursive = 99;
+
+        /** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
+        $beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
+        $beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
+        $GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
+
         /** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
         $abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
         $queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
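Review bot: Both test hunks assign `$GLOBALS['BE_USER']` directly and never restore it, so the prophecy leaks into every later test in the process unless the base `UnitTestCase` resets globals in `tearDown()`, which is not visible here. Capturing the previous value and restoring it in `tearDown()`, or creating the prophecy in `setUp()` with a matching reset, would keep the tests isolated; the identical four-line setup in both methods is also a candidate for a private helper such as `$this->createBackendUserProphecy()`. The stub returns `'1=1'`, but whether the test asserts that this clause actually reaches `getTreeList()` depends on the mock expectations below the hunk, so it is worth checking that the wrong-argument case the commit fixes is pinned rather than only made to pass. Both test methods start outside the hunks.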