[BUGFIX] Check folder permission for default upload folder 81/37481/4
authorNicole Cordes <typo3@cordes.co>
Tue, 3 Mar 2015 08:23:31 +0000 (09:23 +0100)
committerMarkus Klein <klein.t3@reelworx.at>
Wed, 25 Mar 2015 11:09:20 +0000 (12:09 +0100)
The default upload folder has to be writable to add new files.
Do not return a default folder if the user does not have add permissions for it.

Releases: master, 6.2
Resolves: #59589
Change-Id: Iacb7fa8b9b9bdbcb6788485f12f1db00d42b34ae
Reviewed-on: http://review.typo3.org/37481
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Jan Helke <typo3@helke.de>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Tested-by: Markus Klein <klein.t3@reelworx.at>
typo3/sysext/backend/Classes/Form/Element/InlineElement.php
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index 8e54625..a475e12 100644 (file)
@@ -995,10 +995,7 @@ class InlineElement {
                $isDirectFileUploadEnabled = (bool)$this->getBackendUserAuthentication()->uc['edit_docModuleUpload'];
                if ($showUpload && $isDirectFileUploadEnabled) {
                        $folder = $GLOBALS['BE_USER']->getDefaultUploadFolder();
-                       if (
-                               $folder instanceof \TYPO3\CMS\Core\Resource\Folder
-                               && $folder->checkActionPermission('add')
-                       ) {
+                       if ($folder instanceof \TYPO3\CMS\Core\Resource\Folder) {
                                $maxFileSize = GeneralUtility::getMaxUploadFileSize() * 1024;
                                $item .= ' <a href="#" class="btn btn-default t3-drag-uploader"
                                        style="display:none"
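Review bot: With `$folder->checkActionPermission('add')` dropped from this condition, rendering the drag-uploader button now depends entirely on getDefaultUploadFolder() returning only folders the user may add to. The BackendUserAuthentication hunks add that check to the two storage loops, but the docblock there also describes an `options.defaultUploadFolder` override, and this diff does not show whether that path checks 'add'. If it does not, the button would be offered for a folder the user cannot write to. Keeping the check here as a cheap second guard avoids that: `if ($folder instanceof \TYPO3\CMS\Core\Resource\Folder && $folder->checkActionPermission('add')) {`. The enclosing method starts and ends outside the hunk.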
index 85d5b75..b751eba 100644 (file)
@@ -1816,8 +1816,8 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
         * This is used for RTE and its magic images, as well as uploads
         * in the TCEforms fields, unless otherwise configured (will be added in the future)
         *
-        * the default upload folder for a user is the defaultFolder on the first
-        * filestorage/filemount that the user can access
+        * The default upload folder for a user is the defaultFolder on the first
+        * filestorage/filemount that the user can access and to which files are allowed to be added
         * however, you can set the users' upload folder like this:
         *
         * options.defaultUploadFolder = 3:myfolder/yourfolder/
@@ -1833,7 +1833,10 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
                                if ($storage->isDefault()) {
                                        try {
                                                $uploadFolder = $storage->getDefaultFolder();
-                                               break;
+                                               if ($uploadFolder->checkActionPermission('add')) {
+                                                       break;
+                                               }
+                                               $uploadFolder = NULL;
                                        } catch (\TYPO3\CMS\Core\Resource\Exception $folderAccessException) {
                                                // If the folder is not accessible (no permissions / does not exist) we skip this one.
                                        }
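Review bot: The `$uploadFolder = NULL;` reset after the permission check is easy to delete by accident, because nothing says why it is there. Without it, a loop that ends without `break` would leave the last non-writable folder in `$uploadFolder` and return it. A why-comment on that line would help, for example `// Not writable for this user: discard it so the loop cannot end holding a folder that rejects 'add'.` The same four added lines repeat verbatim in the hunk at line 1848, so a small private helper that returns the storage's default folder only when 'add' is permitted would keep the two loops from drifting apart. The enclosing method starts and ends outside the hunk, so the handling after the loops is not visible here.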
@@ -1845,7 +1848,10 @@ class BackendUserAuthentication extends \TYPO3\CMS\Core\Authentication\AbstractU
                                foreach ($this->getFileStorages() as $storage) {
                                        try {
                                                $uploadFolder = $storage->getDefaultFolder();
-                                               break;
+                                               if ($uploadFolder->checkActionPermission('add')) {
+                                                       break;
+                                               }
+                                               $uploadFolder = NULL;
                                        } catch (\TYPO3\CMS\Core\Resource\Exception $folderAccessException) {
                                                // If the folder is not accessible (no permissions / does not exist) try the next one.
                                        }