[BUGFIX] Allow form definitions to be moved or put to recycle folder 88/57688/2
authorOliver Hader <oliver@typo3.org>
Mon, 23 Jul 2018 14:09:27 +0000 (16:09 +0200)
committerChristian Kuhn <lolli@schwarzbu.ch>
Thu, 26 Jul 2018 10:19:09 +0000 (12:19 +0200)
After fixing the issue of TYPO3-CORE-SA-2018-003, file commands for
form definitions (those ending with the new ".form.yaml" extension) have
been limited. Since the "move" command theoretically allows moving
and renaming a file, it has been denied as well. However, it is
okay to move those files around in case the file extension has not
been changed or when being moved to a recycle folder.

Resolves: #85570
Releases: master, 8.7
Change-Id: Ic1f40d061b330d62138a42be9e868fca77b17187
Reviewed-on: https://review.typo3.org/57688
Reviewed-by: Ralf Zimmermann <ralf.zimmermann@tritum.de>
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php

index 02cb4ea..e7ac400 100644 (file)
@@ -185,6 +185,16 @@ class FilePersistenceSlot implements SingletonInterface
      */
     public function onPreFileMove(FileInterface $file, FolderInterface $targetFolder, string $targetFileName)
     {
+        // Skip check, in case file extension would not change during this
+        // command. In case e.g. "file.txt" shall be renamed to "file.form.yaml"
+        // the invocation still has to be granted.
+        // Any file moved to a recycle folder is accepted as well.
+        if ($this->isFormDefinition($file->getIdentifier())
+            && $this->isFormDefinition($targetFileName)
+            || $this->isRecycleFolder($targetFolder)) {
+            return;
+        }
+
         $combinedFileIdentifier = $this->buildCombinedIdentifier(
             $targetFolder,
             $targetFileName
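Review bot: The recycle-folder clause of the new guard returns before `$targetFileName` is considered, so a move that also renames a non-form file to `*.form.yaml` is accepted whenever the target is a recycler folder, although the comment above says that rename still has to be granted. Once a file carries the extension, a later move with unchanged extension satisfies the first clause too, so neither step reaches the check below. Consider limiting the exemption to moves that do not newly introduce the extension, and parenthesising the `&&` pair so the precedence is explicit: `|| ($this->isRecycleFolder($targetFolder) && !$this->isFormDefinition($targetFileName))`. The rest of onPreFileMove lies outside the hunk, so how the remaining check treats non-form targets should be confirmed there.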
@@ -225,7 +235,7 @@ class FilePersistenceSlot implements SingletonInterface
         string $combinedFileIdentifier,
         string $content = null
     ) {
-        if (!StringUtility::endsWith($combinedFileIdentifier, FormPersistenceManager::FORM_DEFINITION_FILE_EXTENSION)) {
+        if (!$this->isFormDefinition($combinedFileIdentifier)) {
             return;
         }
 
@@ -304,4 +314,26 @@ class FilePersistenceSlot implements SingletonInterface
             $fileName
         );
     }
+
+    /**
+     * @param string $identifier
+     * @return bool
+     */
+    protected function isFormDefinition(string $identifier): bool
+    {
+        return StringUtility::endsWith(
+            $identifier,
+            FormPersistenceManager::FORM_DEFINITION_FILE_EXTENSION
+        );
+    }
+
+    /**
+     * @param FolderInterface $folder
+     * @return bool
+     */
+    protected function isRecycleFolder(FolderInterface $folder): bool
+    {
+        $role = $folder->getStorage()->getRole($folder);
+        return $role === FolderInterface::ROLE_RECYCLER;
+    }
 }
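Review bot: Both new helpers gate the file-command check, but their docblocks carry only `@param`/`@return`, so the matching rules are undocumented. For isFormDefinition() I would add a summary such as `Whether the identifier ends with FormPersistenceManager::FORM_DEFINITION_FILE_EXTENSION (plain suffix match on the whole string).` and state whether differently cased extensions are meant to be excluded; the comparison looks case-sensitive, which should be confirmed against StringUtility::endsWith. For isRecycleFolder() a line like `Whether the folder's storage assigns it the recycler role.` would do.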