[BUGFIX] Prevent root folder listing for users 89/39089/4
authorNicole Cordes <typo3@cordes.co>
Thu, 30 Apr 2015 13:15:05 +0000 (15:15 +0200)
committerAndreas Fernandez <typo3@scripting-base.de>
Sat, 2 May 2015 19:44:53 +0000 (21:44 +0200)
If a user has no file mount defined, or the defined file mounts
don't exist, the root folder of the storage is shown. To prevent
disallowed listing of folders, only admin users are allowed to see and
browse the root folder; editors get a notice that no file mounts
are configured.

Releases: master, 6.2
Resolves: #66687
Change-Id: I301d05773f10885351034dae2b0bbd16ac20ac55
Reviewed-on: http://review.typo3.org/39089
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php
typo3/sysext/backend/Resources/Private/Language/locallang.xlf

index b4c8d77..34e7b4c 100644 (file)
@@ -15,8 +15,10 @@ namespace TYPO3\CMS\Backend\Tree\View;
  */
 
 use TYPO3\CMS\Backend\Utility\IconUtility;
+use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Resource\FolderInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Lang\LanguageService;
 
 /**
  * Generate a folder tree,
@@ -57,7 +59,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
         */
        public function __construct() {
                parent::init();
-               $this->storages = $GLOBALS['BE_USER']->getFileStorages();
+               $this->storages = $this->BE_USER->getFileStorages();
                $this->treeName = 'folder';
                // Don't apply any title
                $this->titleAttrib = '';
@@ -249,7 +251,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
                                        'name' => $fileMountInfo['title']
                                );
                        }
-               } else {
+               } elseif ($this->BE_USER->isAdmin()) {
                        $rootLevelFolders[] = array(
                                'folder' => $storageObject->getRootLevelFolder(),
                                'name' => $storageObject->getName()
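Review bot: The new `elseif ($this->BE_USER->isAdmin())` branch excludes non-admin users silently and has no comment marking it as an access restriction, so a later cleanup could turn it back into a plain `else` and reopen the root-folder listing. I would add a line above `$rootLevelFolders[] = array(` such as `// Only admins may fall back to the storage root; editors without a valid file mount get no root folder (#66687)`. The check also lives only in the tree view; whether the storage layer or other code paths that accept a folder identifier refuse the root folder for such users is not visible in this diff and is worth confirming. The enclosing method and the `if` this branch belongs to start outside the hunk.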
@@ -288,7 +290,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
                        // Mark a storage which is not online, as offline
                        // maybe someday there will be a special icon for this
                        if ($storageObject->isOnline() === FALSE) {
-                               $rootLevelFolderName .= ' (' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file.xlf:sys_file_storage.isOffline') . ')';
+                               $rootLevelFolderName .= ' (' . $this->getLanguageService()->sL('LLL:EXT:lang/locallang_mod_file.xlf:sys_file_storage.isOffline') . ')';
                        }
                        // Preparing rootRec for the mount
                        $firstHtml .= $this->wrapIcon(IconUtility::getSpriteIconForResource($rootLevelFolder, array('mount-root' => TRUE)), $rootLevelFolder);
@@ -408,6 +410,17 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
                if (!is_array($treeItems)) {
                        $treeItems = $this->tree;
                }
+
+               if (empty($treeItems)) {
+                       $message = GeneralUtility::makeInstance(
+                               FlashMessage::class,
+                               $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang.xlf:foldertreeview.noFolders.message'),
+                               $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang.xlf:foldertreeview.noFolders.title'),
+                               FlashMessage::INFO
+                       );
+                       return $message->render();
+               }
+
                $out = '
                        <!-- TYPO3 folder tree structure. -->
                        <ul class="tree" id="treeRoot">
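Review bot: `FlashMessage::class` in the added `makeInstance()` call needs PHP 5.5, while the commit is marked for release on 6.2 as well as master; if that branch still supports older PHP versions (I believe it does), the backport would fail to parse there and take the folder tree down with it. For the 6.2 pick, pass the class name as a string instead: `'TYPO3\\CMS\\Core\\Messaging\\FlashMessage',`. Separately, the early return sits after the fallback to `$this->tree`, so an admin with no storages configured would get the same "ask your administrator" text. The method starts and ends outside the hunk.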
@@ -634,4 +647,11 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
                return $this->ajaxStatus;
        }
 
+       /**
+        * @return LanguageService
+        */
+       protected function getLanguageService() {
+               return $GLOBALS['LANG'];
+       }
+
 }
index 1f4a136..45fc7e3 100644 (file)
@@ -28,6 +28,12 @@ Have a nice day.</source>
                        <trans-unit id="config.loginBackgroundImage">
                                <source>Background Image: If set, this image will be used as background image for the login screen for screen sizes greater than 767 pixel (e.g. fileadmin/images/my-background.jpg or EXT:my_theme/Resources/Public/Images/my-background.jpg or //domain.tld/my-background.png)</source>
                        </trans-unit>
+                       <trans-unit id="foldertreeview.noFolders.title">
+                               <source>No folders available</source>
+                       </trans-unit>
+                       <trans-unit id="foldertreeview.noFolders.message">
+                               <source>You do not have access to any folder. Please ask your administrator to fix access permissions for your account.</source>
+                       </trans-unit>
                </body>
        </file>
 </xliff>