[BUGFIX] Simulate user: Fix user selection 54/39754/3
authorMorton Jonuschat <m.jonuschat@mojocode.de>
Tue, 26 May 2015 18:01:25 +0000 (20:01 +0200)
committerNicole Cordes <typo3@cordes.co>
Wed, 27 May 2015 08:08:36 +0000 (10:08 +0200)
This is a follow-up fix for #66801, which hid too many users because
an underscore (_) is a wildcard for a single character in SQL LIKE queries.
It also ensures proper quoting of the string value, to be compatible with
databases that enforce proper query syntax.

Resolves: #67154
Resolves: #67093
Related: #66801
Releases: master
Change-Id: If0b78cd4e66c3420c832ad98aa5717034f619639
Reviewed-on: http://review.typo3.org/39754
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Stephan GroƟberndt <stephan@grossberndt.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/setup/Classes/Controller/SetupModuleController.php

index 1048fa0..a01a0e7 100644 (file)
@@ -16,6 +16,7 @@ namespace TYPO3\CMS\Setup\Controller;
 
 use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\Database\DatabaseConnection;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 
@@ -699,7 +700,9 @@ class SetupModuleController {
                if ($this->getBackendUser()->isAdmin()) {
                        $this->simUser = (int)GeneralUtility::_GP('simUser');
                        // Make user-selector:
-                       $where = 'AND username NOT LIKE "_cli_%" AND uid <> ' . (int)$this->getBackendUser()->user['uid'] . BackendUtility::BEenableFields('be_users');
+                       $db = $this->getDatabaseConnection();
+                       $where = 'AND username NOT LIKE ' . $db->fullQuoteStr($db->escapeStrForLike('_cli_', 'be_users') . '%', 'be_users');
+                       $where .= ' AND uid <> ' . (int)$this->getBackendUser()->user['uid'] . BackendUtility::BEenableFields('be_users');
                        $users = BackendUtility::getUserNames('username,usergroup,usergroup_cached_list,uid,realName', $where);
                        $opt = array();
                        foreach ($users as $rr) {
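Review bot: The new `$where =` line builds a LIKE pattern without an explicit ESCAPE clause, so it relies on the escape character emitted by escapeStrForLike() being the one the database applies to LIKE; that holds for MySQL's default backslash escaping and presumably for the DBAL override on other backends, but nothing in the code says so. The code also gives no hint why the `_cli_` prefix is escaped while the trailing `%` is appended outside the escape, so I would add `// "_" is a single-character LIKE wildcard: escape the literal prefix, then append the real "%" wildcard` above that line. The leading `AND ` in `$where` looks load-bearing, since getUserNames() presumably appends the fragment to its own conditions — a short note there would save the next reader a lookup. The enclosing method starts and ends outside the hunk.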
@@ -836,4 +839,11 @@ class SetupModuleController {
                return $GLOBALS['LANG'];
        }
 
+       /**
+        * @return DatabaseConnection
+        */
+       protected function getDatabaseConnection() {
+               return $GLOBALS['TYPO3_DB'];
+       }
+
 }
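Review bot: The docblock on the new getDatabaseConnection() carries only `@return DatabaseConnection` and no description, so a reader must open the body to learn it is the `$GLOBALS['TYPO3_DB']` accessor; a one-line purpose such as `Returns the global database connection ($GLOBALS['TYPO3_DB']).` would make it self-explanatory and match the sibling accessor that returns `$GLOBALS['LANG']`. As the method is protected and non-final it also looks intended as a seam for substituting the connection, which is worth stating in the docblock if that is the intent.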