[BUGFIX] Check webmounts for backend user in workspace preview 97/44897/2
authorNicole Cordes <typo3@cordes.co>
Sun, 22 Nov 2015 12:03:36 +0000 (13:03 +0100)
committerNicole Cordes <typo3@cordes.co>
Sun, 22 Nov 2015 17:56:16 +0000 (18:56 +0100)
This patch adds a check that the backend user used for workspace
authentication has access to the currently requested page. If the user
doesn't have access, the workspace version of that page can't be displayed
and the live version is shown instead.

Resolves: #71734
Releases: master, 6.2
Change-Id: I66b79f9ee36ed3037729dceedd9410ccd85880f4
Reviewed-on: https://review.typo3.org/44897
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
typo3/sysext/version/Classes/Hook/PreviewHook.php

index 232edc6..b5d550e 100644 (file)
@@ -112,7 +112,12 @@ class PreviewHook implements \TYPO3\CMS\Core\SingletonInterface {
                // if there is a valid BE user, and the full workspace should be
                // previewed, the workspacePreview option shouldbe set
                $workspaceUid = $this->previewConfiguration['fullWorkspace'];
-               if ($pObj->beUserLogin && is_object($params['BE_USER']) && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($workspaceUid)) {
+               if (
+                       $pObj->beUserLogin
+                       && is_object($params['BE_USER'])
+                       && \TYPO3\CMS\Core\Utility\MathUtility::canBeInterpretedAsInteger($workspaceUid)
+                       && $params['BE_USER']->isInWebMount($pObj->id)
+               ) {
                        if ($workspaceUid == 0 || $workspaceUid >= -1 && $params['BE_USER']->checkWorkspace($workspaceUid)) {
                                // Check Access to workspace. Live (0) is OK to preview for all.
                                $pObj->workspacePreview = (int)$workspaceUid;
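Review bot: The comment above the condition still lists only the backend-user and fullWorkspace requirements, so the new authorization check `&& $params['BE_USER']->isInWebMount($pObj->id)` is undocumented; I would extend it with something like `// the user must also have the requested page inside one of their web mounts, otherwise the live version is rendered`. Because a failed check falls back silently to live content, it is also worth confirming that `$pObj->id` is already a resolved numeric page uid when this hook runs. The hunk does not show that, and if the value can still be an alias or unset, the check would presumably deny preview to every user rather than only to those without access. The enclosing method starts and ends outside the hunk, so it is not visible here whether other preview paths in it apply the same web-mount check.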