[BUGFIX] Add module access check to module dispatcher 37/35137/3
authorHelmut Hummel <helmut.hummel@typo3.org>
Sun, 7 Dec 2014 20:38:22 +0000 (21:38 +0100)
committerFrank Nägler <typo3@naegler.net>
Sun, 7 Dec 2014 21:28:54 +0000 (22:28 +0100)
Recent merges removed the module access check in some
modules while removing the need to have a conf.php file.

This change now adds it to a central place in mod.php,
with the benefit that access checks can no longer be bypassed,
not even in third-party modules, when using mod.php.

Resolves: #63648
Releases: master, 6.2
Change-Id: I5a876a7b46434f5d4c16ff895973826f4066ccab
Reviewed-on: http://review.typo3.org/35137
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Reviewed-by: Frank Nägler <typo3@naegler.net>
Tested-by: Frank Nägler <typo3@naegler.net>
typo3/mod.php

index 182e6f7..cefad82 100644 (file)
@@ -21,22 +21,28 @@ require __DIR__ . '/init.php';
 // Find module path:
 $moduleName = (string)\TYPO3\CMS\Core\Utility\GeneralUtility::_GET('M');
 $isDispatched = FALSE;
-$formprotection = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get();
-if (!$formprotection->validateToken(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('moduleToken'), 'moduleCall', $moduleName)) {
+$formProtection = \TYPO3\CMS\Core\FormProtection\FormProtectionFactory::get();
+if (!$formProtection->validateToken(\TYPO3\CMS\Core\Utility\GeneralUtility::_GP('moduleToken'), 'moduleCall', $moduleName)) {
        throw new UnexpectedValueException('Invalid form/module token detected. Access Denied!', 1392409507);
 }
-if ($temp_path = $TBE_MODULES['_PATHS'][$moduleName]) {
-       $MCONF['_'] = \TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl($moduleName);
+if ($temp_path = $GLOBALS['TBE_MODULES']['_PATHS'][$moduleName]) {
+       $GLOBALS['MCONF']['_'] = \TYPO3\CMS\Backend\Utility\BackendUtility::getModuleUrl($moduleName);
        if (file_exists($temp_path . 'conf.php')) {
                require $temp_path . 'conf.php';
+               $moduleConfiguration = $GLOBALS['MCONF'];
+       } else {
+               $moduleConfiguration = $GLOBALS['TBE_MODULES']['_configuration'][$moduleName];
+       }
+       if (!empty($moduleConfiguration['access'])) {
+               $GLOBALS['BE_USER']->modAccess($moduleConfiguration, TRUE);
        }
 
        $BACK_PATH = '';
        require $temp_path . 'index.php';
        $isDispatched = TRUE;
 } else {
-       if (is_array($TBE_MODULES['_dispatcher'])) {
-               foreach ($TBE_MODULES['_dispatcher'] as $dispatcherClassName) {
+       if (is_array($GLOBALS['TBE_MODULES']['_dispatcher'])) {
+               foreach ($GLOBALS['TBE_MODULES']['_dispatcher'] as $dispatcherClassName) {
                        $dispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\Object\ObjectManager::class)->get($dispatcherClassName);
                        if ($dispatcher->callModule($moduleName) === TRUE) {
                                $isDispatched = TRUE;
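Review bot: The new guard in the `_PATHS` branch fails open: when `$moduleConfiguration['access']` is empty, or the `_configuration` entry for `$moduleName` is missing altogether, `modAccess()` is never called and `index.php` is still required. If that is intentional for modules that declare no restriction, say so at the guard, e.g. `// No 'access' entry: module is open to every authenticated backend user`; otherwise a missing configuration should be treated as a denial rather than a pass. The `else` branch still hands `$moduleName` to each `_dispatcher` entry without this central check, so dispatched modules presumably depend on the dispatcher's own access check, which is not visible here and is worth confirming against the commit message's claim. The `foreach` body continues past the end of the hunk.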