[BUGFIX] BE checkFullLanguagesAccess check all translated records 59/58759/2
authorUrsula Klinger <klinger@punkt.de>
Sun, 28 Oct 2018 12:26:27 +0000 (13:26 +0100)
committerBenni Mack <benni@typo3.org>
Sun, 28 Oct 2018 14:06:27 +0000 (15:06 +0100)
All translated records are checked for language access in the method
checkFullLanguagesAccess of BackendUserAuthentication

Resolves: #86778
Releases: master, 8.7
Change-Id: I9c0101507c741471a8537a92329a9a66b78fa559
Reviewed-on: https://review.typo3.org/58759
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

index 93f77ae..2aee84a 100644 (file)
@@ -755,8 +755,11 @@ class BackendUserAuthentication extends AbstractUserAuthentication
      */
     public function checkFullLanguagesAccess($table, $record)
     {
-        $recordLocalizationAccess = $this->checkLanguageAccess(0);
-        if ($recordLocalizationAccess && BackendUtility::isTableLocalizable($table)) {
+        if (!$this->checkLanguageAccess(0)) {
+            return false;
+        }
+
+        if (BackendUtility::isTableLocalizable($table)) {
             $pointerField = $GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField'];
             $pointerValue = $record[$pointerField] > 0 ? $record[$pointerField] : $record['uid'];
             $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($table);
@@ -764,7 +767,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
                 ->removeAll()
                 ->add(GeneralUtility::makeInstance(DeletedRestriction::class))
                 ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
-            $recordLocalization = $queryBuilder->select('*')
+            $recordLocalizations = $queryBuilder->select('*')
                 ->from($table)
                 ->where(
                     $queryBuilder->expr()->eq(
@@ -772,18 +775,16 @@ class BackendUserAuthentication extends AbstractUserAuthentication
                         $queryBuilder->createNamedParameter($pointerValue, \PDO::PARAM_INT)
                     )
                 )
-                ->setMaxResults(1)
                 ->execute()
-                ->fetch();
+                ->fetchAll();
 
-            if (is_array($recordLocalization)) {
-                $languageAccess = $this->checkLanguageAccess(
-                    $recordLocalization[$GLOBALS['TCA'][$table]['ctrl']['languageField']]
-                );
-                $recordLocalizationAccess = $recordLocalizationAccess && $languageAccess;
+            foreach ($recordLocalizations as $recordLocalization) {
+                if (!$this->checkLanguageAccess($recordLocalization[$GLOBALS['TCA'][$table]['ctrl']['languageField']])) {
+                    return false;
+                }
             }
         }
-        return $recordLocalizationAccess;
+        return true;
     }
 
     /**