-
By forging edit URLs it was possible to edit meta data records of files which were not within a user mount. Implement several hooks to check access to the file and only grant access to a meta data record if the user has access to the file. Resolves: #56644 Releases: master, 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-002 Change-Id: I0f0704af2e7f01d16b9420f9ba4ac1a7846b5270 Reviewed-on: http://review.typo3.org/40804 Reviewed-by: Benjamin Mack <benni@typo3.org> Tested-by: Benjamin Mack <benni@typo3.org> Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
d3c9706c