-
Morton Jonuschat authored
Instead of passing the simple value "1" to QueryGenerator->getTreeList() use a page permission clause created using $BE_USER->getPagePermsClause() when determining the recursive storage pids. Passing the unprocessed value "1" causes invalid SQL statements and does not perform any access checks. Releases: master, 7.6 Resolves: #75912 Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14 Reviewed-on: https://review.typo3.org/48220 Reviewed-by: Markus Klein <markus.klein@typo3.org> Tested-by: Markus Klein <markus.klein@typo3.org> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Tested-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de> Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
5b4563b2