Commit 5b4563b2 authored by Morton Jonuschat's avatar Morton Jonuschat

[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager

Instead of passing the simple value "1" to QueryGenerator->getTreeList(),
use a page permission clause created using $BE_USER->getPagePermsClause()
when determining the recursive storage pids. Passing the unprocessed value
"1" causes invalid SQL statements and does not perform any access checks.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220


Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters's avatarWouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters's avatarWouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: default avatarMorton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: default avatarMorton Jonuschat <m.jonuschat@mojocode.de>
parent 918ef519
......@@ -230,8 +230,9 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
$recursiveStoragePids = '';
$storagePids = \TYPO3\CMS\Core\Utility\GeneralUtility::intExplode(',', $storagePid);
$permsClause = $this->getBackendUser()->getPagePermsClause(1);
foreach ($storagePids as $startPid) {
$pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, 1);
$pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, $permsClause);
if ((string)$pids !== '') {
$recursiveStoragePids .= $pids . ',';
}
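Review bot: The literal `1` in `$this->getBackendUser()->getPagePermsClause(1)` on the line before the foreach is a permission bitmask whose meaning is not visible in the hunk; spelling it as the core constant `\TYPO3\CMS\Core\Type\Bitmask\Permission::PAGE_SHOW` (available in the 7.x core this targets) or adding `// 1 = page "show" permission of the current backend user` makes the access level being enforced explicit. A short comment on the loop such as `// getTreeList() only returns pages the backend user may read; inaccessible storage pids are silently dropped` would also document the behavioural change this introduces, since callers previously got every subpage. If this manager can run without an initialized backend user, `getBackendUser()` returning null would now fatal on the new line; I cannot tell from here whether that path exists, so this may be worth confirming against the CLI bootstrap. The enclosing method starts before the hunk.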
......@@ -239,4 +240,12 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
return rtrim($recursiveStoragePids, ',');
}
/**
* @return \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
*/
protected function getBackendUser()
{
return $GLOBALS['BE_USER'];
}
}
......@@ -13,6 +13,7 @@ namespace TYPO3\CMS\Extbase\Tests\Unit\Configuration;
*
* The TYPO3 project - inspiring people to share!
*/
use Prophecy\Prophecy\ObjectProphecy;
/**
* Test case
......@@ -337,6 +338,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
{
$storagePid = '1,2,3';
$recursive = 99;
/** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
$beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
$beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
$GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
/** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
$abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
$queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
......@@ -357,6 +364,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
{
$storagePid = '1,2,-3';
$recursive = 99;
/** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
$beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
$beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
$GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
/** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
$abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
$queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
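Review bot: Both new setup blocks (in the hunk at -337 and this one at -357) stub `getPagePermsClause(1)` to return `'1=1'` but nothing visible asserts that this string actually reaches `getTreeList()` as its fourth argument, so a regression back to passing `1` would still pass; the `$queryGenerator` expectation that follows outside the hunk should pin it, e.g. `->with(1, 99, 0, '1=1')` (or `$this->equalTo('1=1')` on the fourth argument) on the `getTreeList` mock. The assignment to `$GLOBALS['BE_USER']` is also not restored after the test, so unless the base `UnitTestCase` backs up and restores globals this leaks a revealed prophecy into later tests; resetting it in `tearDown()` or relying on a documented backup mechanism would keep the tests isolated. The enclosing test methods start before the hunks.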