Commit 722ed796 authored by Benni Mack's avatar Benni Mack Committed by Georg Ringer
Browse files

[BUGFIX] Do not use page Permission class on non-page permissions

The database fields "be_users.options" ("Mount from groups") and
"be_users.workspace_perms" (Allow editing on live workspace) use
the Page Permission class for checks, which is semantically incorrect.

The patch adapts the according changes in BackendUserAuthentication.

Resolves: #92208
Releases: master
Change-Id: Iec805fbc3ff3a72cfcdbdb67e6868c4389e8e688
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65586


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring's avatarAnja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Georg Ringer's avatarGeorg Ringer <georg.ringer@gmail.com>
parent 43ca7030
......@@ -42,6 +42,7 @@ use TYPO3\CMS\Core\SysLog\Action as SystemLogGenericAction;
use TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;
use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
use TYPO3\CMS\Core\SysLog\Type as SystemLogType;
use TYPO3\CMS\Core\Type\Bitmask\BackendGroupMountOption;
use TYPO3\CMS\Core\Type\Bitmask\JsConfirmation;
use TYPO3\CMS\Core\Type\Bitmask\Permission;
use TYPO3\CMS\Core\Type\Exception\InvalidEnumerationValueException;
......@@ -1447,8 +1448,7 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
$this->userGroups[$row['uid']] = $row;
}
$permission = new Permission($this->user['options']);
$mountOptions = new BackendGroupMountOption((int)$this->user['options']);
// Traversing records in the correct order
foreach (explode(',', $grList) as $uid) {
// Get row:
......@@ -1465,11 +1465,11 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
// Add the group uid, current list to the internal arrays.
$this->includeGroupArray[] = $uid;
// Mount group database-mounts
if ($permission->showPagePermissionIsGranted()) {
if ($mountOptions->shouldUserIncludePageMountsFromAssociatedGroups()) {
$this->dataLists['webmount_list'] .= ',' . $row['db_mountpoints'];
}
// Mount group file-mounts
if ($permission->editPagePermissionIsGranted()) {
if ($mountOptions->shouldUserIncludeFileMountsFromAssociatedGroups()) {
$this->dataLists['filemount_list'] .= ',' . $row['file_mountpoints'];
}
// The lists are made: groupMods, tables_select, tables_modify, pagetypes_select, non_exclude_fields, explicit_allowdeny, allowed_languages, custom_options
......@@ -1708,7 +1708,8 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
}
// Mount group home-dirs
if ((new Permission($this->user['options'] ?? Permission::NOTHING))->editPagePermissionIsGranted() && $GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath'] != '') {
$mountOptions = new BackendGroupMountOption((int)$this->user['options']);
if ($GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath'] !== '' && $mountOptions->shouldUserIncludeFileMountsFromAssociatedGroups()) {
// If groupHomePath is set, we attempt to mount it
[$groupHomeStorageUid, $groupHomeFilter] = explode(':', $GLOBALS['TYPO3_CONF_VARS']['BE']['groupHomePath'], 2);
$groupHomeStorageUid = (int)$groupHomeStorageUid;
......@@ -2065,7 +2066,7 @@ TCAdefaults.sys_note.email = ' . $this->user['email'];
}
switch ((string)$wsRec['uid']) {
case '0':
$retVal = (new Permission($this->groupData['workspace_perms'] ?? Permission::NOTHING))->showPagePermissionIsGranted()
$retVal = (($this->groupData['workspace_perms'] ?? 0) & 1)
? array_merge($wsRec, ['_ACCESS' => 'online'])
: false;
break;
......
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\CMS\Core\Type\Bitmask;
use TYPO3\CMS\Core\Type\BitSet;
/**
* A class providing constants for bitwise operations on whether backend users
* should add / inherit the DB mounts / File Mounts from
*/
final class BackendGroupMountOption extends BitSet
{
private const INCLUDE_PAGE_MOUNTS = 1;
private const INCLUDE_FILE_MOUNTS = 2;
public function shouldUserIncludePageMountsFromAssociatedGroups(): bool
{
return $this->get(self::INCLUDE_PAGE_MOUNTS);
}
public function shouldUserIncludeFileMountsFromAssociatedGroups(): bool
{
return $this->get(self::INCLUDE_FILE_MOUNTS);
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment