Commit 7879a3de authored by Oliver Bartsch

[BUGFIX] Avoid parameter collision in IndexedSearch

The action to delete an indexed item in the IndexedSearch
backend module used the "id" parameter to pass the indexed
item id to the method. The controller is based on extbase and
previously, those parameters were prefixed with the plugin
namespace. However, with #97096 the parameters in extbase
backend modules are no longer prefixed by default, which therefore
led to a collision. The "id" parameter should always represent
the currently selected page; underlying code performs access
checks on this value.

This is now resolved by using a dedicated parameter, which
is not already "reserved" by underlying functionality.

Resolves: #97766
Related: #97096
Releases: main
Change-Id: If7ccb1dfbdad6f907eb4f27187eb7eb9b753e9dc
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74885

Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
parent 68c6dd05
......@@ -488,13 +488,13 @@ class AdministrationController extends ActionController
/**
* Remove item from index
*
* @param string $id
* @param string $itemId
* @param int $depth
* @param string $mode
*/
protected function deleteIndexedItemAction($id, $depth = 1, $mode = 'overview'): ResponseInterface
protected function deleteIndexedItemAction($itemId, $depth = 1, $mode = 'overview'): ResponseInterface
{
$this->administrationRepository->removeIndexedPhashRow($id, $this->pageUid, $depth);
$this->administrationRepository->removeIndexedPhashRow($itemId, $this->pageUid, $depth);
return $this->redirect('statistic', null, null, ['depth' => $depth, 'mode' => $mode]);
}
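Review bot: `deleteIndexedItemAction` still declares `$itemId`, `$depth` and `$mode` without native types, although the docblock documents them as `string`, `int` and `string`. Since the signature line is being changed anyway, consider typing it as `string $itemId, int $depth = 1, string $mode = 'overview'` so the values are constrained at the action boundary before `$itemId` reaches `removeIndexedPhashRow()`. The docblock could also state that `$itemId` is either a phash or the literal 'ALL', which is what the two template links in this change pass, and that "id" is deliberately avoided because it is reserved for the selected page.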
......
......@@ -35,7 +35,7 @@
<tr>
<th></th>
<th>
<a href="{f:uri.action(action:'deleteIndexedItem', arguments:'{id:\'ALL\', depth:depth, mode:mode}')}" title="{f:translate(key:'administration.removeAllEntries')}">
<a href="{f:uri.action(action:'deleteIndexedItem', arguments:'{itemId:\'ALL\', depth:depth, mode:mode}')}" title="{f:translate(key:'administration.removeAllEntries')}">
<core:icon identifier="actions-edit-delete" />
</a>
</th>
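Review bot: the header link passes `itemId:'ALL'` to `deleteIndexedItem` from a plain `<a href>`, so as far as this hunk shows, a single GET to that URI removes all entries without a confirmation step. The rename is a good moment to put a confirmation in front of this link or to submit the action from a form instead of a link, so the bulk removal cannot be triggered by simply following a URL. It would also help to note in the commit message that the action still scopes the removal through `$this->pageUid`, since that is the value the access checks are meant to protect.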
......@@ -80,7 +80,7 @@
<f:if condition="{i.index} == 0"> {line.row.title}</f:if>
</td>
<td>
<a href="{f:uri.action(action:'deleteIndexedItem',arguments:'{id:l.phash,depth:depth,mode:mode}')}" title="{f:translate(key:'administration.removeEntry')}">
<a href="{f:uri.action(action:'deleteIndexedItem',arguments:'{itemId:l.phash,depth:depth,mode:mode}')}" title="{f:translate(key:'administration.removeEntry')}">
<core:icon identifier="actions-edit-delete" />
</a>
</td>
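Review bot: the `arguments` map of the per-row link is written without spaces (`{itemId:l.phash,depth:depth,mode:mode}`), while the header link earlier in this change uses `{itemId:\'ALL\', depth:depth, mode:mode}`. Aligning the spacing while this line is touched keeps both `deleteIndexedItem` links greppable with one pattern. The link reads `l.phash` although the neighbouring cell uses `line.row.title`; if `l` is not a separate loop variable outside this hunk, the argument would be empty, so that is worth a quick check in the backend module.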
......