Commit 88dbb594 authored by Tymoteusz Motylewski's avatar Tymoteusz Motylewski Committed by Richard Haeser

[BUGFIX] Reintroduce filtering out non accessible pages on query time

Filter out pages the user has no access to at query time in the page tree.
This patch reintroduces a change which was reverted with
https://review.typo3.org/c/Packages/TYPO3.CMS/+/64369

Resolves: #91221
Related: #90880
Related: #91348
Releases: master, 10.4, 9.5
Change-Id: Id90752c331bc6fc12b0d3a7d047adacf08cb7804
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64639


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Richard Haeser's avatarRichard Haeser <richard@maxserv.com>
Reviewed-by: Richard Haeser's avatarRichard Haeser <richard@maxserv.com>
parent 36a0dc60
......@@ -23,7 +23,9 @@ use TYPO3\CMS\Backend\Configuration\BackendUserConfiguration;
use TYPO3\CMS\Backend\Tree\Repository\PageTreeRepository;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Database\Query\Restriction\DocumentTypeExclusionRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\PagePermissionRestriction;
use TYPO3\CMS\Core\Exception\Page\RootLineException;
use TYPO3\CMS\Core\Exception\SiteNotFoundException;
use TYPO3\CMS\Core\Http\JsonResponse;
......@@ -371,6 +373,7 @@ class TreeController
if (!empty($excludedDocumentTypes)) {
$additionalQueryRestrictions[] = GeneralUtility::makeInstance(DocumentTypeExclusionRestriction::class, $excludedDocumentTypes);
}
$additionalQueryRestrictions[] = GeneralUtility::makeInstance(PagePermissionRestriction::class, GeneralUtility::makeInstance(Context::class)->getAspect('backend.user'), Permission::PAGE_SHOW);
$repository = GeneralUtility::makeInstance(
PageTreeRepository::class,
......@@ -416,10 +419,7 @@ class TreeController
}
}
$entryPoint = $repository->getTree($entryPoint, function ($page) use ($backendUser) {
// Check each page if the user has permission to access it
return $backendUser->doesUserHaveAccess($page, Permission::PAGE_SHOW);
});
$entryPoint = $repository->getTree($entryPoint, null, $entryPoints);
if (!is_array($entryPoint)) {
unset($entryPoints[$k]);
}
......
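Review bot: With the `doesUserHaveAccess()` closure removed from the `getTree()` call, the `PagePermissionRestriction` pushed onto `$additionalQueryRestrictions` becomes the only place PAGE_SHOW is enforced for the tree, and nothing at the call site says so. The restriction reads the user from `Context::getAspect('backend.user')` while the removed closure used `$backendUser`; the hunks do not show that both always describe the same user, so that is worth confirming. I would add a comment above the call such as `// PAGE_SHOW is enforced at query time by PagePermissionRestriction, so no per-page callback is passed`, and add a functional test for a page without PAGE_SHOW below a mount. The surrounding method starts and ends outside the visible hunks.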
......@@ -17,6 +17,7 @@ declare(strict_types=1);
namespace TYPO3\CMS\Backend\Tree\Repository;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
......@@ -120,9 +121,9 @@ class PageTreeRepository
* @param callable $callback a callback to be used to check for permissions and filter out pages not to be included.
* @return array
*/
public function getTree(int $entryPoint, callable $callback = null): array
public function getTree(int $entryPoint, callable $callback = null, array $dbMounts = []): array
{
$this->fetchAllPages();
$this->fetchAllPages($dbMounts);
if ($entryPoint === 0) {
$tree = $this->fullPageTree;
} else {
......@@ -159,7 +160,7 @@ class PageTreeRepository
*
* @return array the full page tree of the whole installation
*/
protected function fetchAllPages(): array
protected function fetchAllPages($dbMounts): array
{
if (!empty($this->fullPageTree)) {
return $this->fullPageTree;
......@@ -187,6 +188,19 @@ class PageTreeRepository
->execute()
->fetchAll();
$ids = array_column($pageRecords, 'uid');
foreach ($dbMounts as $mount) {
$entryPointRootLine = BackendUtility::BEgetRootLine($mount, '', false, $this->fields);
foreach ($entryPointRootLine as $page) {
$pageId = (int)$page['uid'];
if (in_array($pageId, $ids) || $pageId === 0) {
continue;
}
$pageRecords[] = $page;
$ids[] = $pageId;
}
}
$livePagePids = [];
$movePlaceholderData = [];
// This is necessary to resolve all IDs in a workspace
......
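Review bot: The rootline records appended in `fetchAllPages()` come from `BackendUtility::BEgetRootLine($mount, '', false, $this->fields)` after the main query has run, so they enter `$pageRecords` without passing whatever restrictions were applied to that query. That looks intentional, to connect each mount to the tree, but it should be stated in a comment, and it is worth confirming that these ancestor records are never returned to a user who lacks PAGE_SHOW on them. The early return on a non-empty `$this->fullPageTree` also means `$dbMounts` is ignored on every call after the first. The new parameter is untyped and mandatory and the `getTree()` docblock does not mention it; `protected function fetchAllPages(array $dbMounts = []): array` plus a `@param array $dbMounts` line would keep existing subclasses working. The function body continues outside the hunk.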