Commit a39765e0 authored by Oliver Bartsch's avatar Oliver Bartsch

[BUGFIX] Prevent undefined array key access in modAccess()

This fixes a couple of undefined array key accesses
in BackendUserAuthentication->modAccess().

Besides, the code is a bit simplified and some
comments are added / fixed.

Resolves: #95560
Releases: master
Change-Id: I0fb20e1b9783fb770ff344bc0b4dc339f4a2ad50
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71529


Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Jochen's avatarJochen <rothjochen@gmail.com>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen's avatarJochen <rothjochen@gmail.com>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Nikita Hovratov's avatarNikita Hovratov <nikita.h@live.de>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
parent eef89fac
......@@ -400,8 +400,9 @@ class BackendUserAuthentication extends AbstractUserAuthentication
*/
public function modAccess($conf)
{
if (!BackendUtility::isModuleSetInTBE_MODULES($conf['name'])) {
throw new \RuntimeException('Fatal Error: This module "' . $conf['name'] . '" is not enabled in TBE_MODULES', 1294586446);
$moduleName = $conf['name'] ?? '';
if (!BackendUtility::isModuleSetInTBE_MODULES($moduleName)) {
throw new \RuntimeException('Fatal Error: This module "' . $moduleName . '" is not enabled in TBE_MODULES', 1294586446);
}
// Workspaces check:
if (
......@@ -410,25 +411,26 @@ class BackendUserAuthentication extends AbstractUserAuthentication
&& ($this->workspace !== 0 || !GeneralUtility::inList($conf['workspaces'], 'online'))
&& ($this->workspace <= 0 || !GeneralUtility::inList($conf['workspaces'], 'custom'))
) {
throw new \RuntimeException('Workspace Error: This module "' . $conf['name'] . '" is not available under the current workspace', 1294586447);
throw new \RuntimeException('Workspace Error: This module "' . $moduleName . '" is not available under the current workspace', 1294586447);
}
// Returns false if conf[access] is set to system maintainers and the user is system maintainer
if (strpos($conf['access'], self::ROLE_SYSTEMMAINTAINER) !== false && !$this->isSystemMaintainer()) {
throw new \RuntimeException('This module "' . $conf['name'] . '" is only available as system maintainer', 1504804727);
// Throws exception if conf[access] is set to system maintainer and the user is no system maintainer
if (str_contains($conf['access'] ?? '', self::ROLE_SYSTEMMAINTAINER) && !$this->isSystemMaintainer()) {
throw new \RuntimeException('This module "' . $moduleName . '" is only available as system maintainer', 1504804727);
}
// Returns TRUE if conf[access] is not set at all or if the user is admin
if (!$conf['access'] || $this->isAdmin()) {
if (!($conf['access'] ?? false) || $this->isAdmin()) {
return true;
}
// If $conf['access'] is set but not with 'admin' then we return TRUE, if the module is found in the modList
$acs = false;
if (strpos($conf['access'], 'admin') === false && $conf['name']) {
$acs = $this->check('modules', $conf['name']);
if ($moduleName && !str_contains($conf['access'] ?? '', 'admin')) {
$acs = $this->check('modules', $moduleName);
}
if (!$acs) {
throw new \RuntimeException('Access Error: You don\'t have access to this module.', 1294586448);
}
return $acs;
// User has access (Otherwise an exception would haven been thrown)
return true;
}
/**
......
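Review bot: The early return `if (!($conf['access'] ?? false) || $this->isAdmin())` now treats a missing `access` key exactly like an empty one, so a module registered without that key is allowed for every backend user who passes the earlier checks, and the undefined-key warning that used to surface such a registration is gone. That fail-open default deserves an explicit comment above the check, for example `// No access restriction configured (key missing or empty, including '0'): any backend user passing the checks above is allowed; admins always pass`. The `self::ROLE_SYSTEMMAINTAINER` and `'admin'` tests are substring matches via `str_contains()`, while the workspace condition in the same method uses `GeneralUtility::inList()`; both appear to fail closed, but a short comment saying the substring match is intentional would help the next reader. The closing comment should read `// User has access (otherwise an exception would have been thrown)`. The method's docblock and the start of the workspace condition lie outside the visible hunks.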