Commit fb2740a2 authored by Tymoteusz Motylewski's avatar Tymoteusz Motylewski

[TASK] Tune permission checks in TreeController

Do not calculate permissions for every page, as we're limiting the pages
through SQL query constraints.

Fetch sys_language_uid and l10n_parent from db as they are required for
isInWebMount to prevent it from fetching row from db again.

Pass full row to isInWebMount in calcPerms instead of just uid.
isInWebMount has logic to handle translated records.

Resolves: #91037
Related: #90105
Releases: 9.5, master
Change-Id: I56dbaf3daa15aa8b6f0fc5e09b212aa34203a0b5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64175


Tested-by: default avatarTYPO3com <noreply@typo3.com>
Tested-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Tymoteusz Motylewski's avatarTymoteusz Motylewski <t.motylewski@gmail.com>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Reviewed-by: Tymoteusz Motylewski's avatarTymoteusz Motylewski <t.motylewski@gmail.com>
parent d517e43f
......@@ -416,10 +416,7 @@ class TreeController
}
}
$entryPoint = $repository->getTree($entryPoint, function ($page) use ($backendUser) {
// Check each page if the user has permission to access it
return $backendUser->doesUserHaveAccess($page, Permission::PAGE_SHOW);
});
$entryPoint = $repository->getTree($entryPoint);
if (!is_array($entryPoint)) {
unset($entryPoints[$k]);
}
......
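Review bot: With the closure removed, the `getTree($entryPoint)` call no longer checks `Permission::PAGE_SHOW` itself, so which pages appear in the tree depends entirely on the SQL constraints the commit message refers to, and those are not visible in this hunk. I would state that invariant next to the call, e.g. `// Access is enforced by the query constraints set on $repository, so no per-page callback is needed here`. A functional test would pin the behaviour: a non-admin user whose mount contains a page they may not show should not see that page in the tree. It is also worth confirming that every path that builds `$repository` earlier in this method applies the restriction; the method starts and ends outside the hunk.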
......@@ -72,6 +72,8 @@ class PageTreeRepository
'shortcut_mode',
'mount_pid_ol',
'url',
'sys_language_uid',
'l10n_parent',
];
/**
......
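Review bot: The two new entries `'sys_language_uid'` and `'l10n_parent'` carry no comment saying why a tree query needs language fields, so a later cleanup of this list could drop them and bring back the extra row lookup in `isInWebMount()` that the commit message describes. A comment above them such as `// needed by BackendUserAuthentication::isInWebMount() to handle translated pages without re-reading the row` would make the dependency explicit. The names are hard-coded here, while the line replaced in `calcPerms()` read the parent field from `$GLOBALS['TCA']['pages']['ctrl']['transOrigPointerField']`; that is probably fine for `pages`, but the comment could mention it. The array starts outside the hunk.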
......@@ -598,8 +598,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
return Permission::ALL;
}
// Return 0 if page is not within the allowed web mount
// Always do this for the default language page record
if (!$this->isInWebMount($row[$GLOBALS['TCA']['pages']['ctrl']['transOrigPointerField']] ?: $row)) {
if (!$this->isInWebMount($row)) {
return Permission::NOTHING;
}
$out = Permission::NOTHING;
......
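Review bot: The new `isInWebMount($row)` call makes this mount check depend on `$row` carrying the translation fields, and nothing in the hunk says so now that the "default language page record" comment is gone. A caller that passes a partial row would rely on whatever fallback `isInWebMount()` has, which is not visible here. I would keep a one-line comment such as `// isInWebMount() resolves translated rows to their default-language page itself`. Since this is an authorization decision, a test should assert that a translated page row whose `l10n_parent` lies outside the web mounts yields `Permission::NOTHING`. `calcPerms()` begins and ends outside the hunk.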