Bug #102622
closed
Backend module List throws exception when no languages are allowed for user
100%
Description
What is happening¶
- A language-restricted user clicks on the List module in the backend.
- In the page tree, the user selects a folder page that is not a child of a site root node.
- An exception occurs because the SQL query contains a WHERE clause
sys_language_uid IN ()
An exception occurred while executing 'SELECT COUNT(*) FROM `pages` WHERE (`sys_language_uid` IN ()) AND (`pages`.`pid` = ?) AND ( ((`pages`.`perms_everybody` & 1 = 1) OR ((`pages`.`perms_userid` = 3) AND (`pages`.`perms_user` & 1 = 1)) OR ((`pages`.`perms_groupid` IN (1)) AND (`pages`.`perms_group` & 1 = 1)))) AND (`l10n_parent` = ?) AND ((`pages`.`deleted` = 0) AND ((`pages`.`t3ver_wsid` = 0) AND ((`pages`.`t3ver_oid` = 0) OR (`pages`.`t3ver_state` = 4)))) LIMIT 1' with params [0, 2]: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')) AND (`pages`.`pid` = ?) AND ( ((`pages`.`perms_everybody` & 1 = 1) OR ((`p...' at line 1
What is going wrong¶
- The RecordListController sets the allowed languages to the site languages.
- As there is no site for this folder, the dummy site only supplies the default language 0.
- If the user cannot see the default language, this results in an empty siteLanguages array.
- The module wants to show the page translations, so it initializes a DatabaseRecordList object with showOnlyTranslatedRecords set to true.
DatabaseRecordList::getQueryBuildersees this configuration and wants to filter by the languages allowed for the user.- Using an IN operator with an empty list is famously impossible in SQL.
What could fix this¶
- The simplest fix would be to not apply the query constraint if the languagesAllowedForUser are empty. But, this could allow users who are restricted to certain languages to see information about translated pages which are not in their allowed languages. This only happens for translated pages which were moved into an area of the page tree not covered by a site.
- DatabaseRecordList could add an impossible constraint like 1=2 to the query, ensuring 0 result rows. The user cannot see any page translations then, even if they are in a language they are allowed to see normally.
(Hah, just noticed this: admins can see all languages, which means they only see the default language (0) in the NullSite...)
A mostly-automatic reproduction can be found here: https://github.com/fwg/typo3-bugs/tree/forge/102622
Updated by Friedemann Altrock 5 months ago
I'm working on a semi-automated reproduction which can test this in multiple TYPO3 versions.
Updated by Gerrit Code Review 5 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82142
Updated by Gerrit Code Review 5 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82142
Updated by Gerrit Code Review 3 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/82142
Updated by Gerrit Code Review 2 months ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83235
Updated by Anonymous 2 months ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset ab73703802ad9ee786c7f0fcfb1f34a3d96d35d2.