TYPO3 Core

• if you configure "limited usere" whith "be_users -> workspace_perms is set to 1" in the live workspace works correctly but in draft workspace not. But I still wouldn't want to give the limited publisher access to the live worskpace. This confirms that this is a bug!

I have identified a possible solution in the BackendUserAuthentication.php class, I am attaching the patch.
On a platform with a complex workspace configuration it works.
I need someone can help me in code rewiev to be able to integrate it into the core.

use TYPO3\CMS\Core\Utility\RootlineUtility;

    protected function initializeDbMountpointsInWorkspace()
    {
        $dbMountpoints = trim($this->workspaceRec['db_mountpoints'] ?? '');
        if ($this->workspace > 0 && $dbMountpoints != '') {
            $filteredDbMountpoints = [];
            // Notice: We cannot call $this->getPagePermsClause(1);
            // as usual because the group-list is not available at this point.
            // But bypassing is fine because all we want here is check if the
            // workspace mounts are inside the current webmounts rootline.
            // The actual permission checking on page level is done elsewhere
            // as usual anyway before the page tree is rendered.
            $readPerms = '1=1';
            // Traverse mount points of the

            //PATCH START ------------------------------------------------------------------

            //Workspace DB mount
            $wsWebmounts = implode(',', GeneralUtility::intExplode(',', $this->workspaceRec['db_mountpoints']));

            //User DB mount
            $userMounts = $this->dataLists['webmount_list'];

            $wsArr = GeneralUtility::intExplode(',', $wsWebmounts);

            $userArrTemp = GeneralUtility::intExplode(',', $userMounts);

            foreach ($userArrTemp as $k => $v) {
                $entryPointRootLine[$k] = GeneralUtility::makeInstance(RootlineUtility::class, $v)->get();
            }

            foreach ($entryPointRootLine as $k => $v) {
                foreach ($v as $k => $v1) {
                    $newArr[] = $v1["uid"];
                }

                foreach ($wsArr as $v) {
                    if (!in_array($v, $newArr)) {
                        if (($key = array_search($newArr[0], $userArrTemp)) !== false) {
                            unset($userArrTemp[$key]);
                        }
                    }
                }

                unset($newArr);
            }

            $wsArr = array_merge($wsArr,$userArrTemp);

            $dbMountpoints = implode(',', $wsArr);

            //PATCH END ------------------------------------------------------------------
            $dbMountpoints = GeneralUtility::intExplode(',', $dbMountpoints);
            foreach ($dbMountpoints as $mpId) {
                if ($this->isInWebMount($mpId, $readPerms)) {
                    $filteredDbMountpoints[] = $mpId;
                }
            }
            // Re-insert webmounts:
            $filteredDbMountpoints = array_unique($filteredDbMountpoints);
            $this->groupData['webmounts'] = implode(',', $filteredDbMountpoints);
        }
    }

Can anyone help me? :)

Additional info:

• I found that if you leave the db mount blank in the workspace it works.
• But this remains a problem if a limited editor accesses N workspaces because they would see all the trees even those of other workspaces.
• I think this is a problem that needs to be seriously addressed.

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/66206