Bug #91918
Closed
Access to a sub-branch of a workspace for a “limited user”
100%
Description
To reproduce:
- Create a workspace which can access all the page trees (db mount all tree)
- Create a non-administrator user (for example an advanced editor) (with the respective backend group), who can access LIVE and access all the page trees
- Create a non-administrator user (for example a limited editor) (with the respective backend group), who cannot access LIVE and access only a sub-branch page tree of the workspace (user db mount only a sub-branch).
- When the limited editor accesses his DRAFT workspace no page tree is displayed
- The error “Page tree error Got unexpected response from the server. Please check logs for details.” appears
- This problem has been reproduced on versions 10.4.6, 9.5.20, 8.7.32 (even earlier)
- The only way to solve the problem is to also add to the workspace db mount the page tree that the “limited editor” has access to (same db mount as the user), but this is a wrong way of proceeding that generates collateral problems (for example https://forge.typo3.org/issues/91594) and performance problems.
Updated by Danilo Caccialanza almost 4 years ago
- Related to Bug #91594: Double page tree when be user editor access a single branch of the workspace added
Updated by Danilo Caccialanza almost 4 years ago
- Related to Bug #91594: Double page tree when be user editor access a single branch of the workspace added
Updated by Danilo Caccialanza almost 4 years ago
- Related to deleted (Bug #91594: Double page tree when be user editor access a single branch of the workspace)
Updated by Danilo Caccialanza almost 4 years ago
- If you configure the "limited user" with "be_users -> workspace_perms is set to 1", it works correctly in the live workspace but not in the draft workspace. But I still wouldn't want to give the limited publisher access to the live workspace. This confirms that this is a bug!
Updated by Danilo Caccialanza almost 4 years ago
I have identified a possible solution in the BackendUserAuthentication.php class; I am attaching the patch.
On a platform with a complex workspace configuration it works.
I need someone who can help me with code review to be able to integrate it into the core.
    use TYPO3\CMS\Core\Utility\RootlineUtility;

    protected function initializeDbMountpointsInWorkspace()
    {
        $dbMountpoints = trim($this->workspaceRec['db_mountpoints'] ?? '');
        if ($this->workspace > 0 && $dbMountpoints != '') {
            $filteredDbMountpoints = [];
            // Notice: We cannot call $this->getPagePermsClause(1);
            // as usual because the group-list is not available at this point.
            // But bypassing is fine because all we want here is check if the
            // workspace mounts are inside the current webmounts rootline.
            // The actual permission checking on page level is done elsewhere
            // as usual anyway before the page tree is rendered.
            $readPerms = '1=1';
            // Traverse mount points of the
            //PATCH START ------------------------------------------------------------------
            // Workspace DB mounts
            $wsArr = GeneralUtility::intExplode(',', $this->workspaceRec['db_mountpoints']);
            // User DB mounts
            $userArrTemp = GeneralUtility::intExplode(',', $this->dataLists['webmount_list']);
            foreach ($userArrTemp as $mountKey => $userMount) {
                // Collect the page UIDs on the rootline of this user mount,
                // in the order RootlineUtility returns them.
                $rootlineUids = [];
                foreach (GeneralUtility::makeInstance(RootlineUtility::class, $userMount)->get() as $page) {
                    $rootlineUids[] = $page['uid'];
                }
                if ($rootlineUids === []) {
                    // No rootline to compare against: no workspace mount can be on it.
                    unset($userArrTemp[$mountKey]);
                    continue;
                }
                // A user mount is removed as soon as one workspace mount
                // is not on its rootline.
                foreach ($wsArr as $wsMount) {
                    if (!in_array($wsMount, $rootlineUids)) {
                        if (($key = array_search($rootlineUids[0], $userArrTemp)) !== false) {
                            unset($userArrTemp[$key]);
                        }
                    }
                }
            }
            // Workspace mounts plus the user mounts that survived the check above
            $wsArr = array_merge($wsArr, $userArrTemp);
            $dbMountpoints = implode(',', $wsArr);
            //PATCH END ------------------------------------------------------------------
            $dbMountpoints = GeneralUtility::intExplode(',', $dbMountpoints);
            foreach ($dbMountpoints as $mpId) {
                if ($this->isInWebMount($mpId, $readPerms)) {
                    $filteredDbMountpoints[] = $mpId;
                }
            }
            // Re-insert webmounts:
            $filteredDbMountpoints = array_unique($filteredDbMountpoints);
            $this->groupData['webmounts'] = implode(',', $filteredDbMountpoints);
        }
    }
Can anyone help me? :)
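
A self-contained model of the mount filtering discussed in this issue, added here as an example; it is not TYPO3 code and not the attached patch. It contrasts keeping only workspace mounts that lie inside the user's mounts with taking the intersection of both scopes, so the result never exceeds either the workspace or the user mounts. The page tree, UIDs and function names are constructed for illustration (PHP 7.4+).

```php
<?php
declare(strict_types=1);

// Constructed page tree (uid => parent uid); 0 is the root. Not real TYPO3 data.
const PARENT_OF = [1 => 0, 10 => 1, 11 => 10, 12 => 10, 20 => 1, 21 => 20];

/** UIDs from $uid up to the root, the page itself first. */
function rootlineUids(int $uid): array
{
    $line = [];
    while ($uid !== 0 && array_key_exists($uid, PARENT_OF)) {
        $line[] = $uid;
        $uid = PARENT_OF[$uid];
    }
    return $line;
}

/** True when $uid is one of $mounts or lies below one of them. */
function isInsideAny(int $uid, array $mounts): bool
{
    return array_intersect(rootlineUids($uid), $mounts) !== [];
}

/** Keep only workspace mounts that lie inside the user's mounts. */
function workspaceMountsInsideUserMounts(array $wsMounts, array $userMounts): array
{
    return array_values(array_filter($wsMounts, fn(int $m): bool => isInsideAny($m, $userMounts)));
}

/** Intersection of both scopes: also keep user mounts that lie inside a workspace mount. */
function effectiveMounts(array $wsMounts, array $userMounts): array
{
    $fromUser = array_filter($userMounts, fn(int $m): bool => isInsideAny($m, $wsMounts));
    return array_values(array_unique(array_merge(
        workspaceMountsInsideUserMounts($wsMounts, $userMounts),
        $fromUser
    )));
}

// Constructed cases: label => [workspace mounts, user mounts]
$cases = [
    'advanced editor, whole tree'           => [[1], [1]],
    'limited editor, sub-branch 10'         => [[1], [10]],
    'two workspace mounts, user inside one' => [[10, 20], [21]],
    'user mount outside the workspace'      => [[10], [20]],
];
foreach ($cases as $label => [$ws, $user]) {
    printf("%-40s ws-only=[%s] effective=[%s]\n", $label,
        implode(',', workspaceMountsInsideUserMounts($ws, $user)),
        implode(',', effectiveMounts($ws, $user)));
}
```

The "limited editor" case is the one from the description: the workspace-only filter leaves no mount at all, while the intersection yields just the sub-branch.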
Updated by Danilo Caccialanza almost 4 years ago
Additional info:
- I found that if you leave the db mount blank in the workspace it works.
- But this remains a problem if a limited editor accesses N workspaces, because they would see all the trees, even those of other workspaces.
- I think this is a problem that needs to be seriously addressed.
Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65755
Updated by Gerrit Code Review over 3 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/66206
Updated by Danilo Caccialanza over 3 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 51c8f20b7ea17f25e6ca8dc4e914e44c64d391c5.