Index: typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php	(date 1529703676000)
+++ typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php	(revision )
@@ -1307,6 +1307,22 @@
         $this->groupData['webmounts'] = implode(',', array_unique($mountPointUids));
     }
 
+
+    /**
+     * Checks that the user is not admin AND does not include ROOT mountpoint (0) if multiple mountpoint are set
+     */
+    public function cleanWebmounts() {
+        if (!$this->isAdmin()){
+            $currentWebMounts = array_unique(GeneralUtility::intExplode(',', $this->dataLists["webmount_list"]));
+            foreach ($currentWebMounts AS $key => $pid) {
+                if ($pid === 0) {
+                    unset($currentWebMounts[$key]);
+                }
+            }
+            $this->dataLists["webmount_list"] = implode(',', array_unique($currentWebMounts));
+        }
+    }
+
     /**
      * Returns TRUE or FALSE, depending if an alert popup (a javascript confirmation) should be shown
      * call like $GLOBALS['BE_USER']->jsConfirmation($BITMASK).
@@ -1563,6 +1579,9 @@
                 }
             }
         }
+
+        $this->cleanWebmounts();
+
         // HOOK: fetchGroups_postProcessing
         foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['fetchGroups_postProcessing'] ?? [] as $_funcRef) {
             $_params = [];