Bug #100153

closed

ADMCMD_simUser vs. dumpFile-Link

Added by Philipp Kitzberger over 1 year ago. Updated 4 months ago.

Status: Closed
Priority: Could have
Assignee: -
Category: -
Target version: -
Start date: 2023-03-13
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When previewing an access-protected page (with GET parameter ADMCMD_simUser on the URL) this parameter seems not to be attached to the "dumpFile" URL that is being created for non-public files via EXT:core/Classes/Resource/ResourceStorage.php#L1404-L1417:

    if ($publicUrl === null && $resourceObject instanceof FileInterface) {
        $queryParameterArray = ['eID' => 'dumpFile', 't' => ''];
        if ($resourceObject instanceof File) {
            $queryParameterArray['f'] = $resourceObject->getUid();
            $queryParameterArray['t'] = 'f';
        } elseif ($resourceObject instanceof ProcessedFile) {
            $queryParameterArray['p'] = $resourceObject->getUid();
            $queryParameterArray['t'] = 'p';
        }

        $queryParameterArray['token'] = GeneralUtility::hmac(implode('|', $queryParameterArray), 'resourceStorageDumpFile');
        $publicUrl = GeneralUtility::locationHeaderUrl(PathUtility::getAbsoluteWebPath(Environment::getPublicPath() . '/index.php'));
        $publicUrl .= '?' . http_build_query($queryParameterArray, '', '&', PHP_QUERY_RFC3986);
    }

Since we're using EXT:fal_securedownload this might not be a core issue but one of said extension. But I thought I'd start on Forge...

Setup:

  • TYPO3 10.4.36
  • EXT:fal_securedownload 3.0.2
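
The snippet quoted in the description signs only eID, t and f (or p), so the token says nothing about ADMCMD_simUser. The following is an added example, not code from this issue or from TYPO3 core: `exampleHmac()` is a stand-in that assumes HMAC-SHA1 keyed with the encryption key plus the additional secret, `ENCRYPTION_KEY` is a constructed value, and `tokenIsValid()` is a hypothetical receiver-side check.

```php
<?php
declare(strict_types=1);

// Constructed placeholder for the site's encryption key.
const ENCRYPTION_KEY = 'constructed-example-key';

// Stand-in for GeneralUtility::hmac(); the HMAC-SHA1 construction
// with key . additionalSecret is an assumption of this example.
function exampleHmac(string $input, string $additionalSecret): string
{
    return hash_hmac('sha1', $input, ENCRYPTION_KEY . $additionalSecret);
}

// Mirrors the quoted core snippet for a File object: eID, t and f are signed.
function buildDumpFileQuery(int $fileUid): array
{
    $query = ['eID' => 'dumpFile', 't' => 'f', 'f' => $fileUid];
    $query['token'] = exampleHmac(implode('|', $query), 'resourceStorageDumpFile');
    return $query;
}

// Hypothetical receiver-side check: recompute the token from the signed fields only.
function tokenIsValid(array $params): bool
{
    $type = $params['t'] ?? '';
    if (!in_array($type, ['f', 'p'], true)) {
        return false;
    }
    $uid = $params[$type] ?? null;
    $token = $params['token'] ?? null;
    if (!is_scalar($uid) || !is_string($token)) {
        return false;
    }
    $signed = ['eID' => 'dumpFile', 't' => $type, $type => (string)$uid];
    $expected = exampleHmac(implode('|', $signed), 'resourceStorageDumpFile');
    return hash_equals($expected, $token); // constant-time comparison
}

$query = buildDumpFileQuery(28);
echo '/index.php?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986), PHP_EOL;

// ADMCMD_simUser is outside the signed fields; check the token with it appended.
var_dump(tokenIsValid($query + ['ADMCMD_simUser' => '1']));

// Change a signed field (the file uid) and check the token again.
$tampered = $query;
$tampered['f'] = 29;
var_dump(tokenIsValid($tampered));
```

Because the token binds only the file reference, any decision about which frontend user or group may fetch the file has to be made separately when the dumpFile request is handled.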

Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #94974: Pass on simUser parameter to other pages (Closed, 2021-08-24)

Actions #1

Updated by Philipp Kitzberger over 1 year ago

  • Related to Bug #94974: Pass on simUser parameter to other pages added
Actions #2

Updated by Georg Ringer 5 months ago

  • Status changed from New to Needs Feedback
  • Priority changed from Should have to Could have

I tried to reproduce that and the URL of the page is
https://t3-master.ddev.site/issues/100153-secured-download-preview?ADMCMD_simUser=1 and for the file https://t3-master.ddev.site/index.php?eID=dumpFile&t=f&f=28&token=ce6452b96c488a4ec70e11c2cf5453eccadf302d and the file is reachable (being in a non-public storage).

Would it be OK to close it?

Actions #3

Updated by Philipp Kitzberger 4 months ago

Yup, go ahead. Cannot reproduce it with v11 anymore as well.

Actions #4

Updated by Garvin Hicking 4 months ago

  • Status changed from Needs Feedback to Closed