TYPO3 Core

What is happening¶

• A language-restricted user clicks on the List module in the backend.
• In the page tree, the user selects a folder page that is not a child of a site root node.
• An exception occurs because the SQL query contains a WHERE clause sys_language_uid IN ()

An exception occurred while executing 'SELECT COUNT(*) FROM `pages` WHERE (`sys_language_uid` IN ()) AND (`pages`.`pid` = ?) AND 
( ((`pages`.`perms_everybody` & 1 = 1) OR ((`pages`.`perms_userid` = 3) AND (`pages`.`perms_user` & 1 = 1)) OR 
((`pages`.`perms_groupid` IN (1)) AND (`pages`.`perms_group` & 1 = 1)))) AND (`l10n_parent` = ?) AND ((`pages`.`deleted` = 0) AND
 ((`pages`.`t3ver_wsid` = 0) AND ((`pages`.`t3ver_oid` = 0) OR (`pages`.`t3ver_state` = 4)))) LIMIT 1' 
with params [0, 2]: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for 
the right syntax to use near ')) AND (`pages`.`pid` = ?) AND ( ((`pages`.`perms_everybody` & 1 = 1) OR ((`p...' at line 1

What is going wrong¶

• The RecordListController sets the allowed languages to the site languages.
• As there is no site for this folder, the dummy site only supplies the default language 0.
• If the user cannot see the default language, this results in an empty siteLanguages array.
• The module wants to show the page translations, so it initializes a DatabaseRecordList object with showOnlyTranslatedRecords set to true.
• DatabaseRecordList::getQueryBuilder sees this configuration and wants to filter by the languages allowed for the user.
• Using an IN operator with an empty list is famously impossible in SQL.

What could fix this¶

1. The simplest fix would be to not apply the query constraint if the languagesAllowedForUser are empty. But, this could allow users who are restricted to certain languages to see information about translated pages which are not in their allowed languages. This only happens for translated pages which were moved into an area of the page tree not covered by a site.
2. DatabaseRecordList could add an impossible constraint like 1=2 to the query, ensuring 0 result rows. The user cannot see any page translations then, even if they are in a language they are allowed to see normally.

(Hah, just noticed this: admins can see all languages, which means they only see the default language (0) in the NullSite...)

A mostly-automatic reproduction can be found here: https://github.com/fwg/typo3-bugs/tree/forge/102622