Project

General

Profile

Actions
Copy link

Bug #17327

closed

secure filelinks width jumpurl.secure don't check permission recursive

Added by Anliker Hubert over 17 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2007-05-24
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.1
PHP Version:
5.1
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Secure filelinks with jumpurl.secure = 1 on access restricted pages ignore the group restriction, if the group-restriction is not applied on the same page where the filelink is placed. So when a branch is access-restricted the secure filelinks will only function if every page is access-restricted. Otherwise if the link from the secure filelink is opened directly then you can download the file!

The Problem seems to be the function checkRecord in the class.t3lib_page.php.

The Access-Vaidation must include the rootline.
Compare the Attachement. I added the Access-Validation in the function and made a redirect if the Access is not granted. - It's a rough workaround. It would be great to have a fine solution!

(issue imported from #M5674)

Files

class.t3lib_page.php (51.9 KB) class.t3lib_page.php Administrator Admin, 2007-05-24 14:36
Actions
Copy link
 #1

Updated by Oliver Hader over 17 years ago

Please provide a unified diff as patch file. It is easier to see the changes there. Thanks!

Actions
Copy link
 #2

Updated by Alexander Opitz over 11 years ago

  • Category deleted (Communication)
  • Status changed from New to Needs Feedback
  • Target version deleted (0)

The issue is very old, does this issue exists in newer versions of TYPO3 CMS (4.5 or 6.1)?

Actions
Copy link
 #3

Updated by Alexander Opitz about 11 years ago

  • Status changed from Needs Feedback to Closed

No feedback for over 90 days.

Actions
Copy link
 #4

Updated by Alexander Stehlik about 9 years ago

checkRecord() still seems to ignore any rootline permissions. It will only check if the provided record is accessible and the page it resides in.

Permissions set in parent pages will be ignored.

Actions
Copy link
 #5

Updated by Andreas Kienast about 9 years ago

  • Status changed from Closed to New
  • Is Regression set to No

Reopened as requested by Alex Stehlik.

Actions
Copy link
 #6

Updated by Riccardo De Contardi about 7 years ago

  • Status changed from New to Closed

I close this one as the "jumpurl" feature has been removed from TYPO3 Core since version 7.6 (https://wiki.typo3.org/TYPO3.CMS/Releases/7.6/Breaking#Breaking:_.2370578_-_JumpURL_functionality_removed_from_the_TYPO3_Core) and 6.2 is not maintained anymore.

The feature has become an extension https://github.com/FriendsOfTYPO3/jumpurl - you could open an issue here if you still need it. Thank you.

Actions
Copy link

Also available in: Atom PDF