Bug #17577
closedenableFields() not called in some cases
0%
Description
I discovered this bug using the "addEnableColumns" hook on "pages" table.
In some cases custom filters are not applied (ex: HMENU-special-directory rendering)...
In "tslib_cObj::getWhere()", we have :
// enablefields
if ($table=='pages') {
$query.=' '.$GLOBALS['TSFE']->sys_page->where_hid_del.
$GLOBALS['TSFE']->sys_page->where_groupAccess;
} else {
$query.=$this->enableFields($table);
}
that sould be :
$query.=$this->enableFields($table);
Note that tslib_cObj::enableFields() applies the "$GLOBALS['TSFE']->showHiddenRecords" setting automaticallly, so I'm nearly sure that it will work...
The question is "Why a special case for 'pages' in getWhere() ?".
I think the author thought about performances (sys_page->where_hid_del + sys_page->where_groupAccess looks like a "faster" enableFields() call)...
If we need performances, we can implement a lightweight cache in t3lib_pageSelect::enableFields() method, using a static hash var per example...
Anyway, I don't think it's a good idea to skip "enableFields" in any case.
It is a typo3 foundation, that cannot accept "holes"...
--- /usr/local/typo3/typo3_src-4.1.2/typo3/sysext/cms/tslib/class.tslib_content.php Mon Jul 16 01:31:30 2007
+++ /home/gco/fixes/typo3_src-4.1.2/typo3/sysext/cms/tslib/class.tslib_content.php Tue Sep 04 10:47:49 2007@ -6699,12 +6699,7
@
}
// enablefields
- if ($table=='pages') {
- $query.=' '.$GLOBALS['TSFE']->sys_page->where_hid_del.
- $GLOBALS['TSFE']->sys_page->where_groupAccess;
- } else {
- $query.=$this->enableFields($table);
- }
+ $query.=$this->enableFields($table);
// MAKE WHERE:
if ($query) {
(issue imported from #M6254)
Updated by Popy no-lastname-given about 17 years ago
By the way, why sometimes Core classes sometimes uses $GLOBALS['TSFE']->sys_page->where_hid_del and $GLOBALS['TSFE']->sys_page->where_groupAccess, and sometimes enableFields('pages') ?
I think that it should always call the same, to avoid this kind of problems.
Updated by Martin Kutschker about 17 years ago
@Guillaume:
I think you should modify the $GLOBALS['TSFE']->sys_page properties if you want to change the access control for page records. The properties take also
workspace related things (preview!) into account which the ordinary enableFields() doesn't.
Where did you find enableFields('pages')?
Updated by Popy no-lastname-given about 17 years ago
I don't know if i did found it... But it is the right way to bet enableFields for a table, isn't it ? Why a different way for the table "pages" ?
Updated by Ernesto Baschny over 16 years ago
I think it is a shame that the page isn't handled by enableFields, which should / could be "the" central place to check for access. It has all funcionality needed for this, it handles versioning preview, and the best thing is that is is hookable. We can even call it with an option to disable certain checks (e.g. fe_group checks turned off in case a HMENU that needs to display all pages, even those that are not currently accessible by the user).
We stumbled over a problem with extending the group checking on pages and tt_content (we needed a "negated" fe_group access, meaning "display content for all users that are not in certain fe_groups"). We started using the hook in enableFields until we discovered that this isn't being used consistently thoughout TYPO3, so we ended up XCLASSing. :)
Patching this part is probably possible, but probably some "workspaces" expert should make it "right". Currently no resources to do so, but maybe we could discuss if this is possible or even desired (for 4.3).
Updated by Ernesto Baschny over 16 years ago
Ok, just got some more information why enableFields isn't good for page record checking:
a) In some situations we don't have TCA available when selecting a page record
(e.g. fetch_the_id() is called before we load the compressed TCA). Reason would be that we need fast output in case the page is already in cache. So at least in this situation we cannot call enableFields().
b) in the situation mentioned in the bug report (HMENU rendering), the enableFields would always check for fe_groups. If in TypoScript we have the option "showAccessRestrictedPages=1", we need HMENU to render regardless of fe_group access. It does so by simply manipulating $this->sys_page->where_groupAccess = ''; at start and restoring it at the end of the menu rendering. So that every MENUITEM will disregard group-access, which is why it doesn't go through enableFields. The above patch would break that.
For a) there is no solution other than the "special case", for b) we could rewrite the menu rendering process to call enableFields() with fe_groups in the "$ignore_array" parameter...
Updated by Popy no-lastname-given over 16 years ago
Are you sure of your point a) ? Because, even if the page is cached, there's still the USER_INT process, and i'm sure they can access to TCA ...
Updated by Ernesto Baschny over 16 years ago
Yes, but the TCA will be loaded at a later point. When TYPO3 is still deciding if the requested page ID can be shown (acl), TCA is not available. If TYPO3 decides that:
a) page can be shown
b) page is in cache
c) no preview, no USER_INT, or other "uncacheable" stuff is required
then it will return page from cache ASAP, no further processing required, no expensive loading of TCA and stuff is needed. This is why a page without USER_INT is so much faster than a cached page with even one USER_INT.
Updated by Dmitry Dulepov almost 13 years ago
- Category deleted (
Communication) - Status changed from New to Closed
- Target version deleted (
0)