Bug #18797
closed
"New page" wizard might disclose existence of pages outside DB mount
100%
Description
When creating a new page inside the top level of a DB mount which is only a sub tree, the pages up and down from the DB mount root will be displayed in the position selector if the logged in user has read permissions for these pages. This is unwanted information disclosure as the permissions should not matter for pages which are outside the DB mount.
Example:
Tree looks like
x -
- a
- b
- d
- e
- f
- c
User A has b as his DB mount but reading permissions on all pages in the tree. He now create a new page inside b. The position selector should only show him b and its subpages. Instead he will be shown a and c, too.
(issue imported from #M8428)
Files
Updated by
Updated by Alexander Opitz almost 11 years ago
- Status changed from New to Needs Feedback
- Target version deleted (
0)
The issue is very old, does this issue exists in newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by Riccardo De Contardi almost 11 years ago
- File Cattura.PNG Cattura.PNG added
- File Cattura2.PNG Cattura2.PNG added
- File Cattura3.PNG Cattura3.PNG added
See attached files to see what happens in TYPO3 6.1.0:
1. Cattura.PNG
is a branch of my pagetree; the editor's usergroup has B1 as DB mount.
2. Cattura2.PNG
if I click > page actions > new --> the wizard shown is what the user sees.
If I click on the arrow that allows me to add a page as sibling of B1 (see red circle on attached file) then there is an error:
3. Cattura3.PNG
The error reports the name of the parent of B1.
Updated by Alexander Opitz almost 11 years ago
- Status changed from Needs Feedback to New
Updated by Nicole Cordes almost 11 years ago
- Category set to Backend User Interface
- Status changed from New to Accepted
- Assignee set to Nicole Cordes
- Target version set to 6.2.0
- TYPO3 Version changed from 4.1 to 6.2
- PHP Version deleted (
5.2)
Updated by Gerrit Code Review over 10 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/22632
Updated by Ernesto Baschny over 10 years ago
- Target version deleted (
6.2.0)
Good catch, but I would only backport until 6.0. Let's focus on more important tasks than backporting to 4.x from now on.
Updated by Gerrit Code Review over 10 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/22632
Updated by Gerrit Code Review over 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/22632
Updated by Gerrit Code Review over 10 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/22632
Updated by Gerrit Code Review about 10 years ago
Patch set 1 for branch TYPO3_6-1 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27429
Updated by Gerrit Code Review about 10 years ago
Patch set 1 for branch TYPO3_6-0 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/27430
Updated by Nicole Cordes about 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c59d89f809898784aaedd507db61a4d380bc27a8.
Updated by 
