Bug #18797

closed

"New page" wizard might disclose existence of pages outside DB mount

Added by Christian Lerrahn almost 16 years ago. Updated over 5 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: Backend User Interface
Target version: -
Start date: 2008-05-15
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When creating a new page inside the top level of a DB mount which is only a sub tree, the pages up and down from the DB mount root will be displayed in the position selector if the logged in user has read permissions for these pages. This is unwanted information disclosure as the permissions should not matter for pages which are outside the DB mount.

Example:
Tree looks like
x -
- a
- b
- d
- e
- f
- c

User A has b as his DB mount but reading permissions on all pages in the tree. He now creates a new page inside b. The position selector should only show him b and its subpages. Instead he will be shown a and c, too.
(issue imported from #M8428)
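
The gap described in this report, shown as an added example (not TYPO3 code and not code from the reporter): a simplified model of the position selector that filters once on read permission alone and once with an additional DB mount check. All names (`PAGES`, `candidatePages`, `isInsideMount`, `positionSelector`) are hypothetical, and d, e and f are assumed to be direct subpages of b.

```php
<?php
// Constructed page tree modelled on the report's example: page => parent.
// Assumption: d, e and f are direct children of b (the indentation is lost on the page).
const PAGES = [
    'x' => null, 'a' => 'x', 'b' => 'x', 'c' => 'x',
    'd' => 'b', 'e' => 'b', 'f' => 'b',
];

// Hypothetical user: read permission on every page, DB mount limited to b.
$user = ['readable' => array_keys(PAGES), 'dbMounts' => ['b']];

// Simplified selector model: the target page, its siblings and its direct subpages.
function candidatePages(string $target): array
{
    return array_keys(array_filter(
        PAGES,
        fn (?string $parent): bool => $parent !== null
            && ($parent === PAGES[$target] || $parent === $target)
    ));
}

// True when $page is a mount root or has a mount root among its ancestors.
function isInsideMount(string $page, array $mounts): bool
{
    for ($p = $page; $p !== null; $p = PAGES[$p]) {
        if (in_array($p, $mounts, true)) {
            return true;
        }
    }
    return false;
}

// $checkMount = false reproduces the reported behaviour (read permission only);
// $checkMount = true additionally requires the page to lie inside a DB mount.
function positionSelector(string $target, array $user, bool $checkMount): array
{
    return array_values(array_filter(
        candidatePages($target),
        fn (string $p): bool => in_array($p, $user['readable'], true)
            && (!$checkMount || isInsideMount($p, $user['dbMounts']))
    ));
}

echo 'read permission only:     ', implode(' ', positionSelector('b', $user, false)), PHP_EOL;
echo 'permission + mount check: ', implode(' ', positionSelector('b', $user, true)), PHP_EOL;
```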


Files

Cattura.PNG (5.15 KB) Riccardo De Contardi, 2013-05-15 17:10
Cattura2.PNG (11.8 KB) Riccardo De Contardi, 2013-05-15 17:10
Cattura3.PNG (9.87 KB) Riccardo De Contardi, 2013-05-15 17:10

Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #59427: Hook in calcPerms was not called anymore (Rejected, Stefan Froemken, 2014-06-10)
Blocks TYPO3 Core - Bug #63047: TreeView with non pages isInWebMount wrong parameter because of Bugfix #18797 (Closed, 2014-11-18)