Feature #22318
closed
Define a central whitelist for allowed tables for cObjects CONTENT and RECORDS
0%
Description
With the cObjects CONTENT and RECORDS you can get records out of database tables and render them.
However, CONTENT is restricted to work only with the tables pages, fe_*, static_*, tt_*, ttx_*, tx_* and user_* (that means be_*, cache_*, index_*, sys_* and a few others are not allowed). RECORDS has no restrictions regarding tables.
The reason for the restriction seems to be security as Dmitry pointed out: http://lists.typo3.org/pipermail/typo3-dev/2007-May/023736.html
To have consistent behaviour between CONTENT and RECORDS, and to make the allowed tables configurable, I suggest having a whitelist of allowed tables in the install tool (to be honest, Benjamin suggested this: http://lists.typo3.org/pipermail/typo3-dev/2010-February/039116.html).
I think that when a TYPO3 admin knows what he is doing, he should be allowed to access all tables (even be_users). As Georg pointed out, when TS does not allow him the functionality he wants, he'll write an extension or UserScript to achieve it, which can again introduce security holes.
This would break compatibility when someone used a table with RECORDS which is not allowed for CONTENT. The admin would need to add the tables he needs to the whitelist in the install tool.
(issue imported from #M13898)
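The difference between the prefix rule described for CONTENT and the proposed exact-match whitelist, as an added sketch that is not TYPO3 core code and not part of the original issue. The function names, the comma-separated setting format and all sample table names are assumptions made for illustration.

```php
<?php
// Added illustration; not TYPO3 core code. Function names and the
// comma-separated setting format are hypothetical.

// Prefix rule the issue describes for CONTENT: "pages" plus the listed prefixes.
function allowedByPrefixRule(string $table): bool
{
    if ($table === 'pages') {
        return true;
    }
    foreach (['fe_', 'static_', 'tt_', 'ttx_', 'tx_', 'user_'] as $prefix) {
        if (strncmp($table, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Proposed rule: exact match against an admin-maintained list, no wildcards.
function parseAllowlist(string $setting): array
{
    $names = array_map('trim', explode(',', $setting));
    // Drop empty entries and anything that is not a plain table identifier,
    // so an entry such as "be_*" cannot silently open a whole table family.
    return array_values(array_unique(array_filter($names, function ($name) {
        return preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) === 1;
    })));
}

function allowedByAllowlist(string $table, array $allowlist): bool
{
    // Strict comparison: the table name must be listed verbatim.
    return in_array($table, $allowlist, true);
}

// Constructed sample setting and table names.
$allowlist = parseAllowlist('pages, tt_content, fe_users, sys_language, ,be_*');
$tablesInUse = ['tt_content', 'fe_users', 'sys_language', 'be_users', 'tx_myext_item'];

foreach ($tablesInUse as $table) {
    printf(
        "%-14s prefix rule: %-5s whitelist: %s\n",
        $table,
        allowedByPrefixRule($table) ? 'allow' : 'deny',
        allowedByAllowlist($table, $allowlist) ? 'allow' : 'deny'
    );
}
```

Running a comparison like this over the tables a site's TypoScript actually references shows which entries an admin would have to add to the whitelist before switching rules.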