Project

General

Profile

Actions

Bug #31684

closed

db_new.php: positionTree() does not respect db mount of backend user

Added by Jochen Rieger about 13 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Start date:
2011-11-08
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

See screenshots attached.

If a user has a db mount on one sysfolder and the sysfolder got other pages / folders on the same treelevel around it, then these will be shown although they are not within the user's db mount.

I have to add: If the folders have different owner groups or no owner group at all they won't be shown. But often you have a setup where there is same base backend group for page rights and the specific pages for users will be added via db mount(s).

So, I think the method t3lib_positionMap->positionTree() should also respect the db mount properly when displaying the list of possible pages to create a new one after / in / before.

In some cases, this can be a real security issue if users are not supposed to see certain folders.


Files

Actions #1

Updated by Benni Mack about 13 years ago

  • Category set to Backend User Interface
  • Status changed from New to Accepted

Hey Jochen,

wow. that seems reasonable and clearly and issue to be fixed. Interested in creating a patch for Gerrit for it?

http://wiki.typo3.org/Contribution_Walkthrough_Tutorials

All the best,
Benni.

Actions #2

Updated by Helmut Hummel about 13 years ago

Just to be clear: Mountpoints are not a security feature! I'm not sureIf you want to disallow access to certain pages, you have to set up proper permissions to these pages.

Nevertheless, the issue mentioned here should be fixed.

Actions #3

Updated by Helmut Hummel about 13 years ago

Just checked, to be sure: Page permissions are checked correctly in the wizard. So if you don't want your users to see the pages, deny access to them.

Rethinking about it: If we change the wizard here, we should implement mountpoints to be a security feature in all places.
But maybe it is better to leave it as is and communicate better what mountpoints are and what they are not.

Actions #4

Updated by Jochen Rieger about 13 years ago

Helmut, thanks for you check.

I, personally, would expect that mount points would be respected all over the system. And yet they are, for example in the link popup when chosing a page to link to.

AFAIK only in this wizard view appear pages that are outside the mount of an editor. If I mount an editor to a page node I want him to see only the selected node. Of cause, if there are restricted pages inside the mount I'd change the group access settings etc.

@ Benny: I'm somehow familiar with Gerrit but not with the rights / mount point thingy in backend code. If someone could provide another place where the mount point is respected I could manage it, I guess.

Actions #5

Updated by Mathias Schreiber almost 10 years ago

  • Target version set to 7.4 (Backend)
  • Is Regression set to No
Actions #6

Updated by Susanne Moog over 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
Actions #7

Updated by Benni Mack about 9 years ago

  • Target version changed from 7.5 to 8 LTS

hmm, don't know where mount points are implemented in the backend.

Actions #8

Updated by Benni Mack over 7 years ago

  • Target version changed from 8 LTS to Candidate for patchlevel
Actions #9

Updated by Benni Mack over 4 years ago

  • Status changed from Accepted to Closed

Cannot reproduce this issue anymore. Can you clarify or check this again? I will close this issue for the time being, if you still feel this should be handled, let me know so I will re-open this issue again.

Actions

Also available in: Atom PDF