Story #34664
Closed
jumpurl.secure misses a test for backend user sections
Start date: 2012-03-08
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.5
PHP Version:
Tags:
Sprint Focus:
Description
I use links with jumpurl.secure on backend user sections. It turns out that the generated links can be used by everyone because TYPO3 does not check whether a BE user is logged in.
Usually when receiving a jumpurl link, TYPO3 uses the location data inside (record id and page id) to ensure that the current user can access that record and page and denies access to the file otherwise (class.tslib_fe::locDataCheck). It seems that here a test for backend user sections is missing.
This patch seems to fix the issue, but as I change an important variable, this might have consequences I'm not aware of.
--- class.tslib_fe.php_orig 2012-03-07 12:00:23.996434949 +0100 +++ class.tslib_fe.php 2012-03-07 12:00:29.731736265 +0100 @@ -1382,6 +1382,9 @@ function setSysPageWhereClause() { $this->sys_page->where_hid_del.=' AND pages.doktype<200'; $this->sys_page->where_groupAccess = $this->sys_page->getMultipleGroupsWhereClause('pages.fe_group', 'pages'); + if (!$GLOBALS['BE_USER']) { + $this->sys_page->where_groupAccess .=' AND doktype != 6'; + } } /**
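Review bot: the new condition `if (!$GLOBALS['BE_USER'])` in setSysPageWhereClause() only tests whether the global is truthy, so the exclusion is lifted for any request in which that global is populated, whether or not that backend user is allowed to see the page in question. Please confirm that the global is empty whenever no authenticated backend session exists, or test for a logged-in user explicitly. The appended clause also uses an unqualified `doktype`, while the line above it writes `pages.doktype<200`; qualify it as `pages.doktype` so it stays unambiguous in joined queries. The literal `6` has no comment or named constant, so a short comment stating which page type it excludes would help. Finally, `where_groupAccess` is built from `getMultipleGroupsWhereClause('pages.fe_group', 'pages')` and describes frontend group access; folding a page-type restriction into it changes every query that reuses that clause, not only the jumpurl location check, so the restriction may be better applied where the location data is checked or kept in a separate clause.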