Bug #3506 (closed): Recycler: Possible security issue
Status: Rejected
Priority: -- undefined --
Start date: 2009-05-28
% Done: 0%
TYPO3 Version: 4.3
Description
Hi,
I found out that a regular BE user who has no access to the recycler module can still access a URL like this:
http://mywebsite/typo3/ajax.php?ajaxID=tx_recycler::controller&startUid=7&cmd=getTables&depth=1&_dc=1243542264808
This is a potential security hole, since a BE user could play with the URL and get information they are not allowed to see. I suggest adding a simple check at the top of the file class/controller/class.tx_recycler_controller_ajax.php:

    // Check whether the user has access to the module
    global $BE_USER;
    $MCONF['name'] = 'web_txrecyclerM1';
    $MCONF['access'] = 'user,group';
    // This check makes sure the user has the permissions to access this class. Exits if that's not the case.
    $BE_USER->modAccess($MCONF, 1);
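To show where the proposed check belongs in the request flow, here is an added illustration that is neither TYPO3's code nor the reporter's: a controller in the shape of a TYPO3 4.x AJAX handler, with the module-access check running before any cmd is dispatched. The class names, the stub standing in for the real BE user object, and the sample response are assumptions; only modAccess($MCONF, 1) and the module name 'web_txrecyclerM1' come from the report.

```php
<?php
// Added example, not project code. ajax.php authenticates the BE session but
// does not enforce module permissions, so the check must live in the AJAX
// entry point itself. BeUserStub is a constructed stand-in for the real
// t3lib_userAuthGroup; only modAccess() and the module name are from the report.

class BeUserStub {
    private $allowedModules;
    public function __construct(array $allowedModules) { $this->allowedModules = $allowedModules; }
    // Same contract as the real method: TRUE if the user may use the module,
    // otherwise exit when $exitOnError is set (simulated here with an exception).
    public function modAccess($conf, $exitOnError) {
        if (in_array($conf['name'], $this->allowedModules, true)) {
            return true;
        }
        if ($exitOnError) {
            throw new RuntimeException('Access denied to module ' . $conf['name']);
        }
        return false;
    }
}

class RecyclerAjaxControllerExample {
    public function init(array $params, array &$response) {
        global $BE_USER;
        // The proposed fix: enforce Recycler module permissions first, so a BE
        // user without the module never reaches any cmd handler below.
        $MCONF['name']   = 'web_txrecyclerM1';
        $MCONF['access'] = 'user,group';
        $BE_USER->modAccess($MCONF, 1);

        switch ($params['cmd']) {
            case 'getTables':
                $response['tables'] = array('pages', 'tt_content'); // constructed sample
                break;
            default:
                $response['error'] = 'unknown cmd';
        }
    }
}

// Constructed request: the query parameters of the URL from the report.
$params = array('cmd' => 'getTables', 'startUid' => 7, 'depth' => 1);
$cases  = array('no recycler' => array('web_list'), 'has recycler' => array('web_list', 'web_txrecyclerM1'));
foreach ($cases as $label => $modules) {
    $BE_USER  = new BeUserStub($modules);
    $response = array();
    try {
        $controller = new RecyclerAjaxControllerExample();
        $controller->init($params, $response);
        echo $label . ': ' . json_encode($response) . "\n";
    } catch (RuntimeException $e) {
        echo $label . ': ' . $e->getMessage() . "\n";
    }
}
```

The first case is denied before getTables runs; the second returns the table list, which is the behaviour the suggested check is meant to produce.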