Bug #42601

Content Security: QOM rewriting is omitted if used in certain cases in an Action Controller

Added by Robert Lemke over 9 years ago. Updated almost 9 years ago.

Status: Under Review
Priority: Must have
Assignee:
Category: Security
Start date: 2012-11-01
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.4
Has patch: No
Complexity: medium

Description

The QOM Query Rewriting Aspect checks if the security context is initialized. If it is not yet initialized, it will suspend query rewriting and just proceed to call the execute() or count() method.

This may be a problem because it is not defined when the security context is initialized. It can and does happen that, if no getRole() etc. methods have been called previously (no user is logged in), content is shown which must not be visible.

This issue is, however, quite predictable and becomes apparent during development already.
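
The fail-open guard described above, as an added example that is not part of the original report and is not TYPO3 Flow code: a self-contained model showing that the same query returns different rows depending on whether anything touched the security context beforehand. All class and function names are hypothetical, the data is constructed, and the fail-closed variant is an assumed alternative, not the project's fix.

```php
<?php
// Added model of the reported behaviour; not TYPO3 Flow code, all names hypothetical.
class SecurityContext {
    private $initialized = false;
    private $roles = array();
    public function isInitialized() { return $this->initialized; }
    public function getRoles() {
        // Lazy initialization: happens only when something first asks for roles.
        if (!$this->initialized) {
            $this->roles = array('Everybody'); // no user is logged in
            $this->initialized = true;
        }
        return $this->roles;
    }
}
// Stand-in for the rewritten query: keep only rows readable by the given roles.
function filterByRoles(array $rows, array $roles) {
    return array_values(array_filter($rows, function ($row) use ($roles) {
        return in_array($row['requiredRole'], $roles, true);
    }));
}

// Guard as described in the report: an uninitialized context suspends rewriting.
function executeFailOpen(SecurityContext $context, array $rows) {
    if (!$context->isInitialized()) {
        return $rows; // unfiltered result, protected rows included
    }
    return filterByRoles($rows, $context->getRoles());
}

// Assumed alternative: getRoles() forces initialization, so the filter always runs.
function executeFailClosed(SecurityContext $context, array $rows) {
    return filterByRoles($rows, $context->getRoles());
}
function titles(array $rows) {
    return implode(', ', array_map(function ($row) { return $row['title']; }, $rows));
}

// Constructed sample data: each row names the role required to read it.
$rows = array(
    array('title' => 'Public news', 'requiredRole' => 'Everybody'),
    array('title' => 'Internal memo', 'requiredRole' => 'Editor'),
);

echo 'fail-open, fresh context:    ', titles(executeFailOpen(new SecurityContext(), $rows)), "\n";
$warm = new SecurityContext();
$warm->getRoles(); // some earlier code happened to touch the context
echo 'fail-open, after getRoles(): ', titles(executeFailOpen($warm, $rows)), "\n";
echo 'fail-closed, fresh context:  ', titles(executeFailClosed(new SecurityContext(), $rows)), "\n";
```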


Related issues

Related to TYPO3.Flow - Bug #42758: Unit test for PersistenceQueryRewritingAspect broken (Resolved, Karsten Dambekalns, 2012-11-07)

Related to TYPO3.Flow - Bug #44765: Functional test broken (Resolved, Karsten Dambekalns, 2013-01-23)
