Bug #42601
Content Security: QOM rewriting is omitted if used in certain cases in an Action Controller
Status: Under Review
Priority: Must have
Assignee:
Category: Security
Target version:
Start date: 2012-11-01
Due date:
% Done: 100%
Estimated time:
PHP Version: 5.4
Has patch: No
Complexity: medium
Description
The QOM Query Rewriting Aspect checks if the security context is initialized. If it is not yet initialized, it will suspend query rewriting and just proceed to call the execute() or count() method.
This may be a problem because it is not defined when the security context gets initialized. It can happen that, if no getRole() (or similar) methods have been called previously (for example because no user is logged in), content is shown which must not be visible.
This issue is, however, quite predictable and already becomes apparent during development.
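The following is an added illustration, not TYPO3 Flow's own code: the classes SecurityContext and Query and the two executeFail* functions are simplified, hypothetical stand-ins for the aspect described above. It contrasts the fail-open check (skip rewriting when the context is not yet initialized, so the unconstrained query runs) with a fail-closed variant that always derives the constraint from the context, so an uninitialized context yields the anonymous roles rather than no constraint at all.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 Flow's code. SecurityContext, Query and the two
// execute* functions are simplified stand-ins for the aspect the report describes.

final class SecurityContext
{
    private bool $initialized = false;
    /** @var string[] */
    private array $roles = [];

    public function isInitialized(): bool
    {
        return $this->initialized;
    }

    // Lazily initialized: the first getRoles() call determines the roles. With no
    // authenticated account only the (hypothetical) 'Anonymous' role is present.
    public function getRoles(): array
    {
        if (!$this->initialized) {
            $this->roles = ['Anonymous'];
            $this->initialized = true;
        }
        return $this->roles;
    }
}

final class Query
{
    /** @var array<int, array{title: string, requiredRole: string}> */
    private array $rows;
    /** @var string[]|null roles allowed to see a row; null means "no constraint added" */
    private ?array $allowedRoles = null;

    public function __construct(array $rows)
    {
        $this->rows = $rows;
    }

    public function restrictToRoles(array $roles): void
    {
        $this->allowedRoles = $roles;
    }

    public function execute(): array
    {
        return array_values(array_filter(
            $this->rows,
            fn (array $row): bool =>
                $this->allowedRoles === null
                || in_array($row['requiredRole'], $this->allowedRoles, true)
        ));
    }
}

// The behaviour the report describes: when the context is not yet initialized,
// rewriting is skipped and execute() runs on the unconstrained query.
function executeFailOpen(Query $query, SecurityContext $context): array
{
    if (!$context->isInitialized()) {
        return $query->execute();
    }
    $query->restrictToRoles($context->getRoles());
    return $query->execute();
}

// Fail-closed alternative: always derive the constraint from the context, so an
// uninitialized context produces the anonymous roles instead of no constraint.
function executeFailClosed(Query $query, SecurityContext $context): array
{
    $query->restrictToRoles($context->getRoles());
    return $query->execute();
}

// Constructed sample data.
$rows = [
    ['title' => 'Public article', 'requiredRole' => 'Anonymous'],
    ['title' => 'Internal memo',  'requiredRole' => 'Editor'],
];

// Fresh request: nobody has called getRoles() yet, so the context is uninitialized.
$leaked = executeFailOpen(new Query($rows), new SecurityContext());
echo 'fail-open:   ' . implode(', ', array_column($leaked, 'title')) . PHP_EOL;

$filtered = executeFailClosed(new Query($rows), new SecurityContext());
echo 'fail-closed: ' . implode(', ', array_column($filtered, 'title')) . PHP_EOL;
```

Run on a fresh context, the fail-open path returns both rows, including the one that requires the Editor role, while the fail-closed path returns only the public row. The point is the decision rule: whether a constraint is applied should never depend on whether some unrelated code happened to touch the security context earlier in the request.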
Related issues