Bug #64536

closed

Backend Search Box

Added by micka no-lastname-given about 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: -- undefined --
Assignee: -
Category: -
Target version:
Start date: 2015-01-27
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

A backend user (not admin) can see in the results data to which it has no access (e.g. "templates Main TS" in the image).

More information in French: http://forum.typo3-fr.org/topic/22756-moteur-de-recherche-backend/page__pid__86580


Files

TYPOP3_bug_64536_live_search_results.png (13.6 KB): screenshot of live search results. Olivier SC, 2015-01-28 10:04
Actions #1

Updated by Olivier SC about 9 years ago

File: /typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php (v6.2.3)
File: /t3lib/search/class.t3lib_search_livesearch.php (v4.5.39)

Function: findByGlobalTableList
It searches all available fields in all tables from the TCA.
In a deeper function there is a filter on page ID, but nothing on "access rights" for a specific table (like excluding "sys_template" for non-admins).

The loop in "findByGlobalTableList" could verify the access rights for a table before trying to run the query for this table.

I'm not sure, but we could use something like:
$GLOBALS['BE_USER']->check('tables_select', $tableName)

    protected function findByGlobalTableList($pageIdList) {
        $limit = $this->limitCount;
        $getRecordArray = array();
        foreach ($GLOBALS['TCA'] as $tableName => $value) {

            /********** from here ********/
            // if no "listing access" for the table, skip this table (maybe "tables_modify" must be checked as well, I don't know)
            if (!$GLOBALS['BE_USER']->check('tables_select', $tableName)) {
                continue;
            }
            /********** to here ********/
            $recordArray = $this->findByTable($tableName, $pageIdList, '0,' . $limit);
            $recordCount = count($recordArray);
            if ($recordCount) {
                $limit = $limit - $recordCount;
                $getRecordArray[] = $recordArray;
                if ($limit <= 0) {
                    break;
                }
            }
        }
        return $getRecordArray;
    }

I can provide a patch, but for which version of TYPO3?
Actions #2

Updated by micka no-lastname-given about 9 years ago

The "bug" was observed on version 6.2.9.

Actions #3

Updated by Frans Saris about 9 years ago

Olivier SC wrote:

[...]
I can provide a patch, but for which version of TYPO3?

Hi Olivier, if you create a patch this should normally always be for master.

Gr. Frans

Actions #4

Updated by Olivier SC about 9 years ago

How to reproduce:
- go to the TYPO3 demo website http://cms62.demo.typo3.org/typo3/ (v6.2.8 in January 2015)
- log in with "advanced_editor/password" (not an "admin" account)
- in the page tree, click on "Congratulations"
- in the "live search" field, type "introduction"

Result => among the suggested results there is the record "Template : Introduction Package",
but "advanced_editor" is not admin and should not see this type of record.
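
The two filter layers discussed in comment #1 and exercised by the reproduction above, as an added stand-alone model (not TYPO3 code and not the patch from the review): a page-ID filter alone lets a non-admin's live search return a sys_template row, while adding a per-table "tables_select" check in the table loop removes it and leaves admin results unchanged. The FakeBackendUser class, the table list and the sample records are constructed for this example; only the check('tables_select', $table) call mirrors the TYPO3 API mentioned in the thread.

```php
<?php
// Added example, not TYPO3 code: models the page-ID filter and the proposed
// per-table access check. Tables, records and the permission set are constructed.
declare(strict_types=1);

/** Minimal stand-in (assumption) for the part of $GLOBALS['BE_USER'] the check needs. */
final class FakeBackendUser
{
    public function __construct(private bool $isAdmin, private array $selectableTables) {}

    // Same contract as BackendUserAuthentication::check('tables_select', $table):
    // admins pass every check, other users only for tables in their permission list.
    public function check(string $type, string $value): bool
    {
        if ($this->isAdmin) {
            return true;
        }
        return $type === 'tables_select' && in_array($value, $this->selectableTables, true);
    }
}

/** Constructed sample records: table name => list of [pid, title]. */
const SAMPLE_RECORDS = [
    'pages'        => [[1, 'Introduction']],
    'tt_content'   => [[1, 'Introduction text']],
    'sys_template' => [[1, 'Introduction Package']],   // must stay hidden from non-admins
];

/** Stand-in for findByTable(): page-ID filter plus a case-insensitive title match. */
function matchRecords(string $tableName, array $pageIdList, string $needle): array
{
    $hits = [];
    foreach (SAMPLE_RECORDS[$tableName] ?? [] as [$pid, $title]) {
        if (in_array($pid, $pageIdList, true) && stripos($title, $needle) !== false) {
            $hits[] = $tableName . ': ' . $title;
        }
    }
    return $hits;
}

/** Behaviour the issue reports: every TCA table is searched, only the page ID is filtered. */
function searchWithPageFilterOnly(array $tca, array $pageIdList, string $needle): array
{
    $hits = [];
    foreach (array_keys($tca) as $tableName) {
        $hits = array_merge($hits, matchRecords($tableName, $pageIdList, $needle));
    }
    return $hits;
}

/** Same search with the per-table access check proposed in comment #1 added to the loop. */
function searchWithTableAccessCheck(FakeBackendUser $user, array $tca, array $pageIdList, string $needle): array
{
    $hits = [];
    foreach (array_keys($tca) as $tableName) {
        if (!$user->check('tables_select', $tableName)) {
            continue;   // the user may not list this table at all: skip it before querying
        }
        $hits = array_merge($hits, matchRecords($tableName, $pageIdList, $needle));
    }
    return $hits;
}

// Stand-in for $GLOBALS['TCA']: only the table names matter here.
$tca    = array_fill_keys(array_keys(SAMPLE_RECORDS), []);
$editor = new FakeBackendUser(false, ['pages', 'tt_content']);   // non-admin, like advanced_editor
$admin  = new FakeBackendUser(true, []);

print_r(searchWithPageFilterOnly($tca, [1], 'introduction'));            // leaks the sys_template row
print_r(searchWithTableAccessCheck($editor, $tca, [1], 'introduction')); // pages and tt_content only
print_r(searchWithTableAccessCheck($admin, $tca, [1], 'introduction'));  // all three tables
```

Run it with any PHP 8 CLI; the first listing contains the "sys_template: Introduction Package" entry, the second does not, and the admin listing contains all three. The check sits before the query on purpose: skipping the table is cheaper than fetching rows and filtering them afterwards, and it avoids leaking row counts through the remaining limit.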

Actions #5

Updated by Benni Mack almost 9 years ago

  • Status changed from New to Accepted
  • Target version set to 7.4 (Backend)
  • Sprint Focus set to On Location Sprint
Actions #6

Updated by Gerrit Code Review almost 9 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/41600

Actions #7

Updated by Tim Lochmüller almost 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #8

Updated by Anja Leichsenring over 8 years ago

  • Sprint Focus deleted (On Location Sprint)
Actions #9

Updated by Riccardo De Contardi over 6 years ago

  • Status changed from Resolved to Closed