Bug #67148
closed
Can only access first mount point
100%
Description
Since the merge of #64759, whenever a user has more than 1 mount point, he only can access the first one in File > List. Trying to access other ones crashes with:
#1375955684: You are not allowed to access the given folder
How-to reproduce¶
Let’s assume you have following directory structure:
fileadmin
directory1
directory1.1
directory1.2
Now you define two mount points on directory1.1 and directory1.2 and assign them to a simple user. When you log in and go to file list, you can successfully open mount point for directory1.1 but not for directory1.2 since \TYPO3\CMS\Core\Resource\Folder::getReadablePath does that:
if ($rootId === NULL) {
$rootId = $this->storage->getRootLevelFolder()->getIdentifier();
}
this method is called from FileList with rootId = NULL. As such it defines rootId as directory1.1 and then directory1.2 not being equal to directory1.1 it checks if you have access to parent folder (directory1) which is of course not the case:
if ($this->identifier !== $rootId) {
$readablePath = $this->getParentFolder()->getReadablePath($rootId);
}
in short you have access to first mount point and not any other.
Updated by Xavier Perseguers almost 9 years ago
- Subject changed from Cannot only access first mount point to Can only access first mount point
Updated by Xavier Perseguers almost 9 years ago
- Status changed from New to Accepted
Updated by Xavier Perseguers almost 9 years ago
Analyse¶
Problem is that a call to ->getParentFolder() will call in turn \TYPO3\CMS\Core\Resource\ResourceStorage::assureFolderReadPermission on it and this is why it crashes!
Updated by Gerrit Code Review almost 9 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39747
Updated by Frans Saris almost 9 years ago
I think we should go for:
public function getReadablePath($rootId = NULL) {
$oldPermissionFlag = $this->getStorage()->getEvaluatePermissions();
$this->getStorage()->setEvaluatePermissions(FALSE);
if ($rootId === NULL) {
$rootId = $this->storage->getRootLevelFolder()->getIdentifier();
}
$readablePath = '';
if ($this->identifier !== $rootId) {
$readablePath = $this->getParentFolder()->getReadablePath($rootId);
}
$this->getStorage()->setEvaluatePermissions($oldPermissionFlag);
return $readablePath . $this->name . '/';
}
As information disclosure (naming of the full path) was no issue prior to the change, the temporary disabling of the permissions check isn't an issue.
Updated by Frans Saris almost 9 years ago
Will provide a patch tomorrow is not done by someone else already
Updated by Frans Saris almost 9 years ago
ok, issue is
if ($rootId === NULL) {
$rootId = $this->storage->getRootLevelFolder()->getIdentifier();
}
and not the permissions part. getRootLevelFolder() returns the first readable mount point instead "current" mount point.
Updated by Gerrit Code Review almost 9 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39767
Updated by Gerrit Code Review almost 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39767
Updated by Gerrit Code Review almost 9 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39787
Updated by Frans Saris almost 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 11c26bf548dd1aa47974a4a62d6625e6759dbacf.
Updated by Riccardo De Contardi over 6 years ago
- Status changed from Resolved to Closed