Bug #83547

previewLinks in Workspaces and broken rootline

Added by Alexander Opitz 4 days ago. Updated 4 days ago.

Status:
Under Review
Priority:
Should have
Category:
Workspaces
Start date:
2018-01-12
Due date:
% Done:

0%

TYPO3 Version:
7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

What I did

Actually result
TYPO3 Exception
Broken rootline. Could not resolve page with uid XXX

Awaited result

Showing a preview of the site defined in the preview link.
--

While tracing this issue, I found it has pre complex conditions to happen.
  • We need two workspaces, which need to have different "db_mountpoints" defined, without overlapping rootline
  • Switch to workspace one
  • Create a new page
  • Create a previewlink for this new page in the workspace modul.
  • Test previewlink in another browser => Works
  • Switch to workspace two
  • Test previewlink in another browser => Exception

History

#1 Updated by Alexander Opitz 4 days ago

The problem is inside

/typo3/sysext/workspaces/Classes/Hook/PreviewHook.php:140 ff

// Either use configured workspace mount (of the workspace) or current page id
if (empty($tempBackendUser->groupData['webmounts'])) {
    $tempBackendUser->groupData['webmounts'] = !empty($workspaceRecord['db_mountpoints']) ? $workspaceRecord['db_mountpoints'] : $pObj->id;
}

The $tempBackendUser->groupData['webmounts'] will contain the webmounts of the BE user who generated this preview link, so if he switched to another workspace with db_mountpoints out of the scope of our page to view, we are off.

But removing this line may lead to a security issue, if the db_mountpoints of the be_user is deeper then the one of the workspace ... he could then see pages out of his scope inside the preview.

We could add, before calling $tempBackendUser->fetchGroupData(); something like

$tempBackendUser->user['workspace_id'] = $workspaceUid;

but the function fetchGroupData() calls workspaceInit() which may lead to workspace change on user record.

Maybe it helps todo before $tempBackendUser->fetchGroupData(); (but it is a bit fragile IMHO):

$tempBackendUser->setTemporaryWorkspace($workspaceUid);
$tempBackendUser->user['workspace_id'] = $workspaceUid;

#2 Updated by Gerrit Code Review 4 days ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55341

Also available in: Atom PDF