Project

General

Profile

Actions

Bug #85482

closed

Ensure non-admin users cannot see whole page tree from root, and only the mount points he is assigned to.

Added by Presedo Roberto over 5 years ago. Updated over 5 years ago.

Status:
Rejected
Priority:
Should have
Category:
Backend User Interface
Start date:
2018-07-05
Due date:
% Done:

0%

Estimated time:
2.00 h
TYPO3 Version:
8
PHP Version:
7.1
Tags:
Complexity:
medium
Is Regression:
Sprint Focus:

Description

I came out with a strange bug.

Using an extension that creates BE users, I made an incorrect configuration, and some non-admin users had the value of the "db_mountpoints" field set to 0 instead of NULL.

The users were in groups that had correctly configured mount points (22, 24). By merging these two pieces of information, users had a mount point list of "0,22,24"

When rendering the page tree in the BE, we could see the two mount points of the group (22 and 24) but also the whole tree from the root (0) exposing the whole site structure to non-authorized users. By clicking on pages that the user should not see, an error "#1289917924: You don't have access to this page" is thrown, hopefully...

Non-admin user should not see all pages from the root. We must therefore be ensured that this case does not occur.


Files

Bug_85482.patch (1.62 KB) Bug_85482.patch Presedo Roberto, 2018-07-05 01:27
Intranet__TYPO3_CMS_8_7_16_.png (222 KB) Intranet__TYPO3_CMS_8_7_16_.png Presedo Roberto, 2018-07-05 10:15
Actions #1

Updated by Presedo Roberto over 5 years ago

  • Target version set to 8.7.19
Actions #2

Updated by Presedo Roberto over 5 years ago

See attached patch

Actions #3

Updated by Stephan Großberndt over 5 years ago

In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.

Actions #4

Updated by Mathias Brodala over 5 years ago

Stephan Großberndt wrote:

In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.

But that's not possible normally since you cannot select the root page as mount in BE user groups.

Actions #5

Updated by Presedo Roberto over 5 years ago

Here is how this happens in BE

If a non-admin user has more than one MP, non of those MP should be root, right ??

Actions #6

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

Actions #7

Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

Actions #8

Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57502

Actions #9

Updated by Gerrit Code Review over 5 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57503

Actions #10

Updated by Susanne Moog over 5 years ago

  • Target version changed from 8.7.19 to Candidate for patchlevel
Actions #11

Updated by Gerrit Code Review over 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

Actions #12

Updated by Gerrit Code Review over 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

Actions #13

Updated by Jigal van Hemert over 5 years ago

  • Status changed from Under Review to Rejected

As commented in Gerrit:
We will not fix this in the core. The interface does not allow this combination and the system reject a request for unauthorized user as described in the issue. The core is not responsible to handle and fix broken records, which ware created by third party code.

Therefore the issue is marked as rejected.

If you feel that this is incorrect this issue can be re-opened or a new issue can be filed (please link to this issue in that case).

Actions

Also available in: Atom PDF