Bug #85482

Ensure non-admin users cannot see the whole page tree from root, only the mount points they are assigned to.

Added by Presedo Roberto about 1 year ago. Updated 11 months ago.

Status:
Rejected
Priority:
Should have
Category:
Backend User Interface
Start date:
2018-07-05
Due date:
% Done:

0%

Estimated time:
2.00 h
TYPO3 Version:
8
PHP Version:
7.1
Tags:
Complexity:
medium
Is Regression:
Sprint Focus:

Description

I came across a strange bug.

Using an extension that creates BE users, I made an incorrect configuration, and some non-admin users had the value of the "db_mountpoints" field set to 0 instead of NULL.

The users were in groups that had correctly configured mount points (22, 24). By merging these two pieces of information, the users had a mount point list of "0,22,24".

When rendering the page tree in the BE, we could see the two mount points of the group (22 and 24) but also the whole tree from the root (0), exposing the whole site structure to unauthorized users. When clicking on pages that the user should not see, an error "#1289917924: You don't have access to this page" is thrown, fortunately...

Non-admin users should not see all pages from the root. We must therefore ensure that this case does not occur.

Bug_85482.patch View (1.62 KB) Presedo Roberto, 2018-07-05 01:27

Intranet__TYPO3_CMS_8_7_16_.png View (222 KB) Presedo Roberto, 2018-07-05 10:15
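The failure mode above (a stray "0" in a non-admin user's db_mountpoints merged with the group mounts) is easy to reproduce and to audit for. The following is an added example, not code from the TYPO3 core or from the attached patch: it models the merge the report describes in a simplified form (user mounts plus group mounts, in order, duplicates dropped), shows the hardened variant that strips page 0 for non-admins, and carries a detection query that can be run against a real be_users table. The table layout, rows and function names are constructed for the example and are not the real TYPO3 schema or API.

```python
import sqlite3

# Constructed sample data modelling the report: be_users.db_mountpoints was
# written as "0" by a third-party extension instead of NULL, while the group
# mounts are correct (22, 24). Column subset only, not the real TYPO3 schema.
SCHEMA = """
CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, admin INTEGER,
                       usergroup TEXT, db_mountpoints TEXT);
CREATE TABLE be_groups (uid INTEGER PRIMARY KEY, title TEXT, db_mountpoints TEXT);
"""
SAMPLE_ROWS = [
    ("INSERT INTO be_groups VALUES (?,?,?)", [(1, "editors", "22,24"), (2, "news", "30")]),
    ("INSERT INTO be_users VALUES (?,?,?,?,?)", [
        (10, "broken_editor", 0, "1", "0"),      # the misconfigured record from the report
        (11, "good_editor",   0, "1", None),     # correct: NULL, inherits group mounts only
        (12, "mixed",         0, "1,2", "0,5"),  # explicit own mount plus a stray 0
        (13, "admin",         1, "", None),      # admins legitimately see the root
    ]),
]


def open_sample_db():
    """In-memory database filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def parse_mounts(value):
    """Split a comma-separated uid list; NULL or empty yields no mounts.
    A literal "0" survives this step, which is exactly the problem."""
    if value is None:
        return []
    return [int(v) for v in value.split(",") if v.strip() != ""]


def effective_mounts(conn, uid):
    """Simplified model of the merge from the report: the user's own mounts
    followed by the mounts of every group the user is in, duplicates dropped."""
    admin, usergroup, user_mounts = conn.execute(
        "SELECT admin, usergroup, db_mountpoints FROM be_users WHERE uid = ?", (uid,)
    ).fetchone()
    mounts = parse_mounts(user_mounts)
    for gid in parse_mounts(usergroup):
        row = conn.execute("SELECT db_mountpoints FROM be_groups WHERE uid = ?", (gid,)).fetchone()
        if row:
            mounts += parse_mounts(row[0])
    seen, ordered = set(), []
    for m in mounts:
        if m not in seen:
            seen.add(m)
            ordered.append(m)
    return bool(admin), ordered


def sanitize_mounts(is_admin, mounts):
    """Hardened variant: a non-admin never gets page 0 (the root) as a mount,
    whatever a broken record or third-party code wrote into the field."""
    if is_admin:
        return list(mounts)
    return [m for m in mounts if m != 0]


def find_exposed_users(conn):
    """Audit over the merged result: non-admin users whose mount list contains 0."""
    exposed = {}
    for uid, username in conn.execute("SELECT uid, username FROM be_users ORDER BY uid"):
        is_admin, mounts = effective_mounts(conn, uid)
        if not is_admin and 0 in mounts:
            exposed[username] = mounts
    return exposed


def find_raw_zero_rows(conn):
    """Detection query on the stored column (portable SQLite/MySQL syntax):
    non-admin be_users rows whose db_mountpoints carries a literal 0 element."""
    return conn.execute(
        "SELECT uid, username, db_mountpoints FROM be_users "
        "WHERE admin = 0 AND db_mountpoints IS NOT NULL AND ("
        "db_mountpoints = '0' OR db_mountpoints LIKE '0,%' "
        "OR db_mountpoints LIKE '%,0' OR db_mountpoints LIKE '%,0,%') ORDER BY uid"
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for name, mounts in find_exposed_users(db).items():
        print(f"{name}: merged mounts {mounts} -> sanitized {sanitize_mounts(False, mounts)}")
    print("rows with a raw 0:", find_raw_zero_rows(db))
```

The same LIKE pattern can be pointed at be_groups.db_mountpoints, since a group record written by an extension can carry the same stray 0; on MySQL, FIND_IN_SET('0', db_mountpoints) expresses the four LIKE branches in one call. Note that the sanitizer only removes the root mount; it does not validate that the remaining uids exist or that the user is otherwise permitted to see them.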

History

#1 Updated by Presedo Roberto about 1 year ago

  • Target version set to 8.7.19

#2 Updated by Presedo Roberto about 1 year ago

See attached patch

#3 Updated by Stephan Großberndt about 1 year ago

In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.

#4 Updated by Mathias Brodala about 1 year ago

Stephan Großberndt wrote:

In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.

But that's not possible normally since you cannot select the root page as mount in BE user groups.

#5 Updated by Presedo Roberto about 1 year ago

Here is how this happens in BE

If a non-admin user has more than one MP, none of those MPs should be root, right?

#6 Updated by Gerrit Code Review about 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

#7 Updated by Gerrit Code Review about 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

#8 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57502

#9 Updated by Gerrit Code Review about 1 year ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57503

#10 Updated by Susanne Moog 12 months ago

  • Target version changed from 8.7.19 to Candidate for patchlevel

#11 Updated by Gerrit Code Review 11 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

#12 Updated by Gerrit Code Review 11 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483

#13 Updated by Jigal van Hemert 11 months ago

  • Status changed from Under Review to Rejected

As commented in Gerrit:
We will not fix this in the core. The interface does not allow this combination, and the system rejects a request from an unauthorized user as described in the issue. The core is not responsible for handling and fixing broken records which were created by third-party code.

Therefore the issue is marked as rejected.

If you feel that this is incorrect this issue can be re-opened or a new issue can be filed (please link to this issue in that case).
