Bug #85482
closed
Ensure non-admin users cannot see whole page tree from root, and only the mount points he is assigned to.
0%
Description
I came out with a strange bug.
Using an extension that creates BE users, I made an incorrect configuration, and some non-admin users had the value of the "db_mountpoints" field set to 0 instead of NULL.
The users were in groups that had correctly configured mount points (22, 24). By merging these two pieces of information, users had a mount point list of "0,22,24"
When rendering the page tree in the BE, we could see the two mount points of the group (22 and 24) but also the whole tree from the root (0) exposing the whole site structure to non-authorized users. By clicking on pages that the user should not see, an error "#1289917924: You don't have access to this page" is thrown, hopefully...
Non-admin user should not see all pages from the root. We must therefore be ensured that this case does not occur.
Files
Updated by Presedo Roberto over 6 years ago
- File Bug_85482.patch Bug_85482.patch added
See attached patch
Updated by Stephan Großberndt over 6 years ago
In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.
Updated by Mathias Brodala over 6 years ago
Stephan Großberndt wrote:
In general non-admins may well be allowed to have access to the root page 0 - this very much depends on your setup.
But that's not possible normally since you cannot select the root page as mount in BE user groups.
Updated by Presedo Roberto over 6 years ago
Here is how this happens in BE
If a non-admin user has more than one MP, non of those MP should be root, right ??
Updated by Gerrit Code Review over 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57502
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57503
Updated by Susanne Moog about 6 years ago
- Target version changed from 8.7.19 to Candidate for patchlevel
Updated by Gerrit Code Review about 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483
Updated by Gerrit Code Review about 6 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57483
Updated by Jigal van Hemert about 6 years ago
- Status changed from Under Review to Rejected
As commented in Gerrit:
We will not fix this in the core. The interface does not allow this combination and the system reject a request for unauthorized user as described in the issue. The core is not responsible to handle and fix broken records, which ware created by third party code.
Therefore the issue is marked as rejected.
If you feel that this is incorrect this issue can be re-opened or a new issue can be filed (please link to this issue in that case).