Project

General

Profile

Actions
Copy link

Bug #85482

closed

Ensure non-admin users cannot see whole page tree from root, and only the mount points he is assigned to.

Added by Presedo Roberto over 6 years ago. Updated about 6 years ago.

Status:
Rejected
Priority:
Should have
Assignee:
Presedo Roberto
Category:
Backend User Interface
Target version:
Candidate for patchlevel
Start date:
2018-07-05
Due date:
% Done:

0%

Estimated time:
2.00 h
TYPO3 Version:
8
PHP Version:
7.1
Tags:
Complexity:
medium
Is Regression:
Sprint Focus:

Description

I came out with a strange bug.

Using an extension that creates BE users, I made an incorrect configuration, and some non-admin users had the value of the "db_mountpoints" field set to 0 instead of NULL.

The users were in groups that had correctly configured mount points (22, 24). By merging these two pieces of information, users had a mount point list of "0,22,24"

When rendering the page tree in the BE, we could see the two mount points of the group (22 and 24) but also the whole tree from the root (0) exposing the whole site structure to non-authorized users. By clicking on pages that the user should not see, an error "#1289917924: You don't have access to this page" is thrown, hopefully...

Non-admin user should not see all pages from the root. We must therefore be ensured that this case does not occur.

Files

Download all files
Bug_85482.patch (1.62 KB) Bug_85482.patch Presedo Roberto, 2018-07-05 01:27
Intranet__TYPO3_CMS_8_7_16_.png (222 KB) Intranet__TYPO3_CMS_8_7_16_.png Presedo Roberto, 2018-07-05 10:15
Actions
Copy link

Also available in: Atom PDF