Bug #87048

closed

File search searches in forbidden folders => InsufficientFolderAccessPermissionsException

Added by Philipp Seiler over 5 years ago. Updated over 1 year ago.

Status: Closed
Priority: Must have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version: -
Start date: 2018-11-30
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 11
PHP Version:
Tags: search
Complexity:
Is Regression:
Sprint Focus:

Description

- A backend user has certain folder permissions in fileadmin, not the whole fileadmin directory.
- User searches in one of those folders, e.g. the letter "a".
- Within the searched folder, any file containing the letters "a" will be found.

- However: TYPO3 also searches for files by metadata!
- This includes files in user_upload directory.
- Any file in user_upload with the letter "a" will be found as well!
- user_upload is however not accessible by the user
- Therefore \TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException is thrown.

Problem originates from \TYPO3\CMS\Core\Resource\FileRepository:
Here the searchByName-Method not only searches in the selected directory, but also metadata:

$fileRecords = $this->getFileIndexRepository()->findByFolders($folders, false, $fileName);
$fileRecords = array_merge($fileRecords, $this->getFileIndexRepository()->findBySearchWordInMetaData($fileName));

Quick solution

Simply remove the line which searches in metadata.

Proper solution

Respect accessible/forbidden folders when searching for files in the backend.


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #87610: Filelist Search - Add constraint to avoid searching of records marked as missing. (Closed, 2019-02-01)

Related to TYPO3 Core - Bug #98423: The file tree search function in the filelist module only considers first filemount per storage (Resolved, 2022-09-22)

Actions #1

Updated by Guido Schmechel over 5 years ago

There is a patchset which is related to this issue: https://review.typo3.org/c/58985/

Actions #2

Updated by Susanne Moog over 5 years ago

  • Tags set to search
Actions #3

Updated by Markus Klein almost 5 years ago

  • Related to Bug #87610: Filelist Search - Add constraint to avoid searching of records marked as missing. added
Actions #4

Updated by Markus Klein almost 5 years ago

It is an intended feature to search in metadata too. IMO this is a good feature.
But of course it should not search in non-accessible stuff.

Besides that: I hope you correctly configured the default upload folder for the users then, if user_upload (the factory default) is not accessible.

Actions #5

Updated by Benni Mack over 2 years ago

  • Status changed from New to Needs Feedback

Since this has been fixed for a few years (see Guido's remark), is this still a problem in TYPO3 v11?

Actions #6

Updated by Patrick Fischer almost 2 years ago

TYPO3 V11.5.15

I can't tell if it's the same error for me, but from the description here it seems to be along the same lines.

The error occurs for us when we filter in the file module with the new file list filter as a backend user, which only has access to certain subfolders of Fileadmin.

Error message Editor:
Navigation loading error
Got unexpected response from the server. Please check logs for details.

Error message in log:
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1375955684: You are not allowed to access the given folder: "" | TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException thrown in file /app/public/typo3/sysext/core/Classes/Resource/ResourceStorage.php in line 857. Requested URL: https://www.example.com/typo3/ajax/filestorage/tree/filterData?token=--AnonymizedToken--&q=a

In our case, it is also the case that a backend user has specific folder permissions in fileadmin, not the entire fileadmin directory.

If you give the editors all permissions in fileadmin, no error occurs.
It seems that the new file list filter also tries to search inaccessible folders.

If I am in the wrong place, I can open a new forge.

Actions #7

Updated by Markus Klein almost 2 years ago

  • Status changed from Needs Feedback to New
  • TYPO3 Version changed from 9 to 11
Actions #8

Updated by Harald Glaser over 1 year ago

I experience the same error as described in comment #6 in TYPO3 V11.5.16. Maybe some additional information is helpful for locating the problem:

The layout of /fileadmin/ is as follows (actual folder names abstracted):
  • /fileadmin/share1
  • /fileadmin/container/subshare1
  • /fileadmin/container/subshare2
  • /fileadmin/share2

Each of the listed folders is configured as a filemount - but not /fileadmin/container/ as a whole, where only the folders on the next level are filemounts (and which does not contain files by itself).
Every user group has access to a specific set of filemounts.

For all users except admin the mentioned error occurs stating 'You are not allowed to access the given folder: "container" ' - even for users with access to all defined file mounts.
Making /fileadmin/container/ a filemount by itself and granting users access rights (not as a valid solution, but only as a test if the nested structure causes the trouble) only changes the error message to 'You are not allowed to access the given folder: "" '.
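
A simplified model of the search behaviour from the description, using the nested filemount layout from comment #8. This is an added example, not TYPO3 core code and not the patch under review; FILE_INDEX, the function names, the file names and the "/share10/" folder are constructed for illustration.

```php
<?php
// Constructed sample index: identifier inside the storage => metadata title.
const FILE_INDEX = [
    '/share1/annual.pdf'             => 'Report',
    '/share10/plan.txt'              => 'alpha draft',
    '/container/subshare1/logo.png'  => 'Brand asset',
    '/container/subshare2/notes.txt' => 'archive',
    '/user_upload/cv.docx'           => 'Applicant data',
];

/** True when $identifier lies inside one of $mounts, compared on whole path segments. */
function isInsideMounts(string $identifier, array $mounts): bool
{
    foreach ($mounts as $mount) {
        $prefix = rtrim($mount, '/') . '/';
        if (strncmp($identifier, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** Reported behaviour: name match inside $folder, merged with a metadata match anywhere. */
function searchAsReported(string $word, string $folder): array
{
    $hits = [];
    foreach (FILE_INDEX as $identifier => $title) {
        $byName = isInsideMounts($identifier, [$folder]) && stripos(basename($identifier), $word) !== false;
        $byMeta = stripos($title, $word) !== false; // no folder constraint at all
        if ($byName || $byMeta) {
            $hits[] = $identifier;
        }
    }
    return $hits;
}

/** Scoped variant: every hit, whatever produced it, must lie inside a filemount of the user. */
function searchScoped(string $word, string $folder, array $mounts): array
{
    return array_values(array_filter(
        searchAsReported($word, $folder),
        static fn (string $identifier): bool => isInsideMounts($identifier, $mounts)
    ));
}

// Hypothetical editor with two filemounts and none on /container/ itself.
$mounts = ['/share1/', '/container/subshare1/'];
print_r(searchAsReported('a', '/share1/'));
print_r(searchScoped('a', '/share1/', $mounts));
```

The mount check compares against the mount path with a trailing slash, so a mount on /share1/ does not also cover /share10/, and a mount on a subfolder grants nothing on its parent.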

Actions #9

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75851

Actions #10

Updated by Markus Klein over 1 year ago

I pushed a patch fixing the exception problem.

But it shows me a new bug: The search only considers the first filemount within a storage!
I will create a dedicated issue for this, as this is rather complex to solve.

Actions #11

Updated by Markus Klein over 1 year ago

  • Related to Bug #98423: The file tree search function in the filelist module only considers first filemount per storage added
Actions #12

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75851

Actions #13

Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/75851

Actions #14

Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76178

Actions #15

Updated by Markus Klein over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #16

Updated by Gerrit Code Review over 1 year ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch 11.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/76178

Actions #17

Updated by Markus Klein over 1 year ago

  • Status changed from Under Review to Resolved
Actions #18

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed