Bug #91753
closed
Pagetree not respecting getPagePermsClause()
100%
Description
With change #91221, the pagetree now uses the doctrine restriction builder to limit the number of pages shown in the pagetree to those pages a user has access to.
In my opinion this is wrong, since the pagetree, like many other TYPO3 components (e.g. SuggestWizards, List Views), should use $GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW) to restrict queries to pages a user has access to.
As an example, the SuggestWizardDefaultReceiver uses this as shown below:

    $this->queryBuilder->andWhere(
        QueryHelper::stripLogicalOperatorPrefix($GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW)),
        $this->queryBuilder->expr()->eq('sys_language_uid', 0)
    );

The current implementation in the pagetree can be considered a breaking change, since the query now does not respect query limitations set by hooks (e.g. $TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['getPagePermsClause']). This hook is used in at least one extension (ext:be_acl), and the change breaks the extension's functionality.
Before the pagetree refactoring in V9, this getPagePermsClause() query restriction was also taken into account. See https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_8-7/typo3/sysext/backend/Classes/Tree/View/BrowseTreeView.php#L91
I opt for changing the query restrictions for the pagetree to use getPagePermsClause(), so page permission evaluation is consistent with other backend components and in order to fix the regression.
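
Added illustration, not part of the original report and not TYPO3 or be_acl code: a small model of the regression described above, in which one code path asks the central permission function (hooks applied) and another builds its own restriction (hooks skipped), and the two are compared on the same data. The schema, the hook shape, and the names coreClause, visiblePages and $hooks are simplified assumptions; the rows are constructed sample data.

```php
<?php
// Added illustration, not TYPO3 or be_acl code. Schema, hook shape and all
// function names are simplified assumptions; sample rows are constructed.
const PAGE_SHOW = 1; // same value as Permission::PAGE_SHOW in TYPO3

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE pages (uid INTEGER PRIMARY KEY, perms_userid INTEGER,
    perms_user INTEGER, perms_everybody INTEGER)');
$db->exec('CREATE TABLE acl (page_uid INTEGER, user_uid INTEGER, permissions INTEGER)');
// User 7 owns page 1; page 2 is granted to user 7 only through an ACL row.
$db->exec('INSERT INTO pages VALUES (1, 7, 1, 0), (2, 3, 1, 0), (3, 3, 1, 0)');
$db->exec('INSERT INTO acl VALUES (2, 7, 1)');

// Built-in rule only: what a component gets when it builds its own restriction.
function coreClause(int $user, int $perms): string
{
    return "((perms_everybody & $perms) = $perms"
        . " OR (perms_userid = $user AND (perms_user & $perms) = $perms))";
}

// Central entry point: every registered hook may rewrite the clause.
function getPagePermsClause(int $user, int $perms, array $hooks): string
{
    $clause = coreClause($user, $perms);
    foreach ($hooks as $hook) {
        $clause = $hook(['currentClause' => $clause, 'perms' => $perms, 'user' => $user]);
    }
    return $clause;
}

function visiblePages(PDO $db, string $where): array
{
    return $db->query("SELECT uid FROM pages WHERE $where ORDER BY uid")
        ->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical ACL hook in the style the report attributes to ext:be_acl.
$hooks = [static function (array $p): string {
    return sprintf('(%s OR uid IN (SELECT page_uid FROM acl WHERE user_uid = %d'
        . ' AND (permissions & %d) = %d))', $p['currentClause'], $p['user'], $p['perms'], $p['perms']);
}];

$central = visiblePages($db, getPagePermsClause(7, PAGE_SHOW, $hooks));
$bypass = visiblePages($db, coreClause(7, PAGE_SHOW));
// Pages on which the two code paths disagree about access, in either direction.
$drift = array_merge(array_diff($central, $bypass), array_diff($bypass, $central));
printf("central: %s\nown restriction: %s\ndisagree on: %s\n",
    implode(',', $central), implode(',', $bypass), implode(',', $drift));
```

A non-empty "disagree on" list is the signal to look for: it means a component's view of page access has drifted from the hook-aware permission clause, whether the hook was meant to widen access or to narrow it.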