Bug #99103

Filemounts with identical path are merged based on their title, which makes access rights unreliable

Added by Sebastian Klein about 2 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2022-11-16
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Use case

  • Basic backend editors should get read-only access to a filemount.
  • Advanced users should be allowed to get full access to the same filemount.

Often enough, backend user rights are inherited between Backend usergroups and/or Backend users. This can lead to unexpected behaviour.

Example Filemounts:

UID | Title               | base (Storage) | path      | read_only
1   | Content (read-only) | 1 (fileadmin/) | /content/ | true
2   | Content             | 1 (fileadmin/) | /content/ | false

Example Backend usergroups:

  • Basic rights (e.g. for page permissions)
  • Basic editors (w/ Filemount 1)
  • News editors (w/ Filemount 1)
  • Global editors (w/ Filemount 2)

Global editors will inherit the rights of Basic and News editors, including their read-only filemount. The Global editors additionally include the second filemount with full access.

Current behaviour

The filemount's title determines the loading order before the filemounts are processed and records with identical paths are merged.

In BackendUserAuthentication::getFileMountRecords(), the QueryBuilder's $orderBy is set to title (https://github.com/TYPO3-CMS/core/blob/11.5/Classes/Authentication/BackendUserAuthentication.php#L1405).

$fileMountRecords (https://github.com/TYPO3-CMS/core/blob/11.5/Classes/Authentication/BackendUserAuthentication.php#L1424) contains all assigned and active filemounts of a backend user, e.g.:

$fileMountRecords: Array
(
    [0] => Array
        (
            [uid] => 2
            [pid] => 0
            [tstamp] => 1413969481
            [title] => Content
            [path] => /content/
            [base] => 1
            [hidden] => 0
            [deleted] => 0
            [sorting] => 64
            [description] =>
            [read_only] => 0
        )

    [1] => Array
        (
            [uid] => 1
            [pid] => 0
            [tstamp] => 1668505723
            [title] => Content (read-only)
            [path] => /content/
            [base] => 1
            [hidden] => 0
            [deleted] => 0
            [sorting] => 1024
            [description] =>
            [read_only] => 1
        )
)

The following foreach() stores these records in $fileMountRecordCache, overwriting all records with the same identifier [1/content/], so only the record whose title sorts last survives.

Tested in TYPO3 v10, v11, and 12.0.

Note: In TYPO3 v12 the identifier [1/content/] is provided by a new variable, identifier, replacing the combination of base + path.

Expected behaviour/possible solutions

A common title should never influence functionality in this way.

Usage of the filemount should be based either on:
  • the loading order (the last include in the fallback chain of backend user rights); or
  • extending the given rights (same path with and without write access => write access granted).

Either way, this will be a breaking change for existing setups.

Workaround

Choose filemount titles carefully so that they sort alphabetically in the intended order:
  • Filemount with read-only: "Content (read-only)"
  • Filemount with full access: "Content (write)"
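As an added illustration (not the reporter's code and not TYPO3 core code), the following PHP models the title-ordered, last-wins merge described under "Current behaviour", the title-renaming workaround, and the rights-extending merge proposed above; the two records are constructed to match the example filemounts.

```php
<?php
// Added example, not TYPO3 core code: a simplified model of the merge described in
// the report. The two records are constructed to match the report's filemounts.

// The core query orders sys_filemounts by title, which fixes the loading order.
function orderByTitle(array $records): array
{
    usort($records, static fn(array $a, array $b): int => strcmp($a['title'], $b['title']));
    return $records;
}

// Current behaviour: the cache is keyed by base + path, and a later record silently
// overwrites an earlier one, so whichever title sorts last decides the access level.
function mergeLastWins(array $records): array
{
    $cache = [];
    foreach (orderByTitle($records) as $record) {
        $cache[$record['base'] . $record['path']] = $record;
    }
    return $cache;
}

// Possible solution from the report: extend rights instead of overwriting, so the
// merged mount is read-only only if every assigned record for that path is read-only.
function mergeExtendingRights(array $records): array
{
    $cache = [];
    foreach (orderByTitle($records) as $record) {
        $identifier = $record['base'] . $record['path'];
        if (!isset($cache[$identifier]) || ($cache[$identifier]['read_only'] && !$record['read_only'])) {
            $cache[$identifier] = $record;
        }
    }
    return $cache;
}

$readOnly = ['uid' => 1, 'title' => 'Content (read-only)', 'base' => 1, 'path' => '/content/', 'read_only' => 1];
$full     = ['uid' => 2, 'title' => 'Content',             'base' => 1, 'path' => '/content/', 'read_only' => 0];

// Titles as in the report: "Content" sorts before "Content (read-only)", so read-only wins.
$merged = mergeLastWins([$full, $readOnly]);
printf("last-wins, original titles: uid=%d read_only=%d\n", $merged['1/content/']['uid'], $merged['1/content/']['read_only']);
// Workaround: rename the full-access mount so it sorts after the read-only one.
$renamed = $full;
$renamed['title'] = 'Content (write)';
$merged = mergeLastWins([$renamed, $readOnly]);
printf("last-wins, renamed title:   uid=%d read_only=%d\n", $merged['1/content/']['uid'], $merged['1/content/']['read_only']);
// Rights-extending merge: write access is granted regardless of title order.
$merged = mergeExtendingRights([$full, $readOnly]);
printf("extending rights:           uid=%d read_only=%d\n", $merged['1/content/']['uid'], $merged['1/content/']['read_only']);
```

The first call shows the read-only record (uid 1) surviving; the renamed title flips that to uid 2, and the rights-extending merge grants write access without depending on how the titles sort.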
#1

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79654

#2

Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79654

#3

Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79690

#4

Updated by Susanne Moog over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#5

Updated by Benni Mack 5 months ago

  • Status changed from Resolved to Closed