Bug #91753
Updated by Torben Hansen almost 4 years ago
With change #91221, the pagetree now uses the doctrine restriction builder to limit the amount of pages shown in the pagetree to those pages a user has access to.
In my opinion this is wrong, since the pagetree, like many other TYPO3 components (e.g. SuggestWizards, List Views) should use <code>$GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW)</code> to restrict queries to pages a user has access to.
As an example, the <code>SuggestWizardDefaultReceiver</code> uses this as shown below:
<pre>
$this->queryBuilder->andWhere(
QueryHelper::stripLogicalOperatorPrefix($GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW)),
$this->queryBuilder->expr()->eq('sys_language_uid', 0)
);
</pre>
The current implementation in the pagetree can be considered as a breaking change, since the query now does not respect query limitations set by hooks (e.g. <code>$TYPO3_CONF_VARS['SC_OPTIONS']['t3lib/class.t3lib_userauthgroup.php']['getPagePermsClause']</code>). This hook is at least used in one extension (ext:be_acl) and the change breaks the extension functionality.
Before the pagetree refactoring in V9, this <code>getPagePermsClause()</code> query restriction was also taken into account. See https://github.com/TYPO3/TYPO3.CMS/blob/TYPO3_8-7/typo3/sysext/backend/Classes/Tree/View/BrowseTreeView.php#L91
I opt for changing the query restrictions for the pagetree to use <code>getPagePermsClause()</code>, so page permission evaluation is consistent streamlined with other backend components and in order to fix the regression.