[BUGFIX] Ensure access check for module aliases

This patch extends the access checks for modules. This is done
by checking both the module identifier and potential aliases.

Resolves: #103967
Releases: main, 12.4
Change-Id: Ifc534356f75244ccac81b763bd624fe13f68aa72
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84478


Tested-by: core-ci <typo3@b13.com>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Oliver Bartsch <bo@cedev.de>

typo3/sysext/backend/Classes/Module/ModuleProvider.php

@@ -231,9 +231,13 @@ class ModuleProvider
             return $user->isAdmin();
         }
 
-        // This checks if a user is permitted to access the module, being
-        // either admin or having necessary module access permissions set.
-        if ($user->isAdmin() || $user->check('modules', $identifier)) {
+        // This checks if a user is permitted to access the module as admin
+        if ($user->isAdmin()) {
+            return true;
+        }
+
+        // This checks if the user is having necessary module access permissions by either identifier or alias
+        if ($this->checkModuleAccess($user, $identifier)) {
             return true;
         }
 
@@ -266,4 +270,18 @@ class ModuleProvider
     {
         return array_filter($this->moduleRegistry->getModules(), static fn(ModuleInterface $module): bool => $module->getAccess() === 'user');
     }
+
+    /**
+     * Check if user has access to module based on the identifier or an alias for the identifier
+     */
+    protected function checkModuleAccess(BackendUserAuthentication $user, string $identifier): bool
+    {
+        if ($user->check('modules', $identifier)) {
+            return true;
+        }
+
+        $alias = array_search($identifier, $this->moduleRegistry->getModuleAliases(), true);
+
+        return $alias !== false && $user->check('modules', $alias);
+    }
 }

typo3/sysext/backend/Tests/Functional/Module/ModuleProviderTest.php

@@ -94,4 +94,53 @@ final class ModuleProviderTest extends FunctionalTestCase
 
         self::assertTrue($moduleProvider->accessGranted('all_workspaces', $user)); // 1=workspace is allowed
     }
+
+    #[Test]
+    public function moduleAccessOfUserIsChecked(): void
+    {
+        $parentModule = $this->get(ModuleFactory::class)->createModule(
+            'parent_module',
+            [
+                'access' => 'admin',
+            ]
+        );
+
+        $subModule = $this->get(ModuleFactory::class)->createModule(
+            'sub_module',
+            [
+                'parent' => 'parent_module',
+                'access' => 'user',
+            ]
+        );
+
+        $anotherSubModule = $this->get(ModuleFactory::class)->createModule(
+            'another_sub_module',
+            [
+                'parent' => 'parent_module',
+                'access' => 'user',
+            ]
+        );
+
+        $subModuleWithAlias = $this->get(ModuleFactory::class)->createModule(
+            'sub_module_with_alias',
+            [
+                'parent' => 'parent_module',
+                'aliases' => ['sub_module_alias'],
+                'access' => 'user',
+            ]
+        );
+
+        $moduleRegistry = new ModuleRegistry([$parentModule, $subModule, $anotherSubModule, $subModuleWithAlias]);
+        $moduleProvider = new ModuleProvider($moduleRegistry);
+
+        $user = new BackendUserAuthentication();
+        $user->workspace = 0;
+        $user->groupData['modules'] = 'another_sub_module,sub_module_alias';
+
+        self::assertFalse($moduleProvider->accessGranted('parent_module', $user));
+        self::assertFalse($moduleProvider->accessGranted('sub_module', $user));
+        self::assertTrue($moduleProvider->accessGranted('another_sub_module', $user));
+        self::assertTrue($moduleProvider->accessGranted('sub_module_with_alias', $user));
+        self::assertTrue($moduleProvider->accessGranted('sub_module_alias', $user));
+    }
 }