From 228de96daad6cd58663a83c7dae6c20b42c14055 Mon Sep 17 00:00:00 2001
From: Stefan Froemken <froemken@gmail.com>
Date: Wed, 27 Jul 2016 09:34:54 +0200
Subject: [PATCH] [BUGFIX] Do not override hidden UC fields in user settings

While saving a user's uc record, all fields, which are set to disabled
in user TSconfig, are not touched anymore.
This is enforced by reducing the fields of showItem to the ones which
are allowed via user TSconfig.

Resolves: #77263
Releases: master, 7.6
Change-Id: Ib867efef731654373a3b1502c410ba5e182780e4
Reviewed-on: https://review.typo3.org/49224
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Martin Fox <kontakt@mlis.pl>
Tested-by: Martin Fox <kontakt@mlis.pl>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
---
 .../Controller/SetupModuleController.php      | 42 ++++++++++---------
 1 file changed, 22 insertions(+), 20 deletions(-)

diff --git a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
index 9d4a74017e10..cf5ce1907c3b 100644
--- a/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
+++ b/typo3/sysext/setup/Classes/Controller/SetupModuleController.php
@@ -467,7 +467,11 @@ class SetupModuleController extends AbstractModule
         $fieldArray = $this->getFieldsFromShowItem();
         $tabLabel = '';
         foreach ($fieldArray as $fieldName) {
-            $more = '';
+            $config = $GLOBALS['TYPO3_USER_SETTINGS']['columns'][$fieldName];
+            if (isset($config['access']) && !$this->checkAccess($config)) {
+                continue;
+            }
+
             if (substr($fieldName, 0, 8) === '--div--;') {
                 if ($firstTabLabel === '') {
                     // First tab
@@ -483,28 +487,18 @@ class SetupModuleController extends AbstractModule
                 }
                 continue;
             }
-            $config = $GLOBALS['TYPO3_USER_SETTINGS']['columns'][$fieldName];
-
-            // Field my be disabled in setup.fields
-            if (isset($this->tsFieldConf[$fieldName . '.']['disabled']) && $this->tsFieldConf[$fieldName . '.']['disabled'] == 1) {
-                continue;
-            }
-            if (isset($config['access']) && !$this->checkAccess($config)) {
-                continue;
-            }
             $label = $this->getLabel($config['label'], $fieldName);
             $label = $this->getCSH($config['csh'] ?: $fieldName, $label);
             $type = $config['type'];
             $class = $config['class'];
-
             if ($type !== 'check') {
                 $class .= ' form-control';
             }
-
-            $style = $config['style'];
+            $more = '';
             if ($class) {
                 $more .= ' class="' . htmlspecialchars($class) . '"';
             }
+            $style = $config['style'];
             if ($style) {
                 $more .= ' style="' . htmlspecialchars($style) . '"';
             }
@@ -660,11 +654,9 @@ class SetupModuleController extends AbstractModule
     /**
      * Return a select with available languages
      *
-     * @param array $params
-     *
      * @return string Complete select as HTML string or warning box if something went wrong.
      */
-    public function renderLanguageSelect($params)
+    public function renderLanguageSelect()
     {
         $languageOptions = [];
         // Compile the languages dropdown
@@ -831,10 +823,9 @@ class SetupModuleController extends AbstractModule
      * @param string $str Locallang key
      * @param string $key Alternative override-config key
      * @param bool $addLabelTag Defines whether the string should be wrapped in a <label> tag.
-     * @param string $altLabelTagId Alternative id for use in "for" attribute of <label> tag. By default the $str key is used prepended with "field_".
      * @return string HTML output.
      */
-    protected function getLabel($str, $key = '', $addLabelTag = true, $altLabelTagId = '')
+    protected function getLabel($str, $key = '', $addLabelTag = true)
     {
         if (substr($str, 0, 4) === 'LLL:') {
             $out = htmlspecialchars($this->getLanguageService()->sL($str));
@@ -874,12 +865,23 @@ class SetupModuleController extends AbstractModule
 
     /**
      * Returns array with fields defined in $GLOBALS['TYPO3_USER_SETTINGS']['showitem']
+     * Remove fields which are disabled by user TSconfig
      *
-     * @return array Array with fieldnames visible in form
+     * @return string[] Array with field names visible in form
      */
     protected function getFieldsFromShowItem()
     {
-        return GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_USER_SETTINGS']['showitem'], true);
+        $allowedFields = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_USER_SETTINGS']['showitem'], true);
+        foreach ($this->tsFieldConf as $fieldName => $userTsFieldConfig) {
+            if (!empty($userTsFieldConfig['disabled'])) {
+                $fieldName = rtrim($fieldName, '.');
+                $key = array_search($fieldName, $allowedFields);
+                if ($key !== false) {
+                    unset($allowedFields[$key]);
+                }
+            }
+        }
+        return $allowedFields;
     }
 
     /**
-- 
GitLab