From 448ad365f3fb7ede8f79835b056decce66fa949b Mon Sep 17 00:00:00 2001
From: Ingo Fabbri <inf@mmc-agentur.at>
Date: Thu, 22 Jul 2021 21:17:56 +0200
Subject: [PATCH] [BUGFIX] Prevent workspace access checks for dummy user

The backend usergroup compare view needs to fetch the
group data of the groups being compared. Since this operation
depends on a user array, UserInformationService creates
such a dummy user.

Since #93233 the dummy user array also contains a workspace
id `-99`.

To successfully overcome workspace access-checks, set
the admin-flag for this fake-user. Use workspace uid 0,
to avoid any database operations on workspace access
checks. Workspace 0 additionally prevents the log-message,
which led to the exception message described at #93894.

Resolves: #93894
Related: #93233
Releases: master, 11.5
Change-Id: Ieb5da95082cb6dfd5c030fbd04d735863d587510
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/70056
Tested-by: core-ci <typo3@b13.com>
Tested-by: Jochen <rothjochen@gmail.com>
Tested-by: Nikita Hovratov <nikita.h@live.de>
Tested-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen <rothjochen@gmail.com>
Reviewed-by: Nikita Hovratov <nikita.h@live.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
---
 .../Service/UserInformationService.php        |  8 +++++-
 .../BackendUserGroup/PaginatedList.html       |  2 +-
 .../BackendUser/CompareUserCest.php           | 28 +++++++++++++++++++
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/beuser/Classes/Service/UserInformationService.php b/typo3/sysext/beuser/Classes/Service/UserInformationService.php
index ffb96902bde4..001bc354ef5d 100644
--- a/typo3/sysext/beuser/Classes/Service/UserInformationService.php
+++ b/typo3/sysext/beuser/Classes/Service/UserInformationService.php
@@ -57,12 +57,18 @@ class UserInformationService
         $user->enablecolumns = [
             'deleted' => true,
         ];
+
         // Setup dummy user to allow fetching all group data
         // @see \TYPO3\CMS\Core\Authentication\BackendUserAuthentication::fetchGroups
         $user->user = [
             'uid' => PHP_INT_MAX,
             'options' => 3,
-            'workspace_id' => -99,
+            // The below admin flag is required to prevent workspace access checks,
+            // triggered by workspaceInit() in fetchGroupData(). Those would fail
+            // due to insufficient permissions of the dummy user and therefore might
+            // result in generating superfluous log entries.
+            'admin' => 1,
+            'workspace_id' => 0,
             'realName' => 'fakeUser',
             'email' => 'fake.user@typo3.org',
             'TSconfig' => '',
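Review bot: The comment added above `'admin' => 1` justifies the flag only by the log entries it avoids and does not record that the dummy user now passes every admin-gated check made on this object. I would extend it with something like `// This user is admin solely to skip workspaceInit() checks: never persist it, assign it to $GLOBALS['BE_USER'], or use it for access decisions.` so the elevated object stays confined to this service. The method continues outside the hunk, so I cannot confirm how the collected data is read afterwards. If any of it comes from methods that short-circuit for admins rather than from the fetched group data, the compare view would presumably show more than the groups actually grant, which is worth checking before merge.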
diff --git a/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html b/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
index f175c1cdcf8c..2c59f8f92cf2 100644
--- a/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
+++ b/typo3/sysext/beuser/Resources/Private/Partials/BackendUserGroup/PaginatedList.html
@@ -1,5 +1,5 @@
 <div class="table-fit">
-    <table class="table table-striped table-hover">
+    <table id="typo3-backend-user-group-list" class="table table-striped table-hover">
         <thead>
         <tr>
             <th class="col-icon"></th>
diff --git a/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php b/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php
index 05eb069b005e..f3e8ce411759 100644
--- a/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php
+++ b/typo3/sysext/core/Tests/Acceptance/Application/BackendUser/CompareUserCest.php
@@ -70,4 +70,32 @@ class CompareUserCest
         $I->waitForElementVisible('#EditDocumentController');
         $I->canSee('Edit Backend user "' . $usernameFirstCompare . '" on root level');
     }
+
+    /**
+     * @param ApplicationTester $I
+     */
+    public function accessingBackendUserCompareViewWorks(ApplicationTester $I): void
+    {
+        $I->amGoingTo('Switch to user group listing');
+        $I->see('Backend User Listing', 'h1');
+        $I->selectOption('.t3-js-jumpMenuBox', 'Backend user groups');
+        $I->see('Backend User Group Listing', 'h1');
+
+        $I->amGoingTo('Add three groups to compare');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(1) > td.col-control > div:nth-child(3) > a');
+        $I->waitForElementVisible('table#typo3-backend-user-group-list');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(2) > td.col-control > div:nth-child(3) > a');
+        $I->waitForElementVisible('table#typo3-backend-user-group-list');
+        $I->click('#typo3-backend-user-group-list > tbody > tr:nth-child(3) > td.col-control > div:nth-child(3) > a');
+
+        $I->amGoingTo('Access the user group compare view');
+        $I->waitForElementVisible('table#typo3-backend-user-list-compare', 20);
+        $I->canSeeNumberOfElements('#typo3-backend-user-list-compare tbody tr', 3);
+        $I->click('Compare backend usergroups');
+
+        $I->amGoingTo('Check compare view is loaded with the correct number of groups');
+        $I->see('Compare backend usergroups', 'h1');
+        // We expect four header columns, since the first one is used for the row labels
+        $I->canSeeNumberOfElements('#tx_beuser_compare > thead > tr > th', 4);
+    }
 }
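Review bot: The new test `accessingBackendUserCompareViewWorks` asserts only that the compare view renders with four header columns, so it would still pass if the admin flag now set on the dummy user changed which permissions are displayed for the compared groups. One content assertion against a known fixture group would cover that, for example `$I->see('<permission label expected for the fixture group>', '#tx_beuser_compare');` together with a `dontSee` for a permission that group lacks; the label here is a placeholder, since the fixture data is not visible in this patch. Separately, the `tr:nth-child(n) > td.col-control > div:nth-child(3) > a` selectors tie the test to row and button order, and a short comment naming which control they click would make failures easier to diagnose.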
-- 
GitLab