From 45a002359f849d5919d1e5e5bd857e8ecf38bc6f Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Fri, 6 Oct 2017 17:34:52 +0200
Subject: [PATCH] [BUGFIX] Only access FAL security checks when in Backend

The FAL security checks, which add additional checks for Backend Users,
are currently placed within TYPO3_MODE === BE, which applies to CLI as well.

In order to even use the FAL API via CLI, a user has to be authenticated (just for
browsing files). Therefore, the check needs to be handled via TYPO3_REQUEST_TYPE
which excludes symfony commands on CLI basis.

Additionally, the REQUEST TYPE checks are handled within the Slot and not
when to register the hook (see other cleanup patch as well).

Resolves: #82691
Releases: master, 8.7
Change-Id: I7b895a119a17ea166331eb1dbcb75e57fffbd388
Reviewed-on: https://review.typo3.org/54315
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Joerg Boesche <typo3@joergboesche.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
Reviewed-by: Henning Liebe <h.liebe@neusta.de>
Reviewed-by: Daniel Gorges <daniel.gorges@b13.de>
Tested-by: Daniel Gorges <daniel.gorges@b13.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../Security/CategoryPermissionsAspect.php        |  4 ++--
 typo3/sysext/backend/ext_localconf.php            | 15 ++++++++-------
 .../Security/StoragePermissionsAspect.php         |  2 +-
 typo3/sysext/core/ext_localconf.php               | 15 ++++++++-------
 4 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php b/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
index 3154e5af4e65..65648ba40b04 100644
--- a/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
+++ b/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
@@ -47,14 +47,14 @@ class CategoryPermissionsAspect
     }
 
     /**
-     * The slot for the signal in DatabaseTreeDataProvider.
+     * The slot for the signal in DatabaseTreeDataProvider, which only affects the TYPO3 Backend
      *
      * @param DatabaseTreeDataProvider $dataProvider
      * @param TreeNode $treeData
      */
     public function addUserPermissionsToCategoryTreeData(DatabaseTreeDataProvider $dataProvider, $treeData)
     {
-        if (!$this->backendUserAuthentication->isAdmin() && $dataProvider->getTableName() === $this->categoryTableName) {
+        if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !$this->backendUserAuthentication->isAdmin() && $dataProvider->getTableName() === $this->categoryTableName) {
 
             // Get User permissions related to category
             $categoryMountPoints = $this->backendUserAuthentication->getCategoryMountPoints();
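Review bot: The new guard at the top of addUserPermissionsToCategoryTreeData silently hands back the unfiltered category tree whenever TYPO3_REQUESTTYPE lacks the BE bit, and the updated docblock does not say so, so a reader of the slot alone cannot tell that the unfiltered result on CLI is intended rather than a missed check. Suggest extending the docblock with ` * Outside of a Backend request (TYPO3_REQUESTTYPE_BE not set, e.g. CLI) the tree is deliberately left unfiltered.`. The same `(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE)` guard is repeated in StoragePermissionsAspect::addUserPermissionsToStorage further down in this patch; if more aspects follow this pattern, a small shared helper would keep the gating rule in one place. The method body continues past the end of the hunk.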
diff --git a/typo3/sysext/backend/ext_localconf.php b/typo3/sysext/backend/ext_localconf.php
index 106bc7889acf..65af364af005 100644
--- a/typo3/sysext/backend/ext_localconf.php
+++ b/typo3/sysext/backend/ext_localconf.php
@@ -1,14 +1,15 @@
 <?php
 defined('TYPO3_MODE') or die();
 
-if (TYPO3_MODE === 'BE') {
-    \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class)->connect(
-        \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::class,
-        \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::SIGNAL_PostProcessTreeData,
-        \TYPO3\CMS\Backend\Security\CategoryPermissionsAspect::class,
-        'addUserPermissionsToCategoryTreeData'
-    );
+// sys_category tree check, which only affects Backend Users
+\TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class)->connect(
+    \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::class,
+    \TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider::SIGNAL_PostProcessTreeData,
+    \TYPO3\CMS\Backend\Security\CategoryPermissionsAspect::class,
+    'addUserPermissionsToCategoryTreeData'
+);
 
+if (TYPO3_MODE === 'BE') {
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433106] = \TYPO3\CMS\Backend\Backend\ToolbarItems\ClearCacheToolbarItem::class;
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433107] = \TYPO3\CMS\Backend\Backend\ToolbarItems\HelpToolbarItem::class;
     $GLOBALS['TYPO3_CONF_VARS']['BE']['toolbarItems'][1435433108] = \TYPO3\CMS\Backend\Backend\ToolbarItems\LiveSearchToolbarItem::class;
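Review bot: The connect() call is now executed for every request type (frontend, CLI, install tool), and the comment above the new block does not mention that the request-type gate has moved into the slot, so the next reader will see an unconditional registration of a Backend-only security check and may re-wrap it in `if (TYPO3_MODE === 'BE')`. Suggest `// sys_category tree check for Backend Users; the slot itself is a no-op unless TYPO3_REQUESTTYPE carries the BE bit, so it is registered unconditionally on purpose`. The same applies to the FAL security check block in the core ext_localconf.php hunk below, where the previous `!(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL)` exclusion is also no longer reflected in the comment.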
diff --git a/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php b/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php
index d67db114a393..8d7a5d78ee02 100644
--- a/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php
+++ b/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php
@@ -60,7 +60,7 @@ class StoragePermissionsAspect
      */
     public function addUserPermissionsToStorage(ResourceFactory $resourceFactory, ResourceStorage $storage)
     {
-        if (!$this->backendUserAuthentication->isAdmin()) {
+        if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !$this->backendUserAuthentication->isAdmin()) {
             $storage->setEvaluatePermissions(true);
             if ($storage->getUid() > 0) {
                 $storage->setUserPermissions($this->backendUserAuthentication->getFilePermissionsForStorage($storage));
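Review bot: The new guard only tests the BE bit, whereas the registration this slot previously sat under in core ext_localconf.php (`TYPO3_MODE === 'BE' && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL)`) also excluded install-tool requests; if an install-tool request carries the BE bit alongside TYPO3_REQUESTTYPE_INSTALL, the slot now runs there and dereferences `$this->backendUserAuthentication`, which may not be initialised in that context. If that exclusion was intentional, keep it in the slot: `if ((TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE) && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL) && !$this->backendUserAuthentication->isAdmin()) {`. The docblock ending just above the signature was not updated, unlike the one in CategoryPermissionsAspect in this same patch; add ` * Only evaluates permissions for Backend requests; other request types (e.g. CLI) leave the storage untouched.` for consistency. The method body continues past the end of the hunk.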
diff --git a/typo3/sysext/core/ext_localconf.php b/typo3/sysext/core/ext_localconf.php
index 5643778bef09..bd929ad92014 100644
--- a/typo3/sysext/core/ext_localconf.php
+++ b/typo3/sysext/core/ext_localconf.php
@@ -5,14 +5,15 @@ defined('TYPO3_MODE') or die();
 /** @var \TYPO3\CMS\Extbase\SignalSlot\Dispatcher $signalSlotDispatcher */
 $signalSlotDispatcher = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\TYPO3\CMS\Extbase\SignalSlot\Dispatcher::class);
 
+// FAL security checks for backend users
+$signalSlotDispatcher->connect(
+    \TYPO3\CMS\Core\Resource\ResourceFactory::class,
+    \TYPO3\CMS\Core\Resource\ResourceFactoryInterface::SIGNAL_PostProcessStorage,
+    \TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect::class,
+    'addUserPermissionsToStorage'
+);
+
 if (TYPO3_MODE === 'BE' && !(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_INSTALL)) {
-    // FAL SECURITY CHECKS
-    $signalSlotDispatcher->connect(
-        \TYPO3\CMS\Core\Resource\ResourceFactory::class,
-        \TYPO3\CMS\Core\Resource\ResourceFactoryInterface::SIGNAL_PostProcessStorage,
-        \TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect::class,
-        'addUserPermissionsToStorage'
-    );
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \TYPO3\CMS\Core\Hooks\BackendUserGroupIntegrityCheck::class;
     $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['typo3/alt_doc.php']['makeEditForm_accessCheck'][] = \TYPO3\CMS\Core\Resource\Security\FileMetadataPermissionsAspect::class . '->isAllowedToShowEditForm';
-- 
GitLab