[BUGFIX] Fix page permissions SQL clause in BackendConfigurationManager
Instead of passing the simple value "1" to QueryGenerator->getTreeList() use a page permission clause created using $BE_USER->getPagePermsClause() when determining the recursive storage pids. Passing the unprocessed value "1" causes invalid SQL statements and does not perform any access checks.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
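
The access-check difference the commit message describes, as an added Python/SQLite model that is not TYPO3 code and not part of this commit: a tree walk that appends a caller-supplied permission clause to each level's query, fed the bare value `1` and then a per-user clause. The sample rows and the helpers `make_db()`, `page_perms_clause()` and `tree_list()` are constructed for illustration; only the `pages.perms_*` column names follow TYPO3's schema, and the clause is a simplified assumption of what a per-user permission clause looks like.

```python
import sqlite3

SHOW = 1  # permission bit for "show page", the value the commit message mentions

def make_db():
    """Constructed sample page tree; column names follow TYPO3's pages table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (uid INTEGER PRIMARY KEY, pid INT, perms_userid INT,"
               " perms_user INT, perms_groupid INT, perms_group INT, perms_everybody INT)")
    db.executemany("INSERT INTO pages VALUES (?,?,?,?,?,?,?)", [
        (1, 0, 1, 31, 0, 0, 1),    # storage root, visible to everybody
        (2, 1, 7, 31, 0, 0, 0),    # owned by user 7
        (3, 1, 9, 31, 5, 1, 0),    # owned by user 9, group 5 may view
        (4, 1, 9, 31, 6, 27, 0),   # owned by user 9, group 6 only
        (5, 4, 7, 31, 0, 0, 0),    # owned by user 7, but below page 4
    ])
    return db

def page_perms_clause(user_id, group_ids, perms=SHOW, is_admin=False):
    """Hypothetical, simplified model of a per-user page permission clause."""
    if is_admin:
        return "1=1"
    p = int(perms)
    clause = (f"(pages.perms_everybody & {p} = {p}"
              f" OR (pages.perms_userid = {int(user_id)} AND pages.perms_user & {p} = {p})")
    if group_ids:
        groups = ",".join(str(int(g)) for g in group_ids)
        clause += f" OR (pages.perms_groupid IN ({groups}) AND pages.perms_group & {p} = {p})"
    return clause + ")"

def tree_list(db, root, depth, perms_clause):
    """Return root plus descendant uids; perms_clause is appended at every level."""
    uids, level = [root], [root]
    for _ in range(depth):
        marks = ",".join("?" * len(level))
        rows = db.execute(f"SELECT uid FROM pages WHERE pid IN ({marks})"
                          f" AND {perms_clause} ORDER BY uid", level).fetchall()
        level = [r[0] for r in rows]
        if not level:
            break
        uids += level
    return uids

if __name__ == "__main__":
    db = make_db()
    print("bare 1:      ", tree_list(db, 1, 2, "1"))
    print("user 7, g[5]:", tree_list(db, 1, 2, page_perms_clause(7, [5])))
```

In this model the bare `1` is a constant-true condition, so every page in the subtree is returned, while the per-user clause stops the walk at page 4 and never reaches page 5 beneath it.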
Showing
- typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php (10 additions, 1 deletion)
- typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php (13 additions, 0 deletions)