From 5b4563b284df88f1eb04aeb54c95cf751bcb3416 Mon Sep 17 00:00:00 2001
From: Morton Jonuschat <m.jonuschat@mojocode.de>
Date: Fri, 20 May 2016 06:50:26 +0200
Subject: [PATCH] [BUGFIX] Fix page permissions SQL clause in
 BackendConfigurationManager

Instead of passing the literal value "1" as the permission clause to
QueryGenerator->getTreeList(), use a page permission clause created with
$BE_USER->getPagePermsClause() when determining the recursive storage pids.
Passing the bare value "1" produces invalid SQL statements and performs no
access check at all.

Releases: master, 7.6
Resolves: #75912
Change-Id: I6edadd627c0a9c01a78c3cb55805455fed710d14
Reviewed-on: https://review.typo3.org/48220
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Morton Jonuschat <m.jonuschat@mojocode.de>
Tested-by: Morton Jonuschat <m.jonuschat@mojocode.de>
---
 .../Configuration/BackendConfigurationManager.php   | 11 ++++++++++-
 .../BackendConfigurationManagerTest.php             | 13 +++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php b/typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
index 486b83997a36..6a0493c8c518 100644
--- a/typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
+++ b/typo3/sysext/extbase/Classes/Configuration/BackendConfigurationManager.php
@@ -230,8 +230,9 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
 
         $recursiveStoragePids = '';
         $storagePids = \TYPO3\CMS\Core\Utility\GeneralUtility::intExplode(',', $storagePid);
+        $permsClause = $this->getBackendUser()->getPagePermsClause(1);
         foreach ($storagePids as $startPid) {
-            $pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, 1);
+            $pids = $this->queryGenerator->getTreeList($startPid, $recursionDepth, 0, $permsClause);
             if ((string)$pids !== '') {
                 $recursiveStoragePids .= $pids . ',';
             }
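Review bot: The bitmask `1` passed to `getPagePermsClause(1)` on the new `$permsClause` line is an unexplained magic number; presumably it is the page "show" permission bit, but nothing in the hunk says so, and a reader auditing the access check has to look it up. A comment such as `// 1 = 'show' page permission bit, evaluated for the current backend user` (or the core's named constant for that bit, if this branch already has one) would make the check reviewable. Note also that the clause only constrains the rows fetched while expanding sub-pages; whether the configured start pid itself is returned without any check depends on how getTreeList treats `$begin = 0`, which is outside this hunk, and that behaviour is worth stating in the method's docblock. The enclosing method begins before this hunk.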
@@ -239,4 +240,12 @@ class BackendConfigurationManager extends \TYPO3\CMS\Extbase\Configuration\Abstr
 
         return rtrim($recursiveStoragePids, ',');
     }
+
+    /**
+     * @return \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
+     */
+    protected function getBackendUser()
+    {
+        return $GLOBALS['BE_USER'];
+    }
 }
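Review bot: `getBackendUser()` is documented as always returning a `BackendUserAuthentication`, but it simply hands back `$GLOBALS['BE_USER']`, which is only an object once a backend user has been bootstrapped; in any context where that has not happened, the caller's `$this->getBackendUser()->getPagePermsClause(1)` dies with a fatal error on null instead of failing in a controlled way. Either document the precondition — `@return \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|null` plus a sentence that callers must not assume a user is present — or fail closed explicitly, e.g. `if (!is_object($GLOBALS['BE_USER'])) { throw new \RuntimeException('No backend user available for the page permission check'); }`. I cannot tell from the patch whether a CLI or scheduler run can reach this code without a user, so that is something to confirm rather than a known path.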
diff --git a/typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php b/typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php
index 2eefaa41126e..638e82a32227 100644
--- a/typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php
+++ b/typo3/sysext/extbase/Tests/Unit/Configuration/BackendConfigurationManagerTest.php
@@ -13,6 +13,7 @@ namespace TYPO3\CMS\Extbase\Tests\Unit\Configuration;
  *
  * The TYPO3 project - inspiring people to share!
  */
+use Prophecy\Prophecy\ObjectProphecy;
 
 /**
  * Test case
@@ -337,6 +338,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     {
         $storagePid = '1,2,3';
         $recursive = 99;
+
+        /** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
+        $beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
+        $beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
+        $GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
+
         /** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
         $abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
         $queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
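Review bot: The four new set-up lines that prophesize a `BackendUserAuthentication`, stub `getPagePermsClause(1)` and assign `$GLOBALS['BE_USER']` are repeated verbatim in the following test; a private helper on the test class that builds the stub and installs it in `$GLOBALS['BE_USER']` would keep the two tests in sync if the permission bit or clause ever changes. Separately, `$GLOBALS['BE_USER']` is overwritten here and never restored within the hunk; unless the base UnitTestCase backs up and restores globals (not visible in this patch), the stubbed user leaks into later tests in the same process. The test method continues past the end of the hunk.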
@@ -357,6 +364,12 @@ class BackendConfigurationManagerTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     {
         $storagePid = '1,2,-3';
         $recursive = 99;
+
+        /** @var \TYPO3\CMS\Core\Authentication\BackendUserAuthentication|ObjectProphecy $beUserAuthentication */
+        $beUserAuthentication = $this->prophesize(\TYPO3\CMS\Core\Authentication\BackendUserAuthentication::class);
+        $beUserAuthentication->getPagePermsClause(1)->willReturn('1=1');
+        $GLOBALS['BE_USER'] = $beUserAuthentication->reveal();
+
         /** @var $abstractConfigurationManager \TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager */
         $abstractConfigurationManager = $this->getAccessibleMock(\TYPO3\CMS\Extbase\Configuration\BackendConfigurationManager::class, array('overrideSwitchableControllerActions', 'getContextSpecificFrameworkConfiguration', 'getTypoScriptSetup', 'getPluginConfiguration', 'getSwitchableControllerActions'));
         $queryGenerator = $this->getMock(\TYPO3\CMS\Core\Database\QueryGenerator::class);
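Review bot: The stub answers `getPagePermsClause(1)` with `'1=1'`, the fully permissive clause, so on its own this test cannot tell the fixed code apart from the old behaviour of passing `1`; whether the fix is actually exercised depends on the QueryGenerator mock's argument expectation further down, which is outside the hunk. Since the point of the change is that the user's permission clause reaches the query, one test should return a clearly recognisable dummy clause from the stub and assert that `getTreeList` receives exactly that string as its fourth argument, e.g. `->willReturn('dummyPermsClause')` on the stub and a `with(...)` expectation ending in `'dummyPermsClause'` on the mock. The test method continues past the end of the hunk.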
-- 
GitLab