From 7c5c26eb2a16215c13cab04816075575f8d68f80 Mon Sep 17 00:00:00 2001
From: Christoph Lehmann <christoph.lehmann@networkteam.com>
Date: Wed, 13 Sep 2017 23:34:45 +0200
Subject: [PATCH] [BUGFIX] Make category tree filterable for editors with
 category mounts

TCEFORM.pages.categories.config.treeConfig.rootUid should filter
the category tree. Non-Admin users with category mounts currently
need every child category of rootUid in their category mounts
since the rootline of rootUid is not checked against the category
mounts.

Resolves: #78274
Releases: master,8.7,7.6
Change-Id: Id02ae69111df7397207939a034ed05797eb160ad
Reviewed-on: https://review.typo3.org/54138
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
---
 .../Security/CategoryPermissionsAspect.php    | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php b/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
index e385d0841247..bdef965731c6 100644
--- a/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
+++ b/typo3/sysext/backend/Classes/Security/CategoryPermissionsAspect.php
@@ -65,6 +65,15 @@ class CategoryPermissionsAspect
 
             if (!empty($categoryMountPoints) && !empty($treeNodeCollection)) {
 
+                // Check the rootline against categoryMountPoints when tree was filtered
+                if ($dataProvider->getRootUid() !== null) {
+                    $uidsInRootline = $this->findUidsInRootline($dataProvider->getRootUid());
+                    if (!empty(array_intersect($categoryMountPoints, $uidsInRootline))) {
+                        // One of the parents was found in categoryMountPoints so all children are secure
+                        return;
+                    }
+                }
+
                 // First, remove all child nodes which must be analysed to be considered as "secure".
                 // The nodes were backed up in variable $treeNodeCollection beforehand.
                 $treeData->removeChildNodes();
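Review bot: The early `return` inside the `getRootUid() !== null` branch is an authorization shortcut that skips all of the mount-point filtering below it, so the comment should state exactly what it relies on. I would write something like `// $uidsInRootline holds only ancestors of rootUid; a mount on any ancestor grants the whole filtered tree, so no node filtering is needed`. The ancestor lookup in `findUidsInRootline()` appears to apply no restriction on deleted or otherwise disabled records, so a mount that points at a removed ancestor would presumably still trigger this shortcut; please confirm that is intended. `getRootUid()` is also called twice and could be read once with `$rootUid = $dataProvider->getRootUid();`. The enclosing method starts and ends outside this hunk, so how `$categoryMountPoints` is normalised is not visible here.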
@@ -118,4 +127,20 @@ class CategoryPermissionsAspect
         }
         return $result;
     }
+
+    /**
+     * Find parent uids in rootline
+     *
+     * @param integer $uid
+     * @return array
+     */
+    protected function findUidsInRootline($uid) {
+        $row = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow('parent', $this->categoryTableName, 'uid=' . (int)$uid);
+        $parentUids = [];
+        if ($row['parent'] > 0) {
+            $parentUids = $this->findUidsInRootline($row['parent']);
+            $parentUids[] = $row['parent'];
+        }
+        return $parentUids;
+    }
 }
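Review bot: `findUidsInRootline()` recurses with no guard against a cyclic `parent` relation and no check that the row was found, so inconsistent category data (A is a parent of B and B of A) would recurse until the request dies, and a missing uid is read as an array anyway. It also issues one query per level, and this runs on a permission check for every non-admin tree render. An iterative walk that stops on a missing row, a non-positive parent or an already-seen uid avoids both problems; the result order changes from root-first to nearest-first, which does not matter for the `array_intersect()` caller. As smaller points, the docblock should say `@param int $uid` and note that the returned list excludes `$uid` itself, and the opening brace belongs on its own line to match the rest of the class.

```php
protected function findUidsInRootline($uid)
{
    $parentUids = [];
    $currentUid = (int)$uid;
    // Walk upwards; stop on a missing row, a root category, or a uid already seen (cyclic parent relation)
    while ($currentUid > 0) {
        $row = $GLOBALS['TYPO3_DB']->exec_SELECTgetSingleRow('parent', $this->categoryTableName, 'uid=' . $currentUid);
        $parentUid = is_array($row) ? (int)$row['parent'] : 0;
        if ($parentUid <= 0 || in_array($parentUid, $parentUids, true)) {
            break;
        }
        $parentUids[] = $parentUid;
        $currentUid = $parentUid;
    }
    return $parentUids;
}
```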
-- 
GitLab