From 99af82fb0198302a69d49b0452d804ee0f10d46c Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Tue, 5 May 2020 15:28:09 +0200
Subject: [PATCH] [BUGFIX] Lift restriction for restricted records in Routing
 Aspects

Since TYPO3 v9.5.16 it is not possible anymore to resolve URLs with an
Aspect that contains records with fe_group restrictions. This is due to
a legacy solution that the Frontend User is actually initialized early enough
but the groups are resolved within $TSFE->determineId() at a later point.

For this reason, Routing does not handle fe_group restrictions, but the
plugin should take care of that for the time being.

Future TYPO3 versions can decide to resolve the fe_group restrictions earlier,
but this would be a breaking change of behaviour of the Frontend
Request Workflow for TYPO3 v10 + v9.

Resolves: #91049
Releases: master, 9.5
Change-Id: I0e57768f5358dc06101acdca374b9c872a65c865
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64408
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Krystian Szymukowicz <k.szymukowicz@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
---
 .../core/Classes/Routing/Aspect/PersistedAliasMapper.php    | 4 ++++
 .../core/Classes/Routing/Aspect/PersistedPatternMapper.php  | 4 ++++
 .../Functional/Routing/Aspect/PersistedAliasMapperTest.php  | 6 ++++--
 .../Routing/Aspect/PersistedPatternMapperTest.php           | 6 ++++--
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/core/Classes/Routing/Aspect/PersistedAliasMapper.php b/typo3/sysext/core/Classes/Routing/Aspect/PersistedAliasMapper.php
index 17d2ed1b58de..79b3308bd90b 100644
--- a/typo3/sysext/core/Classes/Routing/Aspect/PersistedAliasMapper.php
+++ b/typo3/sysext/core/Classes/Routing/Aspect/PersistedAliasMapper.php
@@ -24,6 +24,7 @@ use TYPO3\CMS\Core\Context\ContextAwareTrait;
 use TYPO3\CMS\Core\Context\LanguageAspectFactory;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Database\Query\QueryBuilder;
+use TYPO3\CMS\Core\Database\Query\Restriction\FrontendGroupRestriction;
 use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
 use TYPO3\CMS\Core\Domain\Repository\PageRepository;
 use TYPO3\CMS\Core\Routing\Legacy\PersistedAliasMapperLegacyTrait;
@@ -255,6 +256,9 @@ class PersistedAliasMapper implements PersistedMappableAspectInterface, StaticMa
         $queryBuilder->setRestrictions(
             GeneralUtility::makeInstance(FrontendRestrictionContainer::class, $this->context)
         );
+        // Frontend Groups are not available at this time (initialized via TSFE->determineId)
+        // So this must be excluded to allow access restricted records
+        $queryBuilder->getRestrictions()->removeByType(FrontendGroupRestriction::class);
         return $queryBuilder;
     }
 
diff --git a/typo3/sysext/core/Classes/Routing/Aspect/PersistedPatternMapper.php b/typo3/sysext/core/Classes/Routing/Aspect/PersistedPatternMapper.php
index cab3a2dce15c..e1db676fe99e 100644
--- a/typo3/sysext/core/Classes/Routing/Aspect/PersistedPatternMapper.php
+++ b/typo3/sysext/core/Classes/Routing/Aspect/PersistedPatternMapper.php
@@ -24,6 +24,7 @@ use TYPO3\CMS\Core\Context\ContextAwareTrait;
 use TYPO3\CMS\Core\Context\LanguageAspectFactory;
 use TYPO3\CMS\Core\Database\ConnectionPool;
 use TYPO3\CMS\Core\Database\Query\QueryBuilder;
+use TYPO3\CMS\Core\Database\Query\Restriction\FrontendGroupRestriction;
 use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
 use TYPO3\CMS\Core\Domain\Repository\PageRepository;
 use TYPO3\CMS\Core\Routing\Legacy\PersistedPatternMapperLegacyTrait;
@@ -254,6 +255,9 @@ class PersistedPatternMapper implements PersistedMappableAspectInterface, Static
         $queryBuilder->setRestrictions(
             GeneralUtility::makeInstance(FrontendRestrictionContainer::class, $this->context)
         );
+        // Frontend Groups are not available at this time (initialized via TSFE->determineId)
+        // So this must be excluded to allow access restricted records
+        $queryBuilder->getRestrictions()->removeByType(FrontendGroupRestriction::class);
         return $queryBuilder;
     }
 
diff --git a/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedAliasMapperTest.php b/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedAliasMapperTest.php
index 828449239801..ff8b851af62d 100644
--- a/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedAliasMapperTest.php
+++ b/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedAliasMapperTest.php
@@ -262,10 +262,11 @@ class PersistedAliasMapperTest extends FunctionalTestCase
                 ['slug' => 'hidden-visibility-slug', 'uid' => '4051'],
                 false,
             ],
+            // fe_group slugs are always considered
             'restricted-visibility-slug, raw context' => [
                 $rawContext,
                 ['slug' => 'restricted-visibility-slug', 'uid' => '4052'],
-                false,
+                true,
             ],
             'scheduled-visibility-slug, raw context' => [
                 $rawContext,
@@ -277,10 +278,11 @@ class PersistedAliasMapperTest extends FunctionalTestCase
                 ['slug' => 'hidden-visibility-slug', 'uid' => '4051'],
                 true,
             ],
+            // fe_group slugs are always considered
             'restricted-visibility-slug, frontend-groups context (13)' => [
                 $frontendGroupsContext,
                 ['slug' => 'restricted-visibility-slug', 'uid' => '4052'],
-                false, // @todo actually `true`, FrontendGroupRestriction does not support Context, yet
+                true,
             ],
             'scheduled-visibility-slug, scheduled context (timestamp 20000)' => [
                 $scheduledContext,
diff --git a/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedPatternMapperTest.php b/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedPatternMapperTest.php
index 564cc97d2054..6945d0590ff3 100644
--- a/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedPatternMapperTest.php
+++ b/typo3/sysext/core/Tests/Functional/Routing/Aspect/PersistedPatternMapperTest.php
@@ -266,10 +266,11 @@ class PersistedPatternMapperTest extends FunctionalTestCase
                 ['slug' => 'hidden-visibility-slug-0', 'uid' => '4051'],
                 false,
             ],
+            // fe_group slugs are always considered
             'restricted-visibility-slug, raw context' => [
                 $rawContext,
                 ['slug' => 'restricted-visibility-slug-0', 'uid' => '4052'],
-                false,
+                true,
             ],
             'scheduled-visibility-slug, raw context' => [
                 $rawContext,
@@ -281,10 +282,11 @@ class PersistedPatternMapperTest extends FunctionalTestCase
                 ['slug' => 'hidden-visibility-slug-0', 'uid' => '4051'],
                 true,
             ],
+            // fe_group slugs are always considered
             'restricted-visibility-slug, frontend-groups context (13)' => [
                 $frontendGroupsContext,
                 ['slug' => 'restricted-visibility-slug-0', 'uid' => '4052'],
-                false, // @todo actually `true`, FrontendGroupRestriction does not support Context, yet
+                true,
             ],
             'scheduled-visibility-slug, scheduled context (timestamp 20000)' => [
                 $scheduledContext,
-- 
GitLab