From b2443a9e49d07a2be0402937c3bc3da848318a2a Mon Sep 17 00:00:00 2001
From: Nicole Cordes <typo3@cordes.co>
Date: Thu, 30 Apr 2015 15:15:05 +0200
Subject: [PATCH] [BUGFIX] Prevent root folder listing for users

If a user hasn't any file mount defined or the defined file mounts don't exist the root folder of the storage is shown. To prevent disallowed listing of folders only admin users are allowed see and browse root folder and editors get an information that no file mounts are configured.

Releases: master, 6.2
Resolves: #66687
Change-Id: I301d05773f10885351034dae2b0bbd16ac20ac55
Reviewed-on: http://review.typo3.org/39089
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
---
 .../Classes/Tree/View/FolderTreeView.php | 26 ++++++++++++++++---
 .../Resources/Private/Language/locallang.xlf | 6 +++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php b/typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php
index b4c8d779159a..34e7b4ce8a9e 100644
--- a/typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php
+++ b/typo3/sysext/backend/Classes/Tree/View/FolderTreeView.php
@@ -15,8 +15,10 @@ namespace TYPO3\CMS\Backend\Tree\View;
 */
 use TYPO3\CMS\Backend\Utility\IconUtility;
+use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Resource\FolderInterface;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Lang\LanguageService;
 /**
 * Generate a folder tree,
@@ -57,7 +59,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView {
 */
 public function __construct() {
 parent::init();
- $this->storages = $GLOBALS['BE_USER']->getFileStorages();
+ $this->storages = $this->BE_USER->getFileStorages();
 $this->treeName = 'folder';
 // Don't apply any title
 $this->titleAttrib = '';
@@ -249,7 +251,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView { 'name' => $fileMountInfo['title'] ); } - } else { + } elseif ($this->BE_USER->isAdmin()) { $rootLevelFolders[] = array( 'folder' => $storageObject->getRootLevelFolder(), 'name' => $storageObject->getName() @@ -288,7 +290,7 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView { // Mark a storage which is not online, as offline // maybe someday there will be a special icon for this if ($storageObject->isOnline() === FALSE) { - $rootLevelFolderName .= ' (' . $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file.xlf:sys_file_storage.isOffline') . ')'; + $rootLevelFolderName .= ' (' . $this->getLanguageService()->sL('LLL:EXT:lang/locallang_mod_file.xlf:sys_file_storage.isOffline') . ')'; } // Preparing rootRec for the mount $firstHtml .= $this->wrapIcon(IconUtility::getSpriteIconForResource($rootLevelFolder, array('mount-root' => TRUE)), $rootLevelFolder); @@ -408,6 +410,17 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView { if (!is_array($treeItems)) { $treeItems = $this->tree; } + + if (empty($treeItems)) { + $message = GeneralUtility::makeInstance( + FlashMessage::class, + $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang.xlf:foldertreeview.noFolders.message'), + $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang.xlf:foldertreeview.noFolders.title'), + FlashMessage::INFO + ); + return $message->render(); + } + $out = ' <!-- TYPO3 folder tree structure. --> <ul class="tree" id="treeRoot"> @@ -634,4 +647,11 @@ class FolderTreeView extends \TYPO3\CMS\Backend\Tree\View\AbstractTreeView { return $this->ajaxStatus; } + /** + * @return LanguageService + */ + protected function getLanguageService() { + return $GLOBALS['LANG']; + } + } 
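Review bot: The new `elseif ($this->BE_USER->isAdmin())` in the `@@ -249,7` hunk leaves a non-admin without a usable file mount with no entry for the storage at all, but nothing next to the branch says that this is an access decision rather than a display choice. I would add a comment such as `// Only admins may fall back to the storage root; editors without a valid file mount must not see it.` so that a later cleanup does not restore the plain `else`. This branch only controls which roots the tree renders; whether a request that names the storage root directly is refused for such a user is decided outside this hunk, presumably in the storage permission checks, and is worth confirming with a test for an editor with zero mounts and for one whose mount points at a deleted folder. The enclosing method starts and ends outside the hunk.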
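Review bot: The `if (empty($treeItems))` early return in the `@@ -408,6` hunk replaces the whole `<ul class="tree">` fragment with flash-message markup for any empty array, including one passed in by the caller, so callers of this method now have to cope with two different return shapes. If the method also serves partial (AJAX) tree rendering, which is not visible here, the notice could end up injected into an existing tree; a comment such as `// No root folders collected (e.g. non-admin without a valid file mount): show a notice instead of an empty tree.` would document when the branch is expected to fire. The message also tells the reader to ask an administrator, which reads oddly if the viewer is an admin with no storage available. The method's signature and the rest of its body lie outside the hunk.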
diff --git a/typo3/sysext/backend/Resources/Private/Language/locallang.xlf b/typo3/sysext/backend/Resources/Private/Language/locallang.xlf
index 1f4a136d8f68..45fc7e31c7aa 100644
--- a/typo3/sysext/backend/Resources/Private/Language/locallang.xlf
+++ b/typo3/sysext/backend/Resources/Private/Language/locallang.xlf
@@ -28,6 +28,12 @@ Have a nice day.</source>
 <trans-unit id="config.loginBackgroundImage">
 <source>Background Image: If set, this image will be used as background image for the login screen for screen sizes greater than 767 pixel (e.g. fileadmin/images/my-background.jpg or EXT:my_theme/Resources/Public/Images/my-background.jpg or //domain.tld/my-background.png)</source>
 </trans-unit>
+ <trans-unit id="foldertreeview.noFolders.title">
+ <source>No folders available</source>
+ </trans-unit>
+ <trans-unit id="foldertreeview.noFolders.message">
+ <source>You do not have access to any folder. Please ask your administrator to fix access permissions for your account.</source>
+ </trans-unit>
 </body>
 </file>
 </xliff>
-- 
GitLab