From b3ecbc9b277c84a60da7e885369c9a710c9adefb Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Sat, 5 Sep 2020 08:05:30 +0200
Subject: [PATCH] [BUGFIX] Avoid using BackendWorkspaceRestriction
When using BackendWorkspaceRestriction the DB query
fetches newly created records of ALL workspaces, not just the currently
given workspace.
For this reason it is highly discouraged to use this
restriction but use the main WorkspaceRestriction instead.
This change adapts all remaining places which especially
is relevant when having multiple NEW PLACEHOLDERs in various
workspaces to only work on the current workspace.
Resolves: #92209
Releases: master, 10.4
Change-Id: Ie8b2321270b4804fa59cef1fa712cd820242ee40
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65582
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
---
.../TranslationConfigurationProvider.php | 4 ++--
.../Controller/EditDocumentController.php | 10 +++++-----
.../backend/Classes/Utility/BackendUtility.php | 6 +++---
.../core/Classes/DataHandling/DataHandler.php | 16 +++++-----------
.../Localization/DataMapProcessor.php | 6 +++---
.../TypoScript/ExtendedTemplateService.php | 4 ++--
6 files changed, 20 insertions(+), 26 deletions(-)
diff --git a/typo3/sysext/backend/Classes/Configuration/TranslationConfigurationProvider.php b/typo3/sysext/backend/Classes/Configuration/TranslationConfigurationProvider.php
index 79e239b54556..9a50cb9c5e44 100644
--- a/typo3/sysext/backend/Classes/Configuration/TranslationConfigurationProvider.php
+++ b/typo3/sysext/backend/Classes/Configuration/TranslationConfigurationProvider.php
@@ -18,8 +18,8 @@ namespace TYPO3\CMS\Backend\Configuration;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Database\ConnectionPool;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
+use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
use TYPO3\CMS\Core\Exception\SiteNotFoundException;
use TYPO3\CMS\Core\Site\Entity\NullSite;
use TYPO3\CMS\Core\Site\Entity\SiteInterface;
@@ -133,7 +133,7 @@ class TranslationConfigurationProvider
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->getBackendUserAuthentication()->workspace));
$queryBuilder
->select(...GeneralUtility::trimExplode(',', $selFieldList))
->from($table)
diff --git a/typo3/sysext/backend/Classes/Controller/EditDocumentController.php b/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
index 3375238c44f6..6873165d3772 100644
--- a/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
+++ b/typo3/sysext/backend/Classes/Controller/EditDocumentController.php
@@ -35,8 +35,8 @@ use TYPO3\CMS\Backend\Template\ModuleTemplate;
use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
+use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
use TYPO3\CMS\Core\Database\ReferenceIndex;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Domain\Repository\PageRepository;
@@ -1901,7 +1901,7 @@ class EditDocumentController
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->getBackendUser()->workspace));
return $queryBuilder
->count('uid')
@@ -2065,7 +2065,7 @@ class EditDocumentController
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->getBackendUser()->workspace));
$result = $queryBuilder->select(...GeneralUtility::trimExplode(',', $fetchFields, true))
->from($table)
@@ -2171,7 +2171,7 @@ class EditDocumentController
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->getBackendUser()->workspace));
$localizedRecord = $queryBuilder->select('uid')
->from($table)
->where(
@@ -2243,7 +2243,7 @@ class EditDocumentController
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable('pages');
$queryBuilder->getRestrictions()->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->getBackendUser()->workspace));
$statement = $queryBuilder->select('uid', $GLOBALS['TCA']['pages']['ctrl']['languageField'])
->from('pages')
->where(
diff --git a/typo3/sysext/backend/Classes/Utility/BackendUtility.php b/typo3/sysext/backend/Classes/Utility/BackendUtility.php
index 324c3262c420..0ad8b06b9df6 100644
--- a/typo3/sysext/backend/Classes/Utility/BackendUtility.php
+++ b/typo3/sysext/backend/Classes/Utility/BackendUtility.php
@@ -31,9 +31,9 @@ use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Database\Query\QueryHelper;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;
+use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
use TYPO3\CMS\Core\Database\RelationHandler;
use TYPO3\CMS\Core\Domain\Repository\PageRepository;
use TYPO3\CMS\Core\Exception\SiteNotFoundException;
@@ -290,7 +290,7 @@ class BackendUtility
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, static::getBackendUserAuthentication()->workspace));
$queryBuilder->select('*')
->from($table)
@@ -1742,7 +1742,7 @@ class BackendUtility
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, static::getBackendUserAuthentication()->workspace));
$constraints = [
$queryBuilder->expr()->eq(
$theColConf['foreign_field'],
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
index 90be1d8848dc..769f5a2e7be9 100644
--- a/typo3/sysext/core/Classes/DataHandling/DataHandler.php
+++ b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -38,7 +38,6 @@ use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryHelper;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\QueryRestrictionContainerInterface;
use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
@@ -4289,24 +4288,19 @@ class DataHandler implements LoggerAwareInterface
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->BE_USER->workspace));
- $queryBuilder->select('*')
+ $l10nRecords = $queryBuilder->select('*')
->from($table)
->where(
$queryBuilder->expr()->eq(
$GLOBALS['TCA'][$table]['ctrl']['transOrigPointerField'],
$queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT, ':pointer')
)
- );
-
- if (BackendUtility::isTableWorkspaceEnabled($table)) {
- $queryBuilder->andWhere(
- $queryBuilder->expr()->eq('t3ver_oid', $queryBuilder->createNamedParameter(0, \PDO::PARAM_INT))
- );
- }
+ )
+ ->execute()
+ ->fetchAll();
- $l10nRecords = $queryBuilder->execute()->fetchAll();
if (is_array($l10nRecords)) {
$localizedDestPids = [];
// If $$originalRecordDestinationPid < 0, then it is the uid of the original language record we are inserting after
diff --git a/typo3/sysext/core/Classes/DataHandling/Localization/DataMapProcessor.php b/typo3/sysext/core/Classes/DataHandling/Localization/DataMapProcessor.php
index e640499d9ae0..4981d1a7e1a5 100644
--- a/typo3/sysext/core/Classes/DataHandling/Localization/DataMapProcessor.php
+++ b/typo3/sysext/core/Classes/DataHandling/Localization/DataMapProcessor.php
@@ -19,8 +19,8 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
+use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
use TYPO3\CMS\Core\Database\RelationHandler;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\DataHandling\ReferenceIndexUpdater;
@@ -881,7 +881,7 @@ class DataMapProcessor
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class, $this->backendUser->workspace, false));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->backendUser->workspace));
$statement = $queryBuilder
->select(...array_values($fieldNames))
->from($tableName)
@@ -1090,7 +1090,7 @@ class DataMapProcessor
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class, $this->backendUser->workspace, false));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $this->backendUser->workspace));
$zeroParameter = $queryBuilder->createNamedParameter(0, \PDO::PARAM_INT);
$ids = $this->filterNumericIds($ids);
diff --git a/typo3/sysext/core/Classes/TypoScript/ExtendedTemplateService.php b/typo3/sysext/core/Classes/TypoScript/ExtendedTemplateService.php
index e9d8edb176fc..2ae4df23189c 100644
--- a/typo3/sysext/core/Classes/TypoScript/ExtendedTemplateService.php
+++ b/typo3/sysext/core/Classes/TypoScript/ExtendedTemplateService.php
@@ -20,8 +20,8 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\Context\Context;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
-use TYPO3\CMS\Core\Database\Query\Restriction\BackendWorkspaceRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;
+use TYPO3\CMS\Core\Database\Query\Restriction\WorkspaceRestriction;
use TYPO3\CMS\Core\Exception;
use TYPO3\CMS\Core\Imaging\Icon;
use TYPO3\CMS\Core\Imaging\IconFactory;
@@ -839,7 +839,7 @@ class ExtendedTemplateService extends TemplateService
$queryBuilder->getRestrictions()
->removeAll()
->add(GeneralUtility::makeInstance(DeletedRestriction::class))
- ->add(GeneralUtility::makeInstance(BackendWorkspaceRestriction::class));
+ ->add(GeneralUtility::makeInstance(WorkspaceRestriction::class, $GLOBALS['BE_USER']->workspace));
$queryBuilder->select('*')
->from('sys_template')
--
GitLab