[BUGFIX] "New page" wizard discloses existence of pages outside DB mount
When creating a new page inside the top level of a DB mount which is only a sub tree, the pages up and down from the DB mount root will be displayed in the position selector if the logged-in user has read permissions for these pages. This is unwanted information disclosure as the permissions should not matter for pages which are outside the DB mount. Resolves: #18797 Releases: 6.2, 6.1, 6.0 Change-Id: I98008bc7f4308c9fb32dae645325e7cb1b44e413 Reviewed-on: https://review.typo3.org/22632 Reviewed-by: Markus Klein Reviewed-by: Xavier Perseguers Reviewed-by: Wouter Wolters Tested-by: Markus Klein Reviewed-by: Marcin Sągol Reviewed-by: Stefan Neufeind Tested-by: Stefan Neufeind
Showing
- typo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php 5 additions, 0 deletionstypo3/sysext/backend/Classes/Tree/View/AbstractTreeView.php
- typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php 4 additions, 0 deletions...core/Classes/Authentication/BackendUserAuthentication.php
Please register or sign in to comment