From f238fde4a18260ae6d47fd622c117205c262c8c0 Mon Sep 17 00:00:00 2001
From: Tymoteusz Motylewski <t.motylewski@gmail.com>
Date: Wed, 20 May 2020 22:59:59 +0200
Subject: [PATCH] [TASK] Cover BackendUserAuthentication->returnWebmounts()
 with test

Also fix misleading comment about permissions.

Resolves: #91454
Releases: 9.5, master
Change-Id: I1a399f1be613f007440bf542441bee60f53e49e0
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64557
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Tested-by: Richard Haeser <richard@maxserv.com>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Richard Haeser <richard@maxserv.com>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
---
 .../BackendUserAuthentication.php             |  5 +--
 .../BackendUserAuthenticationTest.php         | 14 +++++++
 .../Authentication/Fixtures/be_groups.xml     |  2 +-
 .../Authentication/Fixtures/pages.xml         | 42 +++++++++++++++++++
 4 files changed, 59 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index c3bd54be5762..0c869cd8351c 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -1255,10 +1255,9 @@ class BackendUserAuthentication extends AbstractUserAuthentication
     /**
      * Returns an array with the webmounts.
      * If no webmounts, and empty array is returned.
-     * NOTICE: Deleted pages WILL NOT be filtered out! So if a mounted page has been deleted
-     *         it is STILL coming out as a webmount. This is not checked due to performance.
+     * Webmounts permissions are checked in fetchGroupData()
      *
-     * @return array
+     * @return array of web mounts uids (may include '0')
      */
     public function returnWebmounts()
     {
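Review bot: The rewritten docblock points to fetchGroupData() for the permission check but does not tell a caller what the returned list is guaranteed to exclude. The test added in this commit expects deleted, unreadable and non-existent mount pages to be absent, so that contract could be stated here. I would also tighten the return tag to `@return string[] uids of accessible web mounts (may include '0')`, assuming the uids are strings as the test's `['1', '40']` suggests. If the filtering really happens only when group data is loaded, it is worth saying that the list reflects that moment, so callers do not treat it as a fresh access check. The retained context line `If no webmounts, and empty array is returned.` still has "and" for "an", and the method body lies outside this hunk.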
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
index 01d6091768d1..b629b25e694a 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
+++ b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
@@ -91,4 +91,18 @@ class BackendUserAuthenticationTest extends FunctionalTestCase
         self::assertEquals('13', $result['custom.']['groupProperty']);
         self::assertEquals('installation-wide-configuration', $result['custom.']['generic']);
     }
+
+    /**
+     * @test
+     */
+    public function returnWebmountsFilterOutInaccessiblePages(): void
+    {
+        $result = $this->subject->returnWebmounts();
+
+        self::assertNotContains('3', $result, 'Deleted page is not filtered out');
+        self::assertNotContains('4', $result, 'Page user has no permission to read is not filtered out');
+        self::assertNotContains('5', $result, 'Not existing page is not filtered out');
+        self::assertContains('40', $result, 'Accessible db mount page, child of a not accessible page is not shown');
+        self::assertEquals(['1', '40'], $result);
+    }
 }
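Review bot: The closing `self::assertEquals(['1', '40'], $result);` compares loosely, so it would also pass if returnWebmounts() returned integer uids. Whether the string needles in the `assertNotContains('3', ...)` lines match integer elements depends on the PHPUnit version in use. For an access-control filter I would pin type and order with `self::assertSame(['1', '40'], $result);`. The docblock changed in this commit says the result may include '0', but no case here covers that mount.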
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
index 1e727dc0051a..0f7b40b623ab 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
+++ b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
@@ -6,7 +6,7 @@
         <title>editor group</title>
         <lockToDomain></lockToDomain>
         <workspace_perms>0</workspace_perms>
-        <db_mountpoints>1</db_mountpoints>
+        <db_mountpoints>1,3,4,5,40</db_mountpoints>
         <tstamp>1544454571</tstamp>
         <crdate>1542360853</crdate>
         <deleted>0</deleted>
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
index d8094f179326..2e2694a57065 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
+++ b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
@@ -26,4 +26,46 @@
         <perms_everybody>0</perms_everybody>
         <is_siteroot>1</is_siteroot>
     </pages>
+    <pages>
+        <pid>0</pid>
+        <uid>3</uid>
+        <deleted>1</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Deleted page</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>1</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>1</is_siteroot>
+    </pages>
+    <pages>
+        <pid>0</pid>
+        <uid>4</uid>
+        <deleted>0</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Another page</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>2</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>1</is_siteroot>
+    </pages>
+    <pages>
+        <pid>4</pid>
+        <uid>40</uid>
+        <deleted>0</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Another page subpage</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>1</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>0</is_siteroot>
+    </pages>
 </dataset>
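Review bot: Page 4 appears to be unreadable only because the test user is neither uid 1 (its `perms_userid`) nor a member of group 2 (its `perms_groupid`), and both facts live in fixtures outside this diff. A short XML comment above the record, for example `<!-- uid 4: owned by group 2, which the test user is not a member of -->`, would keep that intent visible when the user or group fixtures are edited later. The same applies to mount uid 5 in be_groups.xml, which counts as "not existing" only because no `<pages>` row with that uid is defined in this file.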
-- 
GitLab