From fb2740a2b68ac658cb484ae3fe938b1b32af9af2 Mon Sep 17 00:00:00 2001
From: Tymoteusz Motylewski <t.motylewski@gmail.com>
Date: Wed, 15 Apr 2020 00:03:58 +0200
Subject: [PATCH] [TASK] Tune permission checks in TreeController

Do not calculate permissions for every page, as we're limiting the pages
through SQL query constraints.

Fetch sys_language_uid and l10n_parent from db as they are required for
isInWebMount to prevent it from fetching row from db again.

Pass full row to isInWebMount in calcPerms instead of just uid.
isInWebMount has logic to handle translated records.

Resolves: #91037
Related: #90105
Releases: 9.5, master
Change-Id: I56dbaf3daa15aa8b6f0fc5e09b212aa34203a0b5
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64175
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Tymoteusz Motylewski <t.motylewski@gmail.com>
---
 .../backend/Classes/Controller/Page/TreeController.php       | 5 +----
 .../backend/Classes/Tree/Repository/PageTreeRepository.php   | 2 ++
 .../Classes/Authentication/BackendUserAuthentication.php     | 3 +--
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
index a5573b859a03..75b41b874d7a 100644
--- a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
+++ b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
@@ -416,10 +416,7 @@ class TreeController
                 }
             }
 
-            $entryPoint = $repository->getTree($entryPoint, function ($page) use ($backendUser) {
-                // Check each page if the user has permission to access it
-                return $backendUser->doesUserHaveAccess($page, Permission::PAGE_SHOW);
-            });
+            $entryPoint = $repository->getTree($entryPoint);
             if (!is_array($entryPoint)) {
                 unset($entryPoints[$k]);
             }
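Review bot: With the callback removed, `getTree($entryPoint)` is the only thing keeping pages without `Permission::PAGE_SHOW` out of the tree, and nothing in this hunk shows that the repository query carries that constraint. The commit message says pages are limited through SQL query constraints, so this is presumably configured where `$repository` is built, outside the hunk. A comment at the call would make the dependency explicit, e.g. `// Access is enforced by the permission constraint on $repository's query; no per-page check here`. A functional test that loads the tree as a non-admin user, with one page that user may not show, would catch the constraint being dropped later. The enclosing method starts and ends outside the hunk.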
diff --git a/typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php b/typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php
index 10031b0c2dca..36c1db53937e 100644
--- a/typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php
+++ b/typo3/sysext/backend/Classes/Tree/Repository/PageTreeRepository.php
@@ -72,6 +72,8 @@ class PageTreeRepository
         'shortcut_mode',
         'mount_pid_ol',
         'url',
+        'sys_language_uid',
+        'l10n_parent',
     ];
 
     /**
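Review bot: The two added fields are, going by the commit message, selected for the web-mount check rather than for the tree output, and nothing in the field list says so. A short comment above them, such as `// required by isInWebMount() so it can resolve translated pages without re-reading the row`, would keep a later cleanup from removing them and silently bringing back the extra query per page. The array starts above the hunk.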
diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index 58f4d47c9480..87e728845d3d 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -598,8 +598,7 @@ class BackendUserAuthentication extends AbstractUserAuthentication
             return Permission::ALL;
         }
         // Return 0 if page is not within the allowed web mount
-        // Always do this for the default language page record
-        if (!$this->isInWebMount($row[$GLOBALS['TCA']['pages']['ctrl']['transOrigPointerField']] ?: $row)) {
+        if (!$this->isInWebMount($row)) {
             return Permission::NOTHING;
         }
         $out = Permission::NOTHING;
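Review bot: `isInWebMount($row)` now receives whatever row the caller passed in, so the web-mount decision for a translated page depends on that row carrying the language and parent fields. The removed line resolved the default-language uid here through `transOrigPointerField`. The commit message says isInWebMount handles translated records and implies it re-reads the row when fields are missing, but that code is not in this diff. Callers that pass a partial row (only `uid`, say) therefore deserve a test for both a default-language page and a translated one. I would also extend the remaining comment to `// Return 0 if page is not within the allowed web mount; isInWebMount() resolves translated records from $row`; the method body starts and ends outside the hunk.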
-- 
GitLab