1 <?php

2 namespace ‪TYPO3\CMS\Backend\Security;

3 

4 /*

5  * This file is part of the TYPO3 CMS project.

6  *

7  * It is free software; you can redistribute it and/or modify it under

8  * the terms of the GNU General Public License, either version 2

9  * of the License, or any later version.

10  *

11  * For the full copyright and license information, please read the

12  * LICENSE.txt file that was distributed with this source code.

13  *

14  * The TYPO3 project - inspiring people to share!

15  */

16 

17 use ‪TYPO3\CMS\Backend\Tree\TreeNode;

18 use ‪TYPO3\CMS\Backend\Tree\TreeNodeCollection;

19 use ‪TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

20 use ‪TYPO3\CMS\Core\Database\ConnectionPool;

21 use ‪TYPO3\CMS\Core\Tree\TableConfiguration\DatabaseTreeDataProvider;

22 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

23 

33 class ‪CategoryPermissionsAspect

34 {

38  protected ‪$categoryTableName = 'sys_category';

39 

43  protected ‪$backendUserAuthentication;

44 

48  public function ‪__construct(‪$backendUserAuthentication = null)

49  {

50  $this->backendUserAuthentication = ‪$backendUserAuthentication ?: ‪$GLOBALS['BE_USER'];

51  }

52 

59  public function ‪addUserPermissionsToCategoryTreeData(‪DatabaseTreeDataProvider $dataProvider, $treeData)

60  {

61  // Only evaluate this in the backend

62  if (!(TYPO3_REQUESTTYPE & TYPO3_REQUESTTYPE_BE)) {

63  return;

64  }

65 

66  if (!$this->backendUserAuthentication->isAdmin() && $dataProvider->‪getTableName() === $this->categoryTableName) {

67 

68  // Get User permissions related to category

69  $categoryMountPoints = $this->backendUserAuthentication->getCategoryMountPoints();

70 

71  // Backup child nodes to be processed.

72  $treeNodeCollection = $treeData->getChildNodes();

73 

74  if (!empty($categoryMountPoints) && !empty($treeNodeCollection)) {

75 

76  // Check the rootline against categoryMountPoints when tree was filtered

77  if ($dataProvider->‪getRootUid() !== null) {

78  if (in_array($dataProvider->‪getRootUid(), $categoryMountPoints)) {

79  return;

80  }

81  $uidsInRootline = $this->‪findUidsInRootline($dataProvider->‪getRootUid());

82  if (!empty(array_intersect($categoryMountPoints, $uidsInRootline))) {

83  // One of the parents was found in categoryMountPoints so all children are secure

84  return;

85  }

86  }

87 

88  // First, remove all child nodes which must be analyzed to be considered as "secure".

89  // The nodes were backed up in variable $treeNodeCollection beforehand.

90  $treeData->removeChildNodes();

91 

92  // Create an empty tree node collection to receive the secured nodes.

94  $securedTreeNodeCollection = \TYPO3\CMS\Core\Utility\GeneralUtility::makeInstance(\‪TYPO3\CMS\Backend\Tree\TreeNodeCollection::class);

95 

96  foreach ($categoryMountPoints as $categoryMountPoint) {

97  $treeNode = $this->‪lookUpCategoryMountPointInTreeNodes((int)$categoryMountPoint, $treeNodeCollection);

98  if ($treeNode !== null) {

99  $securedTreeNodeCollection->append($treeNode);

100  }

101  }

102 

103  // Reset child nodes.

104  $treeData->setChildNodes($securedTreeNodeCollection);

105  }

106  }

107  }

108 

116  protected function ‪lookUpCategoryMountPointInTreeNodes($categoryMountPoint, ‪TreeNodeCollection $treeNodeCollection)

117  {

118  $result = null;

119 

120  // If any User permission, recursively traverse the tree and set tree part as mount point

121  foreach ($treeNodeCollection as $treeNode) {

122 

124  if ((int)$treeNode->getId() === $categoryMountPoint) {

125  $result = $treeNode;

126  break;

127  }

128 

129  if ($treeNode->hasChildNodes()) {

130 

132  $node = $this->‪lookUpCategoryMountPointInTreeNodes($categoryMountPoint, $treeNode->getChildNodes());

133  if ($node !== null) {

134  $result = $node;

135  break;

136  }

137  }

138  }

139  return $result;

140  }

141 

148  protected function ‪findUidsInRootline($uid)

149  {

151  $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->categoryTableName);

152  $row = $queryBuilder

153  ->select('parent')

154  ->from($this->categoryTableName)

155  ->where(

156  $queryBuilder->expr()->eq('uid', $queryBuilder->createNamedParameter($uid, \PDO::PARAM_INT))

157  )

158  ->execute()

159  ->fetch();

160 

161  $parentUids = [];

162  if ($row['parent'] > 0) {

163  $parentUids = $this->‪findUidsInRootline($row['parent']);

164  $parentUids[] = $row['parent'];

165  }

166  return $parentUids;

167  }

168 }