Merge commit '3a70924777294c7fb40e9f6eb3f7627bac58dfd1' into TYPO3_9

Security fix release
webian · Oct 15, 2019 · 98046ee · 98046ee
1 parent 60b4513
commit 98046ee
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/Classes/DirectMailUtility.php b/Classes/DirectMailUtility.php
@@ -922,6 +922,10 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
         // init iconFactory
         $iconFactory = GeneralUtility::makeInstance(IconFactory::class);
 
+        $isAllowedDisplayTable = $GLOBALS['BE_USER']->check('tables_select', $table);
+        $isAllowedEditTable = $GLOBALS['BE_USER']->check('tables_modify', $table);
+        $notAllowedPlaceholder = $GLOBALS['LANG']->getLL('mailgroup_table_disallowed_placeholder');
+
         if (is_array($listArr)) {
             $count = count($listArr);
             $returnUrl = GeneralUtility::getIndpEnv('REQUEST_URI');
@@ -930,7 +934,7 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
                 $editLink = '';
                 if ($row['uid']) {
                     $tableIcon = sprintf('<td>%s</td>', $iconFactory->getIconForRecord($table, []));
-                    if ($editLinkFlag) {
+                    if ($editLinkFlag && $isAllowedEditTable) {
                         $urlParameters = [
                             'edit' => [
                                 $table => [
@@ -950,12 +954,24 @@ public static function getRecordList(array $listArr, $table, $pageId, $editLinkF
                     }
                 }
 
+                if ($isAllowedDisplayTable) {
+                    $exampleData = [
+                        'email' => '<td nowrap> ' . htmlspecialchars($row['email']) . ' </td>',
+                        'name' => '<td nowrap> ' . htmlspecialchars($row['name']) . ' </td>'
+                    ];
+                } else {
+                    $exampleData = [
+                        'email' => '<td nowrap>' . $notAllowedPlaceholder . '</td>',
+                        'name' => ''
+                    ];
+                }
+
                 $lines[] = sprintf(
                     '<tr class="db_list_normal">%s%s<td class="nowrap">%s</td><td class="nowrap">%s</td></tr>',
                     $tableIcon,
                     $editLink,
-                    htmlspecialchars($row['email']),
-                    htmlspecialchars($row['name'])
+                    $exampleData['email'],
+                    $exampleData['name']
                 );
             }
         }

diff --git a/Resources/Private/Language/locallang_mod2-6.xlf b/Resources/Private/Language/locallang_mod2-6.xlf
@@ -589,6 +589,9 @@
 			<trans-unit id="mailgroup_table_fe_users">
 				<source>Website User Table</source>
 			</trans-unit>
+			<trans-unit id="mailgroup_table_disallowed_placeholder">
+				<source>Missing permission to display data</source>
+			</trans-unit>
 			<trans-unit id="nl_cat">
 				<source>Assign categories to content elements</source>
 			</trans-unit>