[TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where

David Bruchmann typo3-team-core at bruchmann-web.de
Wed Sep 30 23:59:51 CEST 2009


Subject: Re: [TYPO3-core] RFC: Feature Request #6882: Enable stdWrap for select.where


Hello together,

The main problem is that the select option as part of stdWrap gives a tool that 
allows everything.

On the one hand I can't understand every point of the discussion because 
templates are restricted to admins anyhow.
On the other hand it's right to have a look at security and to keep 
optional vulnerabilities as small as possible.
The point that templates can be allowed for editors is important but I 
omit it here because I don't want to integrate any holes anyway.

Back to my first sentence:
I propose to make stdWrap restrictable by BE-User and BE-Group 
Administration.
I see that it isn't a solution for the quoting challenge with selects, 
but it makes risks more calculable because the functionality of stdWrap can 
be cut and reduced to the original sense of text and content manipulation 
by predefined methods.

So the quoting challenge could perhaps be solved later, but after my 
proposed change of rights.

In case my proposal seems worth considering, different ranges of rights 
could be thought about:
Simple selects may be possible for many (perhaps with restriction to 
non-system tables); joins and system tables may be accessible for a 
smaller group.
Furthermore a new element (similar to the template element) could be built 
that allows creating selects by a form like in phpMyAdmin or Access. 
So it would be much easier to control access for selects: in TS they may 
be referenced but never included directly.
Without a tool like that the secure way would be to disallow selects in 
general; the hard way would be to integrate a parser that compares 
syntax and rights.

Best Regards
David
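
An added example, not part of the original message and not TYPO3 code: a sketch of the "referenced but never included directly" idea, where a template names a stored select by key and a rights tier decides who may run it. The registry, the tier names, the group names and the `be_`/`sys_` prefix rule for system tables are all assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Assumption: prefixes that mark a table as a "system table" in this sketch.
SYSTEM_PREFIXES = ("be_", "sys_")

@dataclass(frozen=True)
class StoredSelect:
    tables: tuple  # tables the query reads; more than one means a join
    sql: str       # fixed SQL text with ? placeholders, written in advance

# Hypothetical registry; a template may reference an entry only by its key.
REGISTRY = {
    "content_by_pid": StoredSelect(
        ("tt_content",), "SELECT header FROM tt_content WHERE pid = ? ORDER BY uid"),
    "admin_names": StoredSelect(
        ("be_users",), "SELECT username FROM be_users WHERE admin = ?"),
}

# Hypothetical mapping of backend groups to the tiers they were granted.
GROUP_TIERS = {"editors": {"simple"}, "integrators": {"simple", "extended"}}

def required_tier(sel):
    """'simple' is one non-system table; joins or system tables need 'extended'."""
    joined = len(sel.tables) > 1
    system = any(t.startswith(SYSTEM_PREFIXES) for t in sel.tables)
    return "extended" if joined or system else "simple"

def run_stored_select(db, groups, key, params):
    sel = REGISTRY.get(key)
    if sel is None:
        raise KeyError(f"unknown stored select: {key}")
    granted = set().union(*(GROUP_TIERS.get(g, set()) for g in groups))
    if required_tier(sel) not in granted:
        raise PermissionError(f"{key} needs tier '{required_tier(sel)}'")
    # Values are bound as parameters, never concatenated into the SQL text.
    return db.execute(sel.sql, tuple(params)).fetchall()

def demo_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tt_content (uid INTEGER PRIMARY KEY, pid INT, header TEXT);
        CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, admin INT);
        INSERT INTO tt_content (pid, header) VALUES (7, 'Hello'), (8, 'Other');
        INSERT INTO be_users (username, admin) VALUES ('root', 1);
    """)
    return db
```

Because the caller supplies only a key and values, the rights check works on the stored definition and needs no SQL parser.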

