[TYPO3-core] RFC #13741: cache_treelist does not take FE users into account

Dmitry Dulepov dmitry.dulepov at gmail.com
Thu Apr 15 16:51:20 CEST 2010


Hi!

This is an SVN patch request.

Type: bug, major

Branches: 4.2, 4.3, trunk

BT reference: http://bugs.typo3.org/view.php?id=13741

Problem: The cache_treelist table caches the tree of pages for the current
user. The user group list of the current user is not taken into account. This
causes a wrong cached tree for the user. If the first user was anonymous,
logged-in users will not see pages visible to them. The opposite is not true
because the core checks access details elsewhere. This bug affects menu
generation: if an anonymous user was the first to visit pages, logged-in users
will not see pages accessible to them in the menu.

Solution: add the user's group list to the md5 hash of the tree list.

-- 
Dmitry Dulepov
TYPO3 expert / TYPO3 security team member
Read more @ http://dmitry-dulepov.com/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 13741.diff
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100415/d1d4d07f/attachment.txt>
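
The caching problem described in this message, shown as an added example that is not part of the original post and is not TYPO3 code. The page tree, the function names and the key layout are constructed for illustration; the only detail taken from the message is that the cache key is an md5 hash and that the fix adds the user's group list to it.

```php
<?php
// Constructed sample page tree: uid => parent uid and required group ('' = public).
const PAGES = [
    2 => ['pid' => 1, 'fe_group' => ''],
    3 => ['pid' => 1, 'fe_group' => '7'],   // visible only to group 7
    4 => ['pid' => 3, 'fe_group' => '7'],
];

// Collect the uids below $root that a user with the given groups may see.
function buildTreeList(int $root, array $groups): string
{
    $ids = [];
    foreach (PAGES as $uid => $page) {
        $visible = $page['fe_group'] === '' || in_array($page['fe_group'], $groups, true);
        if ($page['pid'] === $root && $visible) {
            $ids[] = $uid;
            $sub = buildTreeList($uid, $groups);
            if ($sub !== '') {
                $ids[] = $sub;
            }
        }
    }
    return implode(',', $ids);
}

// Hypothetical cache lookup. $keyIncludesGroups = false reproduces the reported
// behaviour; true applies the proposed fix (group list becomes part of the md5 key).
function getTreeList(array &$cache, int $root, array $groups, bool $keyIncludesGroups): string
{
    sort($groups);  // normalise so "7,9" and "9,7" share one cache entry
    $keyParts = ['root' => $root];
    if ($keyIncludesGroups) {
        $keyParts['groups'] = implode(',', $groups);
    }
    $hash = md5(serialize($keyParts));
    if (!isset($cache[$hash])) {
        $cache[$hash] = buildTreeList($root, $groups);
    }
    return $cache[$hash];
}

foreach ([false, true] as $fixed) {
    $cache = [];
    $anon   = getTreeList($cache, 1, [], $fixed);      // anonymous visitor arrives first
    $member = getTreeList($cache, 1, ['7'], $fixed);   // then a user in group 7
    printf("%s key: anonymous=[%s] member=[%s]\n", $fixed ? 'fixed' : 'buggy', $anon, $member);
}
```

With the group list left out of the key, the member is served the entry the anonymous visitor populated. The general rule for any cache of access-filtered data is that every input to the filter must also be an input to the cache key.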

