[BUGFIX] Always allow dividers in TCA auth mode check

This brings back the optgroups in the CType and list_type fields
for normal editors.

Additionally some tests for checkAuthMode are added.

Releases: master, 9.5
Resolves: #89707
Change-Id: Ib3e6dbf3598ad767910161225a31ad2db939b3d6
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62654
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>

typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php

@@ -688,6 +688,10 @@ public function checkAuthMode($table, $field, $value, $authMode)
         if ((string)$value === '') {
             return true;
         }
+        // Allow dividers:
+        if ($value === '--div--') {
+            return true;
+        }
         // Certain characters are not allowed in the value
         if (preg_match('/[:|,]/', $value)) {
             return false;

typo3/sysext/core/Tests/Unit/Authentication/BackendUserAuthenticationTest.php

@@ -15,6 +15,7 @@
  * The TYPO3 project - inspiring people to share!
  */
 
+use PHPUnit\Framework\MockObject\MockObject;
 use Prophecy\Argument;
 use Prophecy\Prophecy\ObjectProphecy;
 use Psr\Log\NullLogger;
@@ -774,4 +775,78 @@ public function getPagePermissionsClauseWithValidUser(int $perms, bool $admin, s
 
         $this->assertEquals($expected, $subject->getPagePermsClause($perms));
     }
+
+    /**
+     * @test
+     * @dataProvider checkAuthModeReturnsExpectedValueDataProvider
+     * @param string $theValue
+     * @param string $authMode
+     * @param bool $expectedResult
+     */
+    public function checkAuthModeReturnsExpectedValue(string $theValue, string $authMode, bool $expectedResult)
+    {
+        /** @var BackendUserAuthentication|MockObject $subject */
+        $subject = $this->getMockBuilder(BackendUserAuthentication::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['isAdmin'])
+            ->getMock();
+
+        $subject
+            ->expects(self::any())
+            ->method('isAdmin')
+            ->willReturn(false);
+
+        $subject->groupData['explicit_allowdeny'] =
+            'dummytable:dummyfield:explicitly_allowed_value:ALLOW,'
+            . 'dummytable:dummyfield:explicitly_denied_value:DENY';
+
+        $result = $subject->checkAuthMode('dummytable', 'dummyfield', $theValue, $authMode);
+        self::assertEquals($expectedResult, $result);
+    }
+
+    public function checkAuthModeReturnsExpectedValueDataProvider(): array
+    {
+        return [
+            'explicit allow, not allowed value' => [
+                'non_allowed_field',
+                'explicitAllow',
+                false,
+            ],
+            'explicit allow, allowed value' => [
+                'explicitly_allowed_value',
+                'explicitAllow',
+                true,
+            ],
+            'explicit deny, not denied value' => [
+                'non_denied_field',
+                'explicitDeny',
+                true,
+            ],
+            'explicit deny, denied value' => [
+                'explicitly_denied_value',
+                'explicitDeny',
+                false,
+            ],
+            'invalid value colon' => [
+                'containing:invalid:chars',
+                'does not matter',
+                false,
+            ],
+            'invalid value comma' => [
+                'containing,invalid,chars',
+                'does not matter',
+                false,
+            ],
+            'blank value' => [
+                '',
+                'does not matter',
+                true,
+            ],
+            'divider' => [
+                '--div--',
+                'explicitAllow',
+                true,
+            ],
+        ];
+    }
 }