[BUGFIX] Lift restriction for restricted records in Routing Aspects
Since TYPO3 v9.5.16 it is no longer possible to resolve URLs with an
Aspect that contains records with fe_group restrictions. This is due to
a legacy solution in which the Frontend User is initialized early enough,
but its groups are only resolved later, within $TSFE->determineId().

For this reason, Routing does not handle fe_group restrictions, but the
plugin should take care of that for the time being.

Future TYPO3 versions can decide to resolve the fe_group restrictions earlier,
but this would be a breaking change of behaviour of the Frontend
Request Workflow for TYPO3 v10 + v9.

Resolves: #91049
Releases: master, 9.5
Change-Id: I0e57768f5358dc06101acdca374b9c872a65c865
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/64408
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Krystian Szymukowicz <k.szymukowicz@gmail.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
bmack committed May 6, 2020
1 parent 2754fed commit 99af82f
Showing 4 changed files with 16 additions and 4 deletions.
Expand Up @@ -24,6 +24,7 @@
use TYPO3\CMS\Core\Context\LanguageAspectFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Database\Query\Restriction\FrontendGroupRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
use TYPO3\CMS\Core\Domain\Repository\PageRepository;
use TYPO3\CMS\Core\Routing\Legacy\PersistedAliasMapperLegacyTrait;
Expand Down Expand Up @@ -255,6 +256,9 @@ protected function createQueryBuilder(): QueryBuilder
$queryBuilder->setRestrictions(
GeneralUtility::makeInstance(FrontendRestrictionContainer::class, $this->context)
);
// Frontend Groups are not available at this time (initialized via TSFE->determineId)
// So this must be excluded to allow access restricted records
$queryBuilder->getRestrictions()->removeByType(FrontendGroupRestriction::class);
return $queryBuilder;
}
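Review bot: The comment added above `removeByType(FrontendGroupRestriction::class)` explains why the restriction is dropped but not what that means for access control: every query built by createQueryBuilder() now matches fe_group-restricted records for any visitor, so the routing layer no longer acts as an access check, and whether a restricted slug resolves may differ visibly from an unknown one. The commit message says the plugin has to enforce the restriction, and that contract belongs next to the code, e.g. `// SECURITY: fe_group is deliberately not enforced during routing; the plugin rendering the resolved record must check access itself`. The identical three lines in the second mapper section need the same comment. createQueryBuilder() starts above this hunk, so only its tail is visible here.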

Expand Up @@ -24,6 +24,7 @@
use TYPO3\CMS\Core\Context\LanguageAspectFactory;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\Database\Query\Restriction\FrontendGroupRestriction;
use TYPO3\CMS\Core\Database\Query\Restriction\FrontendRestrictionContainer;
use TYPO3\CMS\Core\Domain\Repository\PageRepository;
use TYPO3\CMS\Core\Routing\Legacy\PersistedPatternMapperLegacyTrait;
Expand Down Expand Up @@ -254,6 +255,9 @@ protected function createQueryBuilder(): QueryBuilder
$queryBuilder->setRestrictions(
GeneralUtility::makeInstance(FrontendRestrictionContainer::class, $this->context)
);
// Frontend Groups are not available at this time (initialized via TSFE->determineId)
// So this must be excluded to allow access restricted records
$queryBuilder->getRestrictions()->removeByType(FrontendGroupRestriction::class);
return $queryBuilder;
}
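Review bot: The comment and the `removeByType(FrontendGroupRestriction::class)` call are a verbatim copy of the lines added to the other mapper in this commit (judging by the imported legacy traits, presumably the alias and the pattern mapper). An exception to the frontend restriction container is security-relevant, and keeping it in two places means a later change that restores fe_group handling has to find and update both. Consider building the restricted query builder in one shared protected helper or trait that both classes call. The body of createQueryBuilder() begins outside the hunk, so this is based on the visible tail only.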

Expand Up @@ -262,10 +262,11 @@ public function recordVisibilityDataProvider(): array
['slug' => 'hidden-visibility-slug', 'uid' => '4051'],
false,
],
// fe_group slugs are always considered
'restricted-visibility-slug, raw context' => [
$rawContext,
['slug' => 'restricted-visibility-slug', 'uid' => '4052'],
false,
true,
],
'scheduled-visibility-slug, raw context' => [
$rawContext,
Expand All @@ -277,10 +278,11 @@ public function recordVisibilityDataProvider(): array
['slug' => 'hidden-visibility-slug', 'uid' => '4051'],
true,
],
// fe_group slugs are always considered
'restricted-visibility-slug, frontend-groups context (13)' => [
$frontendGroupsContext,
['slug' => 'restricted-visibility-slug', 'uid' => '4052'],
false, // @todo actually `true`, FrontendGroupRestriction does not support Context, yet
true,
],
'scheduled-visibility-slug, scheduled context (timestamp 20000)' => [
$scheduledContext,
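Review bot: The comment `// fe_group slugs are always considered` above both 'restricted-visibility-slug' cases does not tell a reader that the expected `true` is a deliberate relaxation of access control during routing. Since the raw context and the frontend-groups context (13) now expect the same result, the two cases no longer show any dependence on group membership, which looks like an oversight without an explanation. A wording such as `// fe_group is intentionally not evaluated during routing: restricted slugs resolve for every visitor, access is enforced by the plugin` would make that explicit. The same comment appears in the second test file's data provider and should be changed there too.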
Expand Up @@ -266,10 +266,11 @@ public function recordVisibilityDataProvider(): array
['slug' => 'hidden-visibility-slug-0', 'uid' => '4051'],
false,
],
// fe_group slugs are always considered
'restricted-visibility-slug, raw context' => [
$rawContext,
['slug' => 'restricted-visibility-slug-0', 'uid' => '4052'],
false,
true,
],
'scheduled-visibility-slug, raw context' => [
$rawContext,
Expand All @@ -281,10 +282,11 @@ public function recordVisibilityDataProvider(): array
['slug' => 'hidden-visibility-slug-0', 'uid' => '4051'],
true,
],
// fe_group slugs are always considered
'restricted-visibility-slug, frontend-groups context (13)' => [
$frontendGroupsContext,
['slug' => 'restricted-visibility-slug-0', 'uid' => '4052'],
false, // @todo actually `true`, FrontendGroupRestriction does not support Context, yet
true,
],
'scheduled-visibility-slug, scheduled context (timestamp 20000)' => [
$scheduledContext,
