FluidTYPO3 / vhs

TYPO3 extension VHS: Fluid ViewHelpers
https://fluidtypo3.org

Security ViewHelper: Subgroups of Backend User Group #1719

Open SventB opened 3 years ago

SventB commented 3 years ago

In the security ViewHelper (v:security.allow or v:security.deny) the subgroups of backend user groups aren't considered. E.g. when using this ViewHelper in Fluid...

<v:security.allow backendUserGroups="5">

...the ViewHelper should not only check if the current backend user has the group with uid 5 assigned, but also if one of his assigned backend groups has the group with uid 5 as a subgroup (or one of the subgroups has this group assigned).

There is a core function to get the BE groups and subgroups of a current user:

\TYPO3\CMS\Backend\Utility\BackendUtility::getListGroupNames()
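A stand-alone illustration of the transitive membership check the issue asks for, written for this thread as an added example (not VHS or TYPO3 core code): the group rows are constructed in the shape of be_groups records, the helper names `resolveEffectiveGroups` and `isAllowed` are assumptions, and it reads the `subgroup` column directly rather than going through any core API.

```php
<?php
declare(strict_types=1);
// Added example, not VHS or TYPO3 core code. Group rows are constructed inline in
// the shape of be_groups records (uid => ['subgroup' => csv]) so it runs offline.

/**
 * Expand the groups assigned to a user into every group reachable through the
 * 'subgroup' relation. The visited set stops cycles (e.g. 3 lists 1, 1 lists 3).
 *
 * @param array<int, array{subgroup: string}> $groups    be_groups rows keyed by uid
 * @param string                              $assigned  the be_users 'usergroup' CSV
 * @return int[] uids the user is effectively a member of
 */
function resolveEffectiveGroups(array $groups, string $assigned): array
{
    $pending = array_filter(array_map('intval', explode(',', trim($assigned, ','))));
    $effective = [];
    while (null !== ($uid = array_shift($pending))) {
        if (isset($effective[$uid])) {
            continue; // already expanded: a cycle or a diamond in the hierarchy
        }
        $effective[$uid] = true;
        $subgroups = trim($groups[$uid]['subgroup'] ?? '', ',');
        if ($subgroups !== '') {
            foreach (explode(',', $subgroups) as $sub) {
                $pending[] = (int) $sub;
            }
        }
    }
    return array_keys($effective);
}

/** Same rule as v:security.allow backendUserGroups="...": any listed group matching passes. */
function isAllowed(array $effectiveGroups, string $requiredCsv): bool
{
    $required = array_map('intval', explode(',', $requiredCsv));
    return [] !== array_intersect($required, $effectiveGroups);
}

// Constructed fixture: the user is directly assigned only group 1;
// 1 -> 3, 3 -> 5 and 3 -> 1 (cycle), and 9 is linked nowhere.
$groups = [
    1 => ['subgroup' => '3'],
    3 => ['subgroup' => '5,1'],
    5 => ['subgroup' => ''],
    9 => ['subgroup' => ''],
];
$effective = resolveEffectiveGroups($groups, ',1,');
var_dump(isAllowed($effective, '5'), isAllowed($effective, '9')); // 5 is reachable only via 1 -> 3 -> 5
```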

SventB commented 3 years ago

This should do it (tested in TYPO3 v8):

- $currentBackendUser = $this->getCurrentBackendUser();
- $currentUserGroups = trim($currentBackendUser['usergroup'], ',');
- $userGroups = false === empty($currentUserGroups) ? explode(',', $currentUserGroups) : [];
+ $userGroups = array_keys(\TYPO3\CMS\Backend\Utility\BackendUtility::getListGroupNames());
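Review bot: the `+` line builds the list from `BackendUtility::getListGroupNames()`, which (as pointed out later in this thread) is deprecated from TYPO3 v9 on, so this patch only holds for the v8 install it was tested on; the `-` lines also remove the `$currentBackendUser = $this->getCurrentBackendUser();` assignment, so any later code in the ViewHelper that still reads `$currentBackendUser` should be checked before this is applied. Keeping that assignment and deriving the expanded group list from the user record itself would avoid both problems.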

neufeind commented 2 years ago

That one was deprecated in v9: https://docs.typo3.org/c/typo3/cms-core/9.5/en-us/Changelog/9.0/Deprecation-81534-BackendUtilitygetListGroupNamesDeprecated.html Use getGroupNames() instead now.

But looking at the code imho that also doesn't take subgroups into account?

SventB commented 2 years ago

No, don't use getGroupNames() because it returns all existing BE usergroups. This is the fix for TYPO3 v10:

- $currentUserGroups = trim($currentBackendUser['usergroup'], ',');
+ $currentUserGroups = trim($currentBackendUser['usergroup_cached_list'], ',');
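Review bot: the `+` line passes `$currentBackendUser['usergroup_cached_list']` straight into `trim()`; if that key can be absent (no backend user logged in, or a record that has not gone through the authentication step that fills the cached list), `trim(null, ',')` raises a deprecation on PHP 8.1+, so `trim($currentBackendUser['usergroup_cached_list'] ?? '', ',')` is the safer form. The same expanded list should also feed `v:security.deny`, otherwise allow and deny disagree for members of a subgroup.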