[!!!][SECURITY] Prevent possible information disclosure OutputController

Classes/Controller/OutputController.php

@@ -65,12 +65,16 @@ public function listAction(): ResponseInterface
 
     /**
      * @param Mail $mail
-     * @return void
+     * @return ResponseInterface
      * @noinspection PhpUnused
      * @throws Exception
      */
     public function showAction(Mail $mail): ResponseInterface
     {
+        if (!FrontendUtility::isAllowedToView($this->settings, $mail)) {
+            return (new ForwardResponse('list'));
+        }
+
         $fieldArray = $this->getFieldList($this->settings['single']['fields']);
         $this->view->assignMultiple(
             [
@@ -84,12 +88,21 @@ public function showAction(Mail $mail): ResponseInterface
 
     /**
      * @param Mail $mail
-     * @return void
+     * @return ResponseInterface
      * @noinspection PhpUnused
      * @throws Exception
      */
     public function editAction(Mail $mail = null): ResponseInterface
     {
+        if (!FrontendUtility::isAllowedToEdit($this->settings, $mail)) {
+            $this->addFlashmessage(
+                LocalizationUtility::translate('PowermailFrontendEditFailed'),
+                '',
+                AbstractMessage::ERROR
+            );
+            return new ForwardResponse('list');
+        }
+
         $fieldArray = $this->getFieldList($this->settings['edit']['fields']);
         $this->view->assignMultiple(
             [
@@ -118,142 +131,60 @@ public function editAction(Mail $mail = null): ResponseInterface
      */
     public function initializeUpdateAction()
     {
-        $arguments = $this->request->getArguments();
-        if (!FrontendUtility::isAllowedToEdit($this->settings, $arguments['field']['__identity'])) {
-            $this->controllerContext = $this->buildControllerContext();
-            $this->addFlashmessage(
-                LocalizationUtility::translate('PowermailFrontendEditFailed'),
-                '',
-                AbstractMessage::ERROR
-            );
-            return new ForwardResponse('list');
-        }
         $this->reformatParamsForAction();
     }
 
     /**
      * @param Mail $mail
      * @ExtbaseAnnotation\Validate("In2code\Powermail\Domain\Validator\InputValidator", param="mail")
-     * @return void
+     * @return ResponseInterface
      * @throws StopActionException
      * @throws UnsupportedRequestTypeException
      * @throws IllegalObjectTypeException
      * @throws UnknownObjectException
      * @throws \Exception
      * @noinspection PhpUnused
      */
-    public function updateAction(Mail $mail): void
+    public function updateAction(Mail $mail): ResponseInterface
     {
+        if (!FrontendUtility::isAllowedToEdit($this->settings, $mail)) {
+            $this->addFlashmessage(
+                LocalizationUtility::translate('PowermailFrontendEditFailed'),
+                '',
+                AbstractMessage::ERROR
+            );
+            return new ForwardResponse('list');
+        }
+
         $this->uploadService->uploadAllFiles();
         $this->mailRepository->update($mail);
         $this->addFlashmessage(LocalizationUtility::translate('PowermailFrontendEditSuccessful'));
-        $this->redirect('edit', null, null, ['mail' => $mail]);
+        return (new ForwardResponse('edit'))->withArguments(['mail' => $mail]);
     }
 
     /**
-     * @return void
-     * @throws DBALException
-     * @throws Exception
-     * @throws StopActionException
+     * @param Mail $mail
+     * @return ResponseInterface
+     * @throws IllegalObjectTypeException
      * @noinspection PhpUnused
      */
-    public function initializeDeleteAction()
+    public function deleteAction(Mail $mail): ResponseInterface
     {
-        $arguments = $this->request->getArguments();
-        if (!FrontendUtility::isAllowedToEdit($this->settings, $arguments['mail'])) {
-            $this->controllerContext = $this->buildControllerContext();
+        if (!FrontendUtility::isAllowedToEdit($this->settings, $mail)) {
             $this->addFlashmessage(
                 LocalizationUtility::translate('PowermailFrontendDeleteFailed'),
                 '',
                 AbstractMessage::ERROR
             );
             return new ForwardResponse('list');
         }
-    }
 
-    /**
-     * @param Mail $mail
-     * @return void
-     * @throws IllegalObjectTypeException
-     * @noinspection PhpUnused
-     */
-    public function deleteAction(Mail $mail): ResponseInterface
-    {
         $this->assignMultipleActions();
         $this->mailRepository->remove($mail);
         $this->addFlashmessage(LocalizationUtility::translate('PowermailFrontendDeleteSuccessful'));
         return $this->htmlResponse();
     }
 
-    /**
-     * @param array $export Field Array with mails and format
-     * @return void
-     * @throws InvalidQueryException
-     * @throws StopActionException
-     * @throws Exception
-     * @noinspection PhpUnused
-     */
-    public function exportAction(array $export = []): ResponseInterface
-    {
-        if (!$this->settings['list']['export']) {
-            return $this->htmlResponse(null);
-        }
-        $mails = $this->mailRepository->findByUidList($export['fields']);
-
-        // get field array for output
-        if ($this->settings['list']['fields']) {
-            $fieldArray = GeneralUtility::trimExplode(',', $this->settings['list']['fields'], true);
-        } else {
-            $fieldArray = $this->formRepository->getFieldUidsFromForm((int)$this->settings['main']['form']);
-        }
-        $fields = $this->fieldRepository->findByUids($fieldArray);
-
-        if ($export['format'] === 'xls') {
-            return (new ForwardResponse('exportXls'))->withArguments(['mails' => $mails, 'fields' => $fields]);
-        }
-        return (new ForwardResponse('exportCsv'))->withArguments(['mails' => $mails, 'fields' => $fields]);
-        return $this->htmlResponse();
-    }
-
-    /**
-     * @param QueryResult $mails mails objects
-     * @param array $fields uid field list
-     * @return void
-     * @noinspection PhpUnused
-     */
-    public function exportXlsAction(QueryResult $mails = null, array $fields = []): ResponseInterface
-    {
-        $this->view->assign('mails', $mails);
-        $this->view->assign('fields', $fields);
-        return $this->htmlResponse();
-    }
-
-    /**
-     * @param QueryResult $mails mails objects
-     * @param array $fields uid field list
-     * @return void
-     * @noinspection PhpUnused
-     */
-    public function exportCsvAction(QueryResult $mails = null, array $fields = []): ResponseInterface
-    {
-        $this->view->assign('mails', $mails);
-        $this->view->assign('fields', $fields);
-        return $this->htmlResponse();
-    }
-
-    /**
-     * @return void
-     * @throws InvalidQueryException
-     * @noinspection PhpUnused
-     */
-    public function rssAction(): ResponseInterface
-    {
-        $mails = $this->mailRepository->findListBySettings($this->settings, $this->piVars);
-        $this->view->assign('mails', $mails);
-        $this->assignMultipleActions();
-        return $this->htmlResponse();
-    }
-
     /**
      * @return void
      */

Classes/Utility/FrontendUtility.php

@@ -154,6 +154,21 @@ public static function isAllowedToEdit(array $settings, $mail): bool
         return false;
     }
 
+    public static function isAllowedToView(array $settings, Mail $mail): bool
+    {
+        $feUser = ObjectUtility::getTyposcriptFrontendController()->fe_user->user['uid'] ?? 0;
+        if (
+            $feUser === 0 ||
+            (
+                (int)$settings['list']['showownonly'] === 1
+                && $mail->getFeuser()->getUid() !== $feUser
+            )
+        ) {
+            return false;
+        }
+        return true;
+    }
+
     /**
      * Is a frontend user logged in
      *

Documentation/Changelog/Readme.md

@@ -7,7 +7,7 @@ breaking changes and how to handle them
 
 | Version      | Release Date | Description                                                                                                                                                                                                           |
 |--------------|--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 12.3.1       | 2024-05-08   | Bugfix release                                                                                                                                                                                                        |
+| [!!!] 10.9.0 | 2024-08-21   | Security: Harden access checks to sent mails, remove export views completely without replacement                                                                                                                      |
 | 10.8.2       | 2024-07-03   | Bugfix release: Prevent exception for double opt in confirmation clicks                                                                                                                                               |
 | 10.8.1       | 2023-05-08   | Bugfix release                                                                                                                                                                                                        |
 | 10.8.0       | 2023-03-26   | Compatibility Release for EXT:powermail_cleaner (TYPO3 V11)                                                                                                                                                           |

Documentation/Changelog/UpgradeInstructions.md

@@ -1,5 +1,15 @@
 # Upgrade Instructions and breaking changes
 
+## Version 10.9.0
+
+### Breaking Change
+
+We removed the export and rss functionality completely without any replacement, because there is no
+reliable security concept behind it and is not easy to fix.
+
+If you need this, please contact [in2code](https://www.in2code.de/en/contact/) for paid assistance or implement it yourself.
+
+
 ## Version 10.7.4
 
 If you want to contribute, the URLs for the development instance changed slightly. The TYPO3 version was added