ShowAction analyzes query parameters even if override flag is not set and a singleRecord is set

[christophrunkel]

Bug Report

Current Behavior
I have a page with an embedded ddress plugin with the following flexform configuration:

• displayMode: single
• singleRecords : 19 (single Uid)
• allowOverride: false

if i request the page with query parameters like this:

/?tx_ttaddress_listview[action]=show&tx_ttaddress_listview[address]=25&tx_ttaddress_listview[controller]=Address&cHash=xxxxxx

the address record 25 is displayed, although 19 is selected and override is not set. This can be used to intentionally display a wrong contact person for the page.

Expected behavior/output
If singleRecords are configured and override is not set, only the selected flexform records should be displayed.

Environment

• TYPO3 version(s):11.5.39
• tt_address version: 6.1.0 to 8.1.1
• Non Composer Mode
• PHP 7.4 / 8.2

Possible Solution

Add something like this in the beginning of the showAction in addressController.php

     if (is_numeric($this->settings['singleRecords']?? "") && !$this->settings['allowOverride'])
    {
        $address = $this->addressRepository->findByUid($this->settings['singleRecords']);
    }

Additional context
Add any other context about the problem here

[christophrunkel]

SPAM?!