Bug #100707

open

Web>List only applies list_type restriction if this column is shown to show "controls"

Added by Ernesto Baschny about 1 year ago. Updated about 1 year ago.

Status: New
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2023-04-21
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 11
PHP Version: 8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The ACL explicit_allowdeny allows restricting an editor to certain plugin types (field list_type):

If an admin creates a plugin of a certain list_type which is not allowed for the editor, in the Web>List module the editor will still see the "controls" which would allow him to edit this content element:

As soon as the user also shows the column list_type, the permission check works and he does not see the icons anymore:

The bug most probably came from the optimizations done in Web>List in https://review.typo3.org/c/Packages/TYPO3.CMS/+/68666 - the $row which is passed on to DatabaseRecordList::makeControl and then later to BackendUserAuthentication::recordEditAccessInternals() is no longer the full row, but just a basic version of it plus the fields selected by the user in the backend. So list_type is missing, and this auth check is then no longer performed.
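To make the described mechanism concrete, here is an added example (not TYPO3 core code, all names hypothetical): a simulation of a permission check that only evaluates fields present in the row it receives, showing why the reduced Web>List row skips the list_type restriction while the full record still fails the check; the rowForAccessCheck() hardening is my assumption, not something the ticket proposes.

```php
<?php
declare(strict_types=1);

// Constructed simulation of the reported behaviour. Hypothetical names;
// this is not TYPO3's own code.

// Per-user ACL: list_type values explicitly allowed for this editor
// (stands in for explicit_allowdeny / authMode "explicitAllow").
const ALLOWED_LIST_TYPES = ['news_pi1'];

// Constructed full database record of the content element.
const FULL_ROW = ['uid' => 42, 'pid' => 1, 'CType' => 'list', 'list_type' => 'dhbwevents_events'];

/**
 * Only the fields contained in $row are evaluated, so a missing
 * list_type means the restriction is silently not applied.
 * Returns null when access is granted, otherwise the failure reason.
 */
function recordEditAccessInternalsSim(array $row): ?string
{
    foreach ($row as $field => $value) {
        if ($field === 'list_type' && !in_array($value, ALLOWED_LIST_TYPES, true)) {
            return sprintf('authMode "explicitAllow" failed for field "%s" with value "%s"', $field, $value);
        }
    }
    return null; // nothing restricted was present in the row
}

/** The Web>List case: basic fields plus whatever columns the user selected. */
function reducedRow(array $fullRow, array $selectedColumns): array
{
    $basic = ['uid', 'pid', 'CType'];
    return array_intersect_key($fullRow, array_flip(array_merge($basic, $selectedColumns)));
}

/** Assumed hardening: always include restricted fields before the access check. */
function rowForAccessCheck(array $fullRow, array $selectedColumns): array
{
    return reducedRow($fullRow, array_merge($selectedColumns, ['list_type']));
}

// Buggy case: list_type not selected, check passes, control icons get rendered.
var_dump(recordEditAccessInternalsSim(reducedRow(FULL_ROW, ['header'])));
// Selecting the column makes the check work, as the report describes.
var_dump(recordEditAccessInternalsSim(reducedRow(FULL_ROW, ['header', 'list_type'])));
// Hardened: the outcome no longer depends on the user's column selection.
var_dump(recordEditAccessInternalsSim(rowForAccessCheck(FULL_ROW, ['header'])));
// Save-time check on the full record still denies, so the bug is cosmetic only.
var_dump(recordEditAccessInternalsSim(FULL_ROW));
```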


Files

acl-list-type.png (116 KB), Ernesto Baschny, 2023-04-21 14:16
acl-list-type.png (78.5 KB), Ernesto Baschny, 2023-04-21 14:16
web-list-buggy.png (67.2 KB), Ernesto Baschny, 2023-04-21 14:21
web-list-ok.png (67.1 KB), Ernesto Baschny, 2023-04-21 14:21

Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Task #93847: Split up RecordList table rendering (Closed, Benni Mack, 2021-04-01)

#1

Updated by Ernesto Baschny about 1 year ago

  • Related to Task #93847: Split up RecordList table rendering added
#2

Updated by Ernesto Baschny about 1 year ago

Btw, clicking on one of the shown icons when the ACL check fails does not work, and brings the user to the exception:

Sorry, you didn't have proper permissions to perform this change.
ERROR: authMode "explicitAllow" failed for field "list_type" with value "dhbwevents_events" evaluated

So the problem is just "cosmetic", but also UX-related, and has no security implications (AFAIK).
