Bug #100707
openWeb>List only applies list_type restriction if this column is shown to show "controls"
0%
Description
The ACL explicit_allowdeny
allows to restrict an editor to certain plugin types (field list_type
):
If an admin creates a plugin of a certain list_type which is not allowed by the editor, in Web>List module the editor will still see the "controls" which would allow him to edit this content element:
As soon as the user also shows the column list_type
, the permission check works and he does not see the icons anymore:
The bug most probably came from the optimizations done in Web>List in https://review.typo3.org/c/Packages/TYPO3.CMS/+/68666 - the $row which is passed on to DatabaseRecordList::makeControl and then later to BackendUserAuthentication::recordEditAccessInternals() no longer is the full row, but just a basic version of it + the fields select by the user in the backend. So list_type
is missing, and this auth-check is then no longer performed.
Files