Bug #101336

open

Epic #90674: Backend UI not reflecting permissions

Pages are shown in page tree even if (non-admin) BE user has no DB mounts and "Mount from groups" "DB Mounts" is off

Added by Sybille Peters 10 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Pagetree
Target version:
-
Start date:
2023-07-12
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
13
PHP Version:
Tags:
backend user permissions
Complexity:
Is Regression:
Sprint Focus:

Description

This could also be a privacy problem because the user sees pages in the page tree which he has no business seeing (which might be access protected).

He can also see
- which user is currently editing the page (see first screenshot)

I could reproduce it in a way where the user sees all pages in the entire installation (even though they are not even in the DB mount in the group).

It is only reproducible

- if the user does not have any DB mounts at all
- OR has a DB mount but no permission for the pages.

This could happen through wrong page permissions or misconfiguration of the BE user.

Reproduce

  1. create a user with no DB mount, set "Mount from groups" | "DB mounts" to off, and assign this user to a group
  2. add a DB mount in the group
  3. switch to user
  4. switch to page module (or list module)

Result

The pages which are available for the group will now be displayed in the page tree, but the user has no access to them. If he clicks on a page, an exception is thrown: "You don't have access to this page".

Also: context menu | "Info" is displayed, but this results in the error message: "Sorry, you didn't have proper permissions to perform this change."

Expected behaviour

- If the user does not have access to the pages, they should not be displayed in the page tree, and if he has access to no pages, no pages should be displayed in the page tree
- In one case an exception is thrown; in the other (context menu | "Info") a modal dialog with an error is displayed. I would always expect the error message, not the exception

Setup

user1:
  • has mostly default permissions, no DB mounts or any modifications of permissions, except:
  • has group group1
  • "Mounts and Workspaces" | "Mount from groups" | "DB Mounts" is off
group1:
  • has DB mount (page id 1)
  • has access to all modules: "Access Lists" | "Modules": all selected
  • has (read) access to all tables: "Access Lists" | "Tables (listing)": all selected
page tree (page id 1):
  • "everybody" has all permissions (set in "Access" module)

Versions

Reproduced with

  • v11 ... latest main
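The following is an added illustration, not code from the report or from TYPO3 core. It models the two checks the report describes with hypothetical names: the page tree listing (which, as reported, honours the group's DB mounts even though "Mount from groups" | "DB Mounts" is off) and the access check applied when the page is opened (which honours the flag and therefore fails). `mount_db_from_groups` stands for that checkbox, `everybody_can_read` for the "everybody" permission set on page 1, and the page/group/user fixture is constructed to mirror the "Setup" section. The security point it demonstrates is that what is rendered and what is authorised must be decided by one and the same predicate; once `tree_expected` uses `may_access`, the tree for user1 is empty, exactly the expected behaviour.

```python
from dataclasses import dataclass


@dataclass
class Page:
    uid: int
    pid: int                    # parent page uid, 0 for the root level
    everybody_can_read: bool    # stands in for the "everybody" read permission on the page


@dataclass
class Group:
    uid: int
    db_mounts: frozenset        # page uids mounted for the group


@dataclass
class User:
    uid: int
    groups: tuple
    db_mounts: frozenset        # the user's own DB mounts
    mount_db_from_groups: bool  # "Mounts and Workspaces" | "Mount from groups" | "DB Mounts"


def effective_db_mounts(user: User) -> frozenset:
    """Mounts the user is entitled to: own mounts, plus group mounts only when the flag is on."""
    mounts = set(user.db_mounts)
    if user.mount_db_from_groups:
        for group in user.groups:
            mounts |= group.db_mounts
    return frozenset(mounts)


def rootline(pages: dict, uid: int) -> list:
    """The page uid followed by its ancestors up to the root."""
    line = []
    while uid != 0:
        line.append(uid)
        uid = pages[uid].pid
    return line


def inside_mounts(pages: dict, mounts, uid: int) -> bool:
    """A page is reachable if it or one of its ancestors is a mount point."""
    return any(p in mounts for p in rootline(pages, uid))


def may_access(user: User, pages: dict, uid: int) -> bool:
    """The check applied when the page is opened: mounts (flag honoured) plus page permission."""
    return pages[uid].everybody_can_read and inside_mounts(pages, effective_db_mounts(user), uid)


def tree_as_reported(user: User, pages: dict) -> list:
    """Models the reported behaviour: the tree uses group mounts regardless of the flag."""
    mounts = set(user.db_mounts)
    for group in user.groups:
        mounts |= group.db_mounts
    return sorted(uid for uid in pages if inside_mounts(pages, mounts, uid))


def tree_expected(user: User, pages: dict) -> list:
    """Expected behaviour: list a page only if opening it would succeed."""
    return sorted(uid for uid in pages if may_access(user, pages, uid))


# Constructed fixture mirroring the "Setup" section: page 1 with two descendants,
# group1 mounting page 1, user1 in group1 with no own mounts and the flag off.
PAGES = {
    1: Page(uid=1, pid=0, everybody_can_read=True),
    2: Page(uid=2, pid=1, everybody_can_read=True),
    3: Page(uid=3, pid=2, everybody_can_read=True),
}
GROUP1 = Group(uid=1, db_mounts=frozenset({1}))
USER1 = User(uid=2, groups=(GROUP1,), db_mounts=frozenset(), mount_db_from_groups=False)


def reproduce():
    """Returns (pages shown in the tree, pages the user may open, shown-but-inaccessible pages)."""
    shown = tree_as_reported(USER1, PAGES)
    allowed = tree_expected(USER1, PAGES)
    leaked = [uid for uid in shown if not may_access(USER1, PAGES, uid)]
    return shown, allowed, leaked


if __name__ == "__main__":
    shown, allowed, leaked = reproduce()
    print("tree shows:", shown)              # [1, 2, 3]
    print("user may open:", allowed)         # []
    print("shown without access:", leaked)   # [1, 2, 3]
```

Switching `mount_db_from_groups` to True in the fixture makes both listings agree (all three pages), which is the second half of the report: the discrepancy only appears when the tree and the access check disagree about which mounts apply.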

Screenshot

[screenshot not included in this copy of the report]
