Bug #65615: Editors can sort pages in module functions - they can see and sort restricted pages like templates - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #65615

open

Epic #90674: Backend UI not reflecting permissions

Editors can sort pages in module functions - they can see and sort restricted pages like templates

Added by Andrea Herzog-Kienast about 9 years ago. Updated about 4 years ago.

Status:

Accepted

Priority:

Should have

Assignee:

Category:

Backend User Interface

Target version:

Start date:

2015-03-09

Due date:

% Done:

Estimated time:

TYPO3 Version:

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

Hi,
IMHO it is not a good idea to let editors see pages, they are not allowed to see. In the pagetree, they are not allowed to see restricted pages like template folders - but in module funktions they can see those data if they chose "Functions -> Sort pages".

Ok, thoses pages and folders are marked with W! - but what does this tell to an editor.
And if he sorts the pages, those pages are affected.
As an admin I do not like to see the editor putting my pages on another position.

As I can't add images inline, example image is attached.

This behaviour is tested in 6.2 and 7.1.

Files

functions-sorting.png (105 KB) functions-sorting.png

Andrea Herzog-Kienast, 2015-03-09 14:14

Actions

Copy link

Updated by Georg Ringer over 5 years ago

Project changed from TYPO3 Core to 1716
Category deleted (~~Backend User Interface~~)

Actions

Copy link

Updated by Oliver Hader over 5 years ago

Affected Version set to v6.2

Actions

Copy link

Updated by Oliver Hader over 5 years ago

TYPO3 Version changed from 7 to 6.2

Actions

Copy link

Updated by Oliver Hader over 5 years ago

Category set to OW-A05: Broken Access Control
Priority changed from Must have to Should have
Target version set to elts

Actions

Copy link

Updated by Oliver Hader over 5 years ago

TYPO3 Version changed from 6.2 to 8
Affected Version changed from v6.2 to v6.2, v7, v8, v9, master

Actions

Copy link

Updated by Oliver Hader over 5 years ago

Reproducible with master (pre 10.0-dev) with the scenario

all pages can be edited
except one (that's the important point)

TYPO3 technically behaves correctly and does not change sorting order of that page - but of all other pages that are allowed to be edited.

Actions

Copy link

Updated by Oliver Hader over 5 years ago

Status changed from New to Accepted

Actions

Copy link

Updated by Oliver Hader over 5 years ago

Target version changed from elts to Release January 2019

Actions

Copy link

Updated by Oliver Hader over 5 years ago

In case one of the candidates to be reordered cannot be changed, the whole sorting action should fail with according error message.

Actions

Copy link

#10

Updated by Oliver Hader over 5 years ago

Actually this is not a security issue... the impact is only on "availability" which might lead to DoS scenarios, but highly depends on how the site is organized and configured in general.

Actions

Copy link

#11