Actions
Bug #90878
closed
Editors with no page delete permissions can't delete content elements
Start date:
2020-03-29
Due date:
% Done:
100%
Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:
Description
Create an editor, that:
- can edit any content
- can't delete pages
- The page will reload.
- The content is still there.
Cause of the problem appears to be this cleanup commit:
https://review.typo3.org/c/Packages/TYPO3.CMS/+/62763
This check:
if (!$noRecordCheck && !$this->doesRecordExist($table, $uid,'delete')) {
changed to:
if (!$noRecordCheck && !$this->doesRecordExist($table, $uid, Permission::PAGE_DELETE)) {
The cleanup commit message states, that 'delete' only stands for "delete page". But if you look at the content of the function DataHandler::recordInfoWithPermissionCheck() you can see, that the $perm 'delete' will automatically be converted to 'edit' or 'editcontent', if the tables is not 'pages'. (Yeah, this permissis stuff in here is pretty convoluted and dumb, but we are talking about DataHandler here)
So the changes made in the mentioned line above now always check for the page delete permissions and fail to fall back to the content element edit permissions, as it was previously done.
Updated by 
Updated by 
Updated by
Actions