Bug #104004

open

Incorrect handling of authMode in EditableRestriction in linkvalidator

Added by Sybille Peters 2 months ago. Updated about 1 month ago.

Status: Accepted
Priority: Should have
Category: Linkvalidator
Target version: -
Start date: 2024-06-08
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 13
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

With the class EditableRestriction, restrictions for the current BE user are applied when fetching broken link records.

One of the restrictions is handling authMode. This is currently not correctly handled:

1. authMode is only applied for "type" fields. This is not correct.
2. authMode is not applied for "pages". Pages might have to be handled differently because the SQL request is joined with pages; this should be checked.
3. If the $this->explicitAllowFields[$table][$type] is empty, no restrictions are applied, but this can also mean that no values are allowed.

Caveats: Only the "type" field is written to tx_linkvalidator_broken_links.element_type.

Ideally add some more tests.

Details for 1.

This is currently evaluated only if the field containing this setting is a "type" field (as defined by $GLOBALS['TCA'][$table]['ctrl']['type']). I don't think this is correct. While currently in the core, the authMode field is usually a type field (such as CType), this is not a prerequisite: you can also restrict access to any field (as long as it is type="select").

    if ($table !== 'pages' && ($GLOBALS['TCA'][$table]['ctrl']['type'] ?? false)) {
        $type = $GLOBALS['TCA'][$table]['ctrl']['type'];
        $fieldConfig = $GLOBALS['TCA'][$table]['columns'][$type]['config'];
        // Check for items
        if ($fieldConfig['type'] === 'select'
            && is_array($fieldConfig['items'] ?? false)
            && isset($fieldConfig['authMode'])
        ) {
            $this->explicitAllowFields[$table][$type] = $this->getExplicitAllowTypesForCurrentUser(
                $table,
                $type
            );
        }
    }

Versions

  • applies to main, v12, v11
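
Added example (not TYPO3 core code and not part of the original report): a stand-alone PHP sketch of points 1 and 3 above, collecting allow lists for every select field that sets authMode and treating an empty allow list as "nothing allowed" rather than "no restriction". The table, field and item names, the grant string format and both function names are hypothetical; the sketch filters records in memory and does not build the SQL constraint.

```php
<?php
declare(strict_types=1);

// Constructed TCA-like sample; table, field and item names are hypothetical.
$tca = ['tx_demo' => ['ctrl' => ['type' => 'kind'], 'columns' => [
    'kind'  => ['config' => ['type' => 'select', 'authMode' => 'explicitAllow',
                'items' => [['value' => 'text'], ['value' => 'html']]]],
    'level' => ['config' => ['type' => 'select', 'authMode' => 'explicitAllow',
                'items' => [['value' => 'a'], ['value' => 'b']]]],
    'title' => ['config' => ['type' => 'input']],
]]];
// Constructed grants of the current user, as "table:field:value" strings.
$grants = ['tx_demo:kind:text'];

/**
 * Allowed values per authMode field. A field missing from the result is
 * unrestricted; a field mapped to [] is restricted with nothing allowed.
 */
function collectAllowedValues(array $tca, string $table, array $grants): array
{
    $allowed = [];
    foreach ($tca[$table]['columns'] ?? [] as $field => $column) {
        $config = $column['config'] ?? [];
        if (($config['type'] ?? '') !== 'select' || !isset($config['authMode'])) {
            continue; // no authMode here: keep the field out of the result
        }
        $allowed[$field] = []; // restricted from now on, even if it stays empty
        foreach ($config['items'] ?? [] as $item) {
            if (in_array(implode(':', [$table, $field, $item['value']]), $grants, true)) {
                $allowed[$field][] = $item['value'];
            }
        }
    }
    return $allowed;
}

/** A record passes only if every restricted field holds an allowed value. */
function isRecordAllowed(array $allowed, array $record): bool
{
    foreach ($allowed as $field => $values) {
        if (!in_array($record[$field] ?? null, $values, true)) {
            return false; // an empty $values list always ends up here
        }
    }
    return true;
}

$allowed = collectAllowedValues($tca, 'tx_demo', $grants);
var_dump($allowed); // 'level' is present with an empty list, 'title' is absent
var_dump(isRecordAllowed($allowed, ['kind' => 'text', 'level' => 'a']));
```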