Bug #105413

open

Linkvalidator BE-Module wrong permissions for invalid links in page attributes

Added by Roman Schilter 4 months ago. Updated about 2 months ago.

Status: Under Review
Priority: Should have
Category: Linkvalidator
Target version: -
Start date: 2024-10-23
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 12
PHP Version: 8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Steps to Reproduce
1. Create a page and disallow editing that page using the Access-Module
2. Create an external-url page below the previously created page and set an invalid URL
3. Run the Linkvalidator Task
4. Log in as a user without admin privileges
5. Select the external-url page and open the LinkValidator Backend Module

The invalid Link won't be shown even though the user should have access to the page, because only the parent page is restricted.
Invalid links in Content-Elements are not affected by this issue.

Technical Analysis
The Linkvalidator creates an entry for every invalid link. This entry contains a record_pid. For links within Content-Elements this pid is the page containing the Content-Element. For links in page attributes the pid is the parent page of the page with affected attribute.

When fetching the links for the BE-Module the page-table is joined using the record_pid. (see https://github.com/TYPO3/typo3/blob/main/typo3/sysext/linkvalidator/Classes/Repository/BrokenLinkRepository.php#L105)
This means the EditableRestrictions are applied to the page referenced in record_pid.
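
The join behaviour from the technical analysis, reproduced as an added example that is not part of the original report or of TYPO3's code. It uses a simplified SQLite model in which the `editable` column is an assumed stand-in for the editable-page restriction, and the second join condition is a hypothetical alternative, not the patch under review.

```python
import sqlite3

# Constructed, simplified schema. `editable` is an assumption: it stands in for
# the result of the editable-page restriction for one non-admin backend user.
SCHEMA = """
CREATE TABLE pages (uid INTEGER PRIMARY KEY, pid INTEGER, title TEXT, editable INTEGER);
CREATE TABLE tx_linkvalidator_broken_links (
    record_uid INTEGER, record_pid INTEGER, table_name TEXT, url TEXT);
"""

# Constructed sample data following the steps to reproduce: page 10 is locked
# for the user, page 11 (the external-url page) sits below it and is editable.
ROWS = """
INSERT INTO pages VALUES (10, 0, 'Restricted parent', 0);
INSERT INTO pages VALUES (11, 10, 'External URL page', 1);
INSERT INTO tx_linkvalidator_broken_links
    VALUES (11, 10, 'pages', 'https://invalid.example/a');
INSERT INTO tx_linkvalidator_broken_links
    VALUES (500, 11, 'tt_content', 'https://invalid.example/b');
"""

# Join as described in the analysis: always on record_pid.
JOIN_ON_RECORD_PID = "pages.uid = l.record_pid"
# Hypothetical alternative: join on the page the broken link belongs to.
JOIN_ON_OWNING_PAGE = ("pages.uid = CASE WHEN l.table_name = 'pages' "
                       "THEN l.record_uid ELSE l.record_pid END")


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + ROWS)
    return conn


def visible_links(conn, join_condition):
    """Return broken-link URLs that survive the permission join.

    join_condition must be one of the module constants above; it is never
    built from user input.
    """
    sql = ("SELECT l.url FROM tx_linkvalidator_broken_links l "
           f"JOIN pages ON {join_condition} "
           "WHERE pages.editable = 1 ORDER BY l.url")
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    print("join on record_pid :", visible_links(db, JOIN_ON_RECORD_PID))
    print("join on owning page:", visible_links(db, JOIN_ON_OWNING_PAGE))
```

The content-element link is listed by both joins, while the page-attribute link is listed only when the join resolves to the page itself.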


Related issues 1 (1 open, 0 closed)

Related to TYPO3 Core - Task #105873: Should always store page id in tx_linkvalidator_broken_links not pid | New | Sybille Peters | 2025-01-01

Actions #1

Updated by Sybille Peters about 2 months ago

  • Related to Task #105873: Should always store page id in tx_linkvalidator_broken_links not pid added
Actions #2

Updated by Sybille Peters about 2 months ago

  • Status changed from New to Accepted

Thank you very much for your bug report, steps to reproduce and analysis. I can reproduce this for v14.

The fact that record_pid contains the pid is actually very inconvenient. We really only need the page id. The fact that it is that way makes every DB query have a separate check for pages and non-pages, see also #105873

I would very much like to change this anyway, but would probably not be able to backport that. So we will try to look into a fix for this bug, regardless.

Actions #3

Updated by Sybille Peters about 2 months ago · Edited

There are 2 problems:

1. As mentioned above:

When fetching the links for the BE-Module the page-table is joined using the record_pid. (see https://github.com/TYPO3/typo3/blob/main/typo3/sysext/linkvalidator/Classes/Repository/BrokenLinkRepository.php#L105)

This means the EditableRestrictions are applied to the page referenced in record_pid.

2. The list of pids will not recurse into pages which the user does not have permission to. The page should just not be added to the list of pids, but it should recurse into it:

see PagesRepository::getAllSubpagesForPage

3. BrokenLinkRepository::getAllBrokenLinksForPages

Actions #4

Updated by Gerrit Code Review about 2 months ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610

Actions #5

Updated by Sybille Peters about 2 months ago

  • Assignee set to Sybille Peters
Actions #6

Updated by Gerrit Code Review about 2 months ago

Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610

Actions #7

Updated by Gerrit Code Review about 2 months ago

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610

Actions #8

Updated by Gerrit Code Review about 2 months ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610
