Bug #105413
Linkvalidator BE-Module wrong permissions for invalid links in page attributes
Description
Steps to Reproduce
1. Create a page and disallow editing that page using the Access-Module
2. Create an external-URL page below the previously created page and set an invalid URL
3. Run the Linkvalidator Task
4. Log in as a user without admin privileges
5. Select the external-url page and open the LinkValidator Backend Module
The invalid Link won't be shown even though the user should have access to the page, because only the parent page is restricted.
Invalid links in Content-Elements are not affected by this issue.
Technical Analysis
The Linkvalidator creates an entry for every invalid link. This entry contains a record_pid. For links within Content-Elements this pid is the page containing the Content-Element. For links in page attributes the pid is the parent page of the page with the affected attribute.
When fetching the links for the BE-Module the page-table is joined using the record_pid. (see https://github.com/TYPO3/typo3/blob/main/typo3/sysext/linkvalidator/Classes/Repository/BrokenLinkRepository.php#L105)
This means the EditableRestrictions are applied to the page referenced in record_pid.
Updated by Sybille Peters about 2 months ago
- Related to Task #105873: Should always store page id in tx_linkvalidator_broken_links not pid added
Updated by Sybille Peters about 2 months ago
- Status changed from New to Accepted
Thank you very much for your bug report, steps to reproduce and analysis. I can reproduce this for v14.
The fact that record_pid contains the pid is actually very inconvenient. We really only need the page id. The fact that it is that way makes every DB query have a separate check for pages and non-pages, see also #105873
I would very much like to change this anyway, but would probably not be able to backport that. So we will try to look into a fix for this bug, regardless.
Updated by Sybille Peters about 2 months ago
There are 2 problems:
1. As mentioned above:
When fetching the links for the BE-Module the page-table is joined using the record_pid. (see https://github.com/TYPO3/typo3/blob/main/typo3/sysext/linkvalidator/Classes/Repository/BrokenLinkRepository.php#L105)
This means the EditableRestrictions are applied to the page referenced in record_pid.
2. The list of pids will not recurse into pages which the user does not have permission to. The page should just not be added to the list of pids, but it should recurse into it:
see PagesRepository::getAllSubpagesForPage
3. BrokenLinkRepository::getAllBrokenLinksForPages
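The join behaviour described in the Technical Analysis and in problem 1 above, reproduced on an in-memory SQLite database as an added example; it is not part of the original report, the TYPO3 code base or the patch under review. Assumptions: the two-table schema is a simplified stand-in, the `editable` column is a hypothetical substitute for the per-user edit restriction, all rows and URLs are constructed, and the `CASE` join is only one possible way to check the owning page.

```python
import sqlite3

# Constructed, simplified schema: `editable` stands in for the result of the
# per-user edit-permission restriction; it is not a real TYPO3 column.
SCHEMA = """
CREATE TABLE pages (uid INTEGER PRIMARY KEY, pid INTEGER, editable INTEGER);
CREATE TABLE broken_links (record_uid INTEGER, record_pid INTEGER,
                           table_name TEXT, url TEXT);
INSERT INTO pages VALUES (1, 0, 1);    -- root
INSERT INTO pages VALUES (10, 1, 0);   -- parent page, editing disallowed
INSERT INTO pages VALUES (11, 10, 1);  -- external-URL page, editable
-- link in a page attribute of page 11: record_pid is the parent page (10)
INSERT INTO broken_links VALUES (11, 10, 'pages', 'https://invalid.example/page');
-- link in a content element stored on page 11: record_pid is page 11
INSERT INTO broken_links VALUES (50, 11, 'tt_content', 'https://invalid.example/ce');
"""

# Rows that belong to the selected page, for both kinds of record.
ON_PAGE = """((bl.table_name = 'pages' AND bl.record_uid = :page)
           OR (bl.table_name <> 'pages' AND bl.record_pid = :page))"""

# Join as described in the report: permission is checked on record_pid.
JOIN_RECORD_PID = "p.uid = bl.record_pid"
# Join on the page that actually owns the link (assumed alternative).
JOIN_OWNING_PAGE = """p.uid = CASE WHEN bl.table_name = 'pages'
                              THEN bl.record_uid ELSE bl.record_pid END"""


def visible_links(conn, page, join_condition):
    """Return broken-link URLs on `page` that pass the permission join."""
    sql = (f"SELECT bl.url FROM broken_links bl JOIN pages p ON {join_condition} "
           f"WHERE p.editable = 1 AND {ON_PAGE} ORDER BY bl.url")
    return [row[0] for row in conn.execute(sql, {"page": page})]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return (visible_links(conn, 11, JOIN_RECORD_PID),
            visible_links(conn, 11, JOIN_OWNING_PAGE))


if __name__ == "__main__":
    as_reported, on_owning_page = demo()
    print("join on record_pid: ", as_reported)
    print("join on owning page:", on_owning_page)
```

With the join on record_pid, the page-attribute link on page 11 is filtered out because the restriction is evaluated against page 10, while the content-element link on the same page still appears.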
Updated by Gerrit Code Review about 2 months ago
- Status changed from Accepted to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610
Updated by Gerrit Code Review about 2 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610
Updated by Gerrit Code Review about 2 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610
Updated by Gerrit Code Review about 2 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87610