Project

General

Profile

Actions

Bug #105413

open

Linkvalidator BE-Module wrong permissions for invalid links in page attributes

Added by Roman Schilter about 2 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Linkvalidator
Target version:
-
Start date:
2024-10-23
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
8.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Steps to Reproduce
1. Create a page and disallow editing that page using the Access-Module
2. Create external-url Page below the previously created page and set an invalid url
3. Run the Linkvalidator Task
4. Login as User without Admin privileges
5. Select the external-url page and open the LinkValidator Backend Module

The invalid Link won't be shown even though the user should have access to the page, because only the parent page is restricted.
Invalid links in Content-Elements are not affected by this issue.

Technical Analysis
The Linkvalidator creates an entry for every invalid link. This entry contains a record_pid. For links within Content-Elements this pid is the page containing the Content-Element. For links in page attributes the pid is the parent page of the page with affected attribute.

When fetching the links for the BE-Module the page-table is joined using the record_pid. (see https://github.com/TYPO3/typo3/blob/main/typo3/sysext/linkvalidator/Classes/Repository/BrokenLinkRepository.php#L105)
This means the EditableRestrictions are be applied to the page referenced in record_pid.

No data to display

Actions

Also available in: Atom PDF