Project

General

Profile

Actions

Bug #14238

closed

User cannot save existing page if page-type is not allowed by backend-group config

Added by Andreas Beutel almost 20 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend API
Target version:
-
Start date:
2004-07-14
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.2
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
No
Sprint Focus:
On Location Sprint

Description

A user may open and edit an existing page (-header) but may not be able to save the page if he has no access to the current page type. For example if you edit the page-header of an »Advanced« page you may not be able to save the changes without changing the page type to an allowed one, if the group of the users has no access to »Advanced« pages.

(issue imported from #M215)


Files

Cattura.PNG (10.8 KB) Cattura.PNG Riccardo De Contardi, 2013-05-14 16:07
Cattura2.PNG (9.12 KB) Cattura2.PNG Riccardo De Contardi, 2013-05-14 16:07

Related issues 1 (1 open0 closed)

Related to TYPO3 Core - Bug #75890: editor with only read access to page - some interface improvementsNew2016-04-24

Actions
Actions #1

Updated by Andreas Beutel over 19 years ago

Bug persists in TYPO3 version 3.7.0RC1.

Actions #2

Updated by Ingmar Schlecht over 19 years ago

...which means it will not be fixed for 3.7 final because a change to something as security relevant as this needs more testing than just a few days.

Actions #3

Updated by Sebastian Kurfuerst about 19 years ago

Are there any proposals how to deal with that? Maybe there needs to be a possibility to select "Don't change" instead of an allowed pagetype?

Actions #4

Updated by Andreas Beutel about 19 years ago

There are some usability issues related to this:

If a user is not allowed to set the page type to "Advanced", does this imply he/she is also not allowed to edit any advanced page?

If yes, the "Edit page header" option has to be disabled for that page even if the permissions allow to modify the page settings for that user/group.

If no, he/she has two options to edit: He/she must change the page type to an allowed one.
In this case TYPO3 should immediately notify the user that he/she has to change the page type to save.

OR

- and this is what I would prefer - the page type select has to be modified so it recognizes that the inaccessible page type was set before and allow the user to save the page even with that page type. Also a correct warning should be issued near the select: Something like "If you change the page type you will not be able to select "Advanced" again because of insufficient permissions".

Actions #5

Updated by Andreas Beutel about 19 years ago

Bug persists in TYPO3 version 3.8.0beta1.

Actions #6

Updated by Sebastian Kurfuerst about 19 years ago

"- and this is what I would prefer - the page type select has to be modified so it recognizes that the inaccessible page type was set before and allow the user to save the page even with that page type. Also a correct warning should be issued near the select: Something like "If you change the page type you will not be able to select "Advanced" again because of insufficient permissions"."
I like that option most, too. Are there other comments on that?

Actions #7

Updated by Andreas Beutel over 15 years ago

Bug furthermore persists up to TYPO3 version 4.2.x.

Actions #8

Updated by Chris topher about 14 years ago

Thanks for providing updates on this, Andreas!

Can you provide a patch?

Updated by Riccardo De Contardi about 11 years ago

I've done this test in TYPO3 CMS 6.1.0:
I tried to edit a page of type "mount point" for wich my editors' usergroup has no right.

So, I've opened the page --> the attached CATTURA.png

I tried to save the page and the page has been saved, with some warnings: see attached CATTURA2.png

Actions #10

Updated by Mathias Schreiber over 9 years ago

  • Description updated (diff)
  • Target version changed from 0 to 7.4 (Backend)
  • Is Regression set to No
Actions #11

Updated by Susanne Moog almost 9 years ago

  • Target version changed from 7.4 (Backend) to 7.5
Actions #12

Updated by Benni Mack over 8 years ago

  • Target version changed from 7.5 to 7 LTS
Actions #13

Updated by Mathias Schreiber over 8 years ago

  • Target version deleted (7 LTS)

Without a defined expected behavior we need to move this ticket off the 7 LTS board

Actions #14

Updated by Alexander Opitz over 6 years ago

Did this behavior change?
I tried it with 8LTS but I can't open the page editing, if I do not have rights to the page type.

Actions #15

Updated by Alexander Opitz about 6 years ago

  • Status changed from Accepted to Needs Feedback
Actions #16

Updated by Riccardo De Contardi almost 6 years ago

I tried the following test with TYPO3 8.7.16

1) set up a usegroup that has no access to "external link" doktype
2) create a user and assign the usergroup
3) create a page of "external link" doktype
4) in access module, set the TYPO3 admin user as owner of the page and don't set the usergroup of the page

Results

- the pagetree does not show the page
- switching to list view, the page is still visible and the edit button is working. Clicking on it you get the error:

Sorry, you didn't have proper permissions to perform this change.

No page edit permission for user 2 on page 52 1437679336

The error is the same reported here: #75890

You get the same error if you set the usergroup of the page as the usergroup created at point 1) and give it edit privileges in Access module

Actions #17

Updated by Riccardo De Contardi almost 6 years ago

  • Related to Bug #75890: editor with only read access to page - some interface improvements added
Actions #18

Updated by Susanne Moog over 5 years ago

  • Sprint Focus set to On Location Sprint
Actions #19

Updated by Nicolai Schirawski over 5 years ago

Situation in TYPO3 9.5.1-dev is ok:

- created a usergroup "editor-group" without access to page-type 3 (Link to external Url)
- created a user "editor-user" based upon "editor-group"
- created a page of page-type 3
- in access-modul assigned the group of this page to "editor-group"
- switch to editor-user

Result:
- the page shows up in the page-tree
- trying to edit results in notice-message:
"Sorry, you didn't have proper permissions to perform this change.
No page edit permission for user 2 on page 5 1437679336"

this behaviour is ok.

Suggested improvements:
Remove edit buttons in this case, so that the user never encounters the notice-message

Actions #20

Updated by Nicolai Schirawski over 5 years ago

Same behaviour for 8.7.20-dev

Actions #21

Updated by Anja Leichsenring over 5 years ago

  • Status changed from Needs Feedback to Resolved
Actions #22

Updated by Benni Mack about 5 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF