Bug #14238
closed
User cannot save existing page if page-type is not allowed by backend-group config
Description
A user may open and edit an existing page (-header) but may not be able to save the page if he has no access to the current page type. For example if you edit the page-header of an »Advanced« page you may not be able to save the changes without changing the page type to an allowed one, if the group of the users has no access to »Advanced« pages.
(issue imported from #M215)
Updated by Andreas Beutel about 20 years ago
Bug persists in TYPO3 version 3.7.0RC1.
Updated by Ingmar Schlecht about 20 years ago
...which means it will not be fixed for 3.7 final because a change to something as security relevant as this needs more testing than just a few days.
Updated by Sebastian Kurfuerst over 19 years ago
Are there any proposals how to deal with that? Maybe there needs to be a possibility to select "Don't change" instead of an allowed pagetype?
Updated by Andreas Beutel over 19 years ago
There are some usability issues related to this:
If a user is not allowed to set the page type to "Advanced", does this imply he/she is also not allowed to edit any advanced page?
If yes, the "Edit page header" option has to be disabled for that page even if the permissions allow to modify the page settings for that user/group.
If no, he/she has two options to edit: He/she must change the page type to an allowed one.
In this case TYPO3 should immediately notify the user that he/she has to change the page type to save.
OR
- and this is what I would prefer - the page type select has to be modified so it recognizes that the inaccessible page type was set before and allow the user to save the page even with that page type. Also a correct warning should be issued near the select: Something like "If you change the page type you will not be able to select "Advanced" again because of insufficient permissions".
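The option preferred in the comment above (the page stays savable with its stored type, and only a switch to a type the group may not select is rejected), modeled as an added example. It is not TYPO3 core code or code from anyone in this thread; the function names and the allowed list are hypothetical, and it assumes page edit permission is checked separately.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the save check discussed in this ticket.
// Not TYPO3 core code; the allowed list below is constructed sample data.

/**
 * Decide whether a page-header save may proceed.
 *
 * @param int   $storedDoktype    page type currently stored for the page
 * @param int   $submittedDoktype page type sent with the save request
 * @param int[] $allowedDoktypes  page types the user's groups may select
 * @return array{allowed: bool, warning: ?string}
 */
function checkDoktypeOnSave(int $storedDoktype, int $submittedDoktype, array $allowedDoktypes): array
{
    $storedIsAllowed = in_array($storedDoktype, $allowedDoktypes, true);

    if ($submittedDoktype === $storedDoktype) {
        // Keeping the existing type grants nothing new, so the save passes
        // even when the user could not have selected this type.
        $warning = $storedIsAllowed ? null
            : 'If you change the page type you will not be able to select it again.';
        return ['allowed' => true, 'warning' => $warning];
    }
    // A change of type is decided server-side against the group's list;
    // the options that were offered in the form are never trusted.
    if (!in_array($submittedDoktype, $allowedDoktypes, true)) {
        return ['allowed' => false, 'warning' => 'Page type not allowed for this user.'];
    }
    return ['allowed' => true, 'warning' => null];
}

/** Options for the page type select: the allowed types plus the stored one. */
function doktypeSelectOptions(int $storedDoktype, array $allowedDoktypes): array
{
    $options = array_values(array_unique(array_merge($allowedDoktypes, [$storedDoktype])));
    sort($options);
    return $options;
}

// Constructed sample: the group may select types 1 and 4; the page is stored as type 3.
$allowed = [1, 4];
var_dump(checkDoktypeOnSave(3, 3, $allowed)); // type left unchanged
var_dump(checkDoktypeOnSave(3, 1, $allowed)); // switch to a selectable type
var_dump(checkDoktypeOnSave(1, 3, $allowed)); // switch to a type outside the list
print_r(doktypeSelectOptions(3, $allowed));
```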
Updated by Andreas Beutel over 19 years ago
Bug persists in TYPO3 version 3.8.0beta1.
Updated by Sebastian Kurfuerst over 19 years ago
"- and this is what I would prefer - the page type select has to be modified so it recognizes that the inaccessible page type was set before and allow the user to save the page even with that page type. Also a correct warning should be issued near the select: Something like "If you change the page type you will not be able to select "Advanced" again because of insufficient permissions"."
I like that option most, too. Are there other comments on that?
Updated by Andreas Beutel about 16 years ago
Bug furthermore persists up to TYPO3 version 4.2.x.
Updated by Chris topher over 14 years ago
Thanks for providing updates on this, Andreas!
Can you provide a patch?
Updated by Riccardo De Contardi over 11 years ago
- File Cattura.PNG added
- File Cattura2.PNG added
I've done this test in TYPO3 CMS 6.1.0:
I tried to edit a page of type "mount point" for which my editors' usergroup has no right.
So, I've opened the page --> the attached CATTURA.png
I tried to save the page and the page has been saved, with some warnings: see attached CATTURA2.png
Updated by Mathias Schreiber almost 10 years ago
- Description updated (diff)
- Target version changed from 0 to 7.4 (Backend)
- Is Regression set to No
Updated by Susanne Moog over 9 years ago
- Target version changed from 7.4 (Backend) to 7.5
Updated by Benni Mack about 9 years ago
- Target version changed from 7.5 to 7 LTS
Updated by Mathias Schreiber about 9 years ago
- Target version deleted (7 LTS)
Without a defined expected behavior we need to move this ticket off the 7 LTS board
Updated by Alexander Opitz over 6 years ago
Did this behavior change?
I tried it with 8LTS but I can't open the page editing, if I do not have rights to the page type.
Updated by Alexander Opitz over 6 years ago
- Status changed from Accepted to Needs Feedback
Updated by Riccardo De Contardi over 6 years ago
I tried the following test with TYPO3 8.7.16
1) set up a usergroup that has no access to "external link" doktype
2) create a user and assign the usergroup
3) create a page of "external link" doktype
4) in access module, set the TYPO3 admin user as owner of the page and don't set the usergroup of the page
Results
- the pagetree does not show the page
- switching to list view, the page is still visible and the edit button is working. Clicking on it you get the error:
Sorry, you didn't have proper permissions to perform this change. No page edit permission for user 2 on page 52 1437679336
The error is the same reported here: #75890
You get the same error if you set the usergroup of the page as the usergroup created at point 1) and give it edit privileges in Access module
Updated by Riccardo De Contardi over 6 years ago
- Related to Bug #75890: editor with only read access to page - some interface improvements added
Updated by Susanne Moog about 6 years ago
- Sprint Focus set to On Location Sprint
Updated by Nicolai Schirawski about 6 years ago
Situation in TYPO3 9.5.1-dev is ok:
- created a usergroup "editor-group" without access to page-type 3 (Link to external Url)
- created a user "editor-user" based upon "editor-group"
- created a page of page-type 3
- in access module assigned the group of this page to "editor-group"
- switch to editor-user
Result:
- the page shows up in the page-tree
- trying to edit results in notice-message:
"Sorry, you didn't have proper permissions to perform this change.
No page edit permission for user 2 on page 5 1437679336"
this behaviour is ok.
Suggested improvements:
Remove edit buttons in this case, so that the user never encounters the notice-message
Updated by Anja Leichsenring about 6 years ago
- Status changed from Needs Feedback to Resolved