Bug #15114
closed
limited to languages; still can delete content element
0%
Description
If I limit a be_user to a certain language, the user doees not have the possibility to edit, unhide etc. content from unallowed languages. BUT he can still delete the whole content element, even ones wich are in unallowed languages.
(issue imported from #M1678)
Files
Updated by Christian Welzel over 18 years ago
There is also a problem with creation of new content elements.
i have 5 languages on my page and for every language a be-user account for the translator. every translator is restricted to the default language and his own.
But when the user selects "page"->the page->"languages"->default language, he can see all languages and even has the buttons to copy std-content from default language to an language he has no rights for. if he does this, the new content element is not inserted to this (wrong) language, but into the default-language.
this is clearly a bug.
by the way: an backend user should not be able to see the languages, he has no rights for !
Updated by Sebastian Kurfuerst over 18 years ago
Hi,
it would be great if you could supply a T3X file to test this problem. This would make solving it a lot easier. Thanks :-) Sebastian
Updated by Christian Welzel over 18 years ago
I send my .t3d file to Sebastian per private Mail.
Updated by Sebastian Kurfuerst over 18 years ago
Hi,
I dug a bit deeper into the problem.
The main issue is that TCEmain doesn't check if the user has rights for this language when creating new content elements (process_datamap). There, the check for $BE_USER->recordEditAccessInternals(...) or $BE_USER->checkLanguageAccess is missing in the section where new CEs are created.
The other issue (deletes and moves are possible) lies in process_cmdmap. There, no permission checking for limited languages is done whatsoever.
I am not sure how to fully fix these issues in a consistent and clean manner, but I will have a look into it.
Greets, Sebastian
Updated by Andreas Gaufer over 17 years ago
I guess no one is realy working on this right? I'll try to start working on this if noone replys the next few days.
Updated by Andreas Gaufer over 17 years ago
Here are two patches that try to solve this bug
They are tested with 4.0.1 and make the dissallowed edit and delete
produce a exeption as suspected. No extra side effect tests where done.
It may be even nicer to use extra conditional blocks to produce a more
percise error message. But this would add another ident which is bad
IMO.
Updated by Dmitry Pikhno about 17 years ago
still see this problem in typo3 4.1beta3
Updated by Christian Welzel almost 17 years ago
This bug should be set to related to #16572.
Updated by Helmut Hummel almost 17 years ago
Added a single patchfile to use for TYPO3 4.1.1
It contains the changes suggested by Andreas Gaufer
Updated by Basti Baumann almost 17 years ago
Hi,
with the last patch from Helmut editing, deleting and moving is not allowed, but a user can still create new entries in the default language.
Updated by Christian Zehaczek over 16 years ago
Confirmed. The bug still occurs in 4.1.3 and as well 4.2.0alpha1.
An unprivilueged user still can:
- cut & paste
- move around
- delete
- resort (depends on record setup)
Updated by Helmut Hummel over 16 years ago
Hi,
it's not true that adding new entries to the default language is possible (even without applied patch). But adding an entry to "all languages" works and these entries are placed in the default language column.
But it's really strange, that after moving a record which is "all languages" (sys_language_uid=-1), the language field is connverted to default language (sys_language_uid=0) :-/
What is this "all languages" all about anyway?
If you do not want your editors to add something to this "language" you can simply disable the item with user/group TS:
page.TCEFORM.tt_content.sys_language_uid.removeItems = -1,0
Hope this workaround helps others and someone finds the time to have a deeper look at this very important issue...
Updated by Helmut Hummel over 16 years ago
After reading the function checkLanguageAccess in class.t3lib_userauthgroup.php I come to the conclusion, that beeing able to add content elements to sys_language_uid=-1 is intentional, so setting page.TCEFORM. isn't a workaround but a straightforward solution.
Does anyone knows what sys_language_uid=-1 was(or is) used for?
Updated by Christian Zehaczek over 16 years ago
Hi Helmut,
as it says, you are able to add content that is shown up on ALL translations using "-1".
Just tried your latest patch on the 4.1.3, works great and solves all my mentioned issues above. Thank you.
Updated by Benni Mack over 16 years ago
so if the patch works, Helmut, do you want to send it to the core list?
Updated by Helmut Hummel over 16 years ago
I added two new patchfiles (simply cleanup and output specific error messages):
bug_1678_V2_4_1.diff:
for 4_1 branch, since there were significant done changes done in trunk for moving records.
bug_1678_V2_trunk.diff:
patch against current trunk
Updated by Helmut Hummel over 16 years ago
bug_6682_trunk_v2.diff has nothing to do with this bug and was uploaded by accident :-/ It should be deleted by an admin
Updated by Basti Baumann over 16 years ago
Is it possible to publish the whole and edited class.t3lib_tcemain.php? It would be easier for me (cause copy&paste won´t work for me).
Updated by Benni Mack over 16 years ago
Hey Basti, send me both files (before and after), I can create the patch for you this one time: mack (ad) xnos (dat) org