TYPO3 Core

also in 4.2.2

Would be nice to fix - or don't offer to recover deleted content to editors...

I have a fix but don't know if it has any other effects...:

in class.t3lib_userauthgroup.php function recordEditAccessInternals(), add a "false" as fifth parameter to the getRecord function call - to prevent hiding the deleted records.
Only admins do not use this check... so all other editors have the same problem.

I don't know if this releases other problems... so please help testing...

[code]
function recordEditAccessInternals($table,$idOrRow,$newRecord=FALSE) {
global $TCA;

if (isset($TCA[$table]))        {
                        t3lib_div::loadTCA($table);

// Always return true for Admin users.
                        if ($this->isAdmin())   return TRUE;

// Fetching the record if the $idOrRow variable was not an array on input:
                        if (!is_array($idOrRow))        {
//                              $idOrRow = t3lib_BEfunc::getRecord($table, $idOrRow);
                                $idOrRow = t3lib_BEfunc::getRecord($table, $idOrRow, '*', '', false);
                                if (!is_array($idOrRow))        {
                                        $this->errorMsg = 'ERROR: Record could not be fetched.';
                                        return FALSE;
                                }
                        }
[/code]

/Christian

I have more infos:

in class.t3lib_tcemain.php where the function "recordEditAccessInternals" is called - there seems to be some small "unclarity" ...

line 3966 (in 4.2.2):

function undeleteRecord($table,$uid)    {
                $this->deleteRecord($table,$uid,TRUE,FALSE,TRUE);
        }

ok, and the following:

/**
 * Deleting/Undeleting a record
 * This function may not be used to delete pages-records unless the underlying records are already deleted
 * Deletes a record regardless of versioning state (live or offline, doesn't matter, the uid decides)
 * If both $noRecordCheck and $forceHardDelete are set it could even delete a "deleted"-flagged record!
 *
 * @param       string          Table name
 * @param       integer         Record UID
 * @param       boolean         Flag: If $noRecordCheck is set, then the function does not check permission to delete record
 * @param       boolean         If TRUE, the "deleted" flag is ignored if applicable for record and the record is deleted COMPLETELY!
 * @param       boolean         If TRUE, the "deleted" flag is set to 0 again and thus, the item is undeleted.
 * @return      void
         */
        function deleteRecord($table,$uid, $noRecordCheck=FALSE, $forceHardDelete=FALSE,$undeleteRecord=FALSE)  {
                global $TCA;

// Checking if there is anything else disallowing deleting the record by checking if editing is allowed
                $mayEditAccess = $this->BE_USER->recordEditAccessInternals($table,$uid);
...

so for undelete, the Flag "noRecordCheck" is set (true) but ignored for the first check "$mayEditAccess=...".
Best solution in my eyes: new parameter for "recordEditAccessInternals" if deleted records should be included in check or not.
Otherwise: in my 2nd comment (24922) the solution always checks also for deleted records - or if we ignore the check because of "$noRecordCheck" then everyone can undelete elements even if he's not allowed to edit the record.

I'd like to see some feedback because I don't know about the typo3 internal ways...

Would be fine to fix this - maybe today?

/Christian

btw:

the 2 lines in class.t3lib_tcemain.php (function deleteRecord) do not appear in 4.0.9 - so, they were introduced in 4.1.x somewehre:

// Checking if there is anything disallowing edit
                $mayEditAccess = $this->BE_USER->recordEditAccessInternals($table,$uid);

Therefore the error may appear only in Typo3 4.1.x and 4.2.x -nobody out there who can give a comment what would be best?

/Christian

Also appears in 4.2.3

further information: bug was introduced with the bugfixing of bug #15114 (http://bugs.typo3.org/view.php?id=1678).

/Ch

I made a patch, could others please test. Thanx

The bug also appears in 4.2.6.

Thanks for the patch Christian!
Patching didn't work for me, so I've included your suggestions manually.

The updated files
class.t3lib_tcemain.php
class.t3lib_userauthgroup.php
are enclosed in the zip file
t3lib_CHANGED_FILES.zip

Greetz uwe

More infos...
this bug was introduced apparently in v 4.1.4 (dec. 2007) and since then normal editors cannot undelete records (I wonder why so few people noticed this)...
It seems that also in 4.3.0alpha3 this bug still exist.

News:
Also with the new extension "recycler" it's not possible for a normal editor (without admin-rights) to undelete deleted content elements.
This is in the protocol:
"Attempt to delete record without delete-permissions. [ERROR: Record could not be fetched.]"

It would be really nice to get this fix into Typo3 4.3 before released

attached 3 new patches for trunk, 4-2 and 4-1

FYI committed to:
trunk rev 5960
TYPO3_4-2 rev 5961
TYPO3_4-1 rev 5962