Project

General

Profile

Actions

Bug #23241

closed

Frontend Editing edit panels are shown for content element types that cannot be edited

Added by Jeff Segars over 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2010-07-21
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In frontend editing (both feedit and feeditadvanced), the only check on content editing permissions is whether tt_content can be edited on the current page or not. This means that a particular content element type may be restricted in the user or group record, but still show editing icons in frontend editing. When the record is clicked to edit, an error message is generated.

Calling $GLOBALS['BE_USER']->recordEditAccessInternals() will tell us if the specific record is truly editable.

(issue imported from #M15189)


Files

15189.diff (2.43 KB) 15189.diff Administrator Admin, 2010-07-21 16:07
15189_v2.diff (3.95 KB) 15189_v2.diff Administrator Admin, 2010-11-17 22:15

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #17203: Access Check for Content Elements before drawing the InterfaceClosed2007-04-12

Actions
Related to TYPO3 Core - Bug #22728: Icon "Create new record in top of column" displayed even with no rightsClosed2010-05-27

Actions
Actions #1

Updated by Chris topher over 14 years ago

Hi Jeff,

if you already made a patch, that's great!
If not, have a look at #0005412, where Steffen made one. Maybe you can then continue with something like that. ;-)

However, this has not yet been posted to Core List...

Actions #2

Updated by Sven Juergens over 14 years ago

hi,
sorry but i found a problem with this patch, now. I testet only with feedit not with feedit_advanced.
If you use the Editpanel only for creating new records, there is a problem with recordEditAccessInternals() in class.t3lib_userauthgroup.php

For example use this setup:
temp.newcontent = EDITPANEL
temp.newcontent {
allow = new
newRecordFromTable = tt_content
}

page = PAGE
page.10 = TEXT
page.10.value = Hello World
page.20 < temp.newcontent

Only as Administrator you can see the editpanel.

Problem Description:
in t3lib_frontendedit the patch introduce this check:
$GLOBALS['BE_USER']->recordEditAccessInternals($table, $dataArray))

table = table to edit
$dataArray = if you want create a new Record, this is the current PageRecord

in recordEditAccessInternals() in t3lib_userauthgroup is one check that produce the error
($idOrRow is the $dataArray, which is a PageRecord)
---
if ($TCA[$table]['ctrl']['languageField']) {
if (isset($idOrRow[$TCA[$table]['ctrl']['languageField']])) {
...
---
$TCA[$table]['ctrl']['languageField'] = is in this example with tt_content 'sys_language_uid'
but in the next line we check the given PageRecord for sys_language_uid as languageField, but a page has no sys_language_uid and so always return a FALSE

Actions #3

Updated by Jeff Segars about 14 years ago

Sven,
Thanks for the testing! You're right about the issue too. The attached v2 works around this problem by only calling recordEditAccessInternals() when we're editing an existing record.

If you're able to vote on this on the core list, that would be great.

Thanks!
Jeff

Actions #4

Updated by Sven Juergens about 14 years ago

Hi Jeff,

thanks for your continuous work on this patch. Give a +1 in core list, would be nice to see this in core :)

Actions #5

Updated by Jeff Segars about 14 years ago

Committed v2 to trunk in r9476

Actions #6

Updated by Susanne Moog over 13 years ago

  • Target version deleted (4.5.0)
Actions

Also available in: Atom PDF