Bug #23241

Frontend Editing edit panels are shown for content element types that cannot be edited

Added by Jeff Segars about 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2010-07-21
Due date:
% Done:

0%

TYPO3 Version:
4.5
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In frontend editing (both feedit and feeditadvanced), the only check on content editing permissions is whether tt_content can be edited on the current page or not. This means that a particular content element type may be restricted in the user or group record, but still show editing icons in frontend editing. When the record is clicked to edit, an error message is generated.

Calling $GLOBALS['BE_USER']->recordEditAccessInternals() will tell us if the specific record is truly editable.

(issue imported from #M15189)

15189.diff View (2.43 KB) Administrator Admin, 2010-07-21 16:07

15189_v2.diff View (3.95 KB) Administrator Admin, 2010-11-17 22:15


Related issues

Related to TYPO3 Core - Bug #17203: Access Check for Content Elements before drawing the Interface Closed 2007-04-12
Related to TYPO3 Core - Bug #22728: Icon "Create new record in top of column" displayed even with no rights Closed 2010-05-27

History

#1 Updated by Chris topher about 9 years ago

Hi Jeff,

if you already made a patch, that's great!
If not, have a look at #0005412, where Steffen made one. Maybe you can then continue with something like that. ;-)

However, this has not yet been posted to Core List...

#2 Updated by Sven Juergens about 9 years ago

hi,
sorry but i found a problem with this patch, now. I testet only with feedit not with feedit_advanced.
If you use the Editpanel only for creating new records, there is a problem with recordEditAccessInternals() in class.t3lib_userauthgroup.php

For example use this setup:
temp.newcontent = EDITPANEL
temp.newcontent {
allow = new
newRecordFromTable = tt_content
}

page = PAGE
page.10 = TEXT
page.10.value = Hello World
page.20 < temp.newcontent

Only as Administrator you can see the editpanel.

Problem Description:
in t3lib_frontendedit the patch introduce this check:
$GLOBALS['BE_USER']->recordEditAccessInternals($table, $dataArray))

table = table to edit
$dataArray = if you want create a new Record, this is the current PageRecord

in recordEditAccessInternals() in t3lib_userauthgroup is one check that produce the error
($idOrRow is the $dataArray, which is a PageRecord)
---
if ($TCA[$table]['ctrl']['languageField']) {
if (isset($idOrRow[$TCA[$table]['ctrl']['languageField']])) {
...
---
$TCA[$table]['ctrl']['languageField'] = is in this example with tt_content 'sys_language_uid'
but in the next line we check the given PageRecord for sys_language_uid as languageField, but a page has no sys_language_uid and so always return a FALSE

#3 Updated by Jeff Segars almost 9 years ago

Sven,
Thanks for the testing! You're right about the issue too. The attached v2 works around this problem by only calling recordEditAccessInternals() when we're editing an existing record.

If you're able to vote on this on the core list, that would be great.

Thanks!
Jeff

#4 Updated by Sven Juergens almost 9 years ago

Hi Jeff,

thanks for your continuous work on this patch. Give a +1 in core list, would be nice to see this in core :)

#5 Updated by Jeff Segars almost 9 years ago

Committed v2 to trunk in r9476

#6 Updated by Susanne Moog over 8 years ago

  • Target version deleted (4.5.0)

Also available in: Atom PDF