Bug #23598

AJAX-menu for content-elements only checks page-record-permissions not content-element-permissions

Added by Stefan Neufeind over 8 years ago. Updated 8 months ago.

Status:
Accepted
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2010-09-24
Due date:
% Done:

0%

TYPO3 Version:
6.2
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

How to reproduce:
  • Create a user that has the right "listing" for a content-element-type, but no right "modify"
    (element can for example be a "tx_templavoila_tmplobj", TO)
  • Change to that user
  • Browse to a page containing such an element using list-view
  • Click on the element-icon to bring up the AJAX-popup
Result:
  • Popup shows "modify" as well, but clicking on that results in an empty page since modify is not allowed
Expected:
  • "Modify" should not appear in the menu in the first place

Background:
typo3/alt_clickmenu.php in printDBClickMenu($table,$uid) receives the table-name and therefore would theoretically be able to see if that element can be modified or not. But it only checks for page-permissions:

$lCP = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',($table=='pages'?$this->rec['uid']:$this->rec['pid'])));
[...]
// Edit:
if(!$root && ($BE_USER->isPSet($lCP,$table,'edit')||$BE_USER->isPSet($lCP,$table,'editcontent'))) {
    if (!in_array('edit',$this->disabledItems)) $menuItems['edit']=$this->DB_edit($table,$uid);
    $this->editOK=1;
}

How to solve:
see typo3/alt_doc.php for how to check record-permissions. Excerpt from makeEditForm():
$calcPRec = t3lib_BEfunc::getRecord($table,$theUid);
[... some other conditions ...]
// check page first
$CALC_PERMS = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',$calcPRec['pid']));
// then check record permissions
$hasAccess = $BE_USER->recordEditAccessInternals($table, $calcPRec);
(issue imported from #M15793)

Schermata 2018-07-22 alle 12.12.05.png (35.8 KB) Riccardo De Contardi, 2018-07-22 12:18
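The check the report asks for, written out as an added example: this is not TYPO3 core code and not part of the original report. It combines the page-permission test that alt_clickmenu.php already performs with the table-level "modify" ACL (the right the listing-only user in the report lacks) and the record-level test that alt_doc.php uses. It relies only on the 4.x backend API quoted in the issue (t3lib_BEfunc::getRecord(), calcPerms(), isPSet(), recordEditAccessInternals()) plus $BE_USER->check('tables_modify', ...); the helper names clickMenuMayEdit() and clickMenuMayAddNew() are hypothetical, and the $root parameter stands for the $root flag in the excerpt above. The second helper covers the "new" item that comment #5 reports as equally affected.

```php
<?php
// Added example, not TYPO3 core code. Hypothetical helpers the click menu
// (and the list-view buttons) could call before rendering the "edit" and
// "new" items. Assumed API: TYPO3 4.x backend, as quoted in the report.

/**
 * Returns TRUE only if the backend user may edit the record $table:$uid.
 *
 * @param t3lib_beUserAuth $beUser  the backend user ($GLOBALS['BE_USER'])
 * @param string           $table   table name, e.g. 'tx_templavoila_tmplobj'
 * @param integer          $uid     record uid
 * @param boolean          $root    the $root flag of alt_clickmenu.php (assumption)
 * @return boolean
 */
function clickMenuMayEdit($beUser, $table, $uid, $root = FALSE) {
    if ($root) {
        return FALSE;                // same early exit as the "// Edit:" block
    }
    $rec = t3lib_BEfunc::getRecord($table, $uid);
    if (!is_array($rec)) {
        return FALSE;                // no (visible) record: nothing to edit
    }

    // 1) Page permissions: the only check alt_clickmenu.php performs today.
    $pid = ($table === 'pages') ? $rec['uid'] : $rec['pid'];
    $pageRec = t3lib_BEfunc::getRecord('pages', $pid);
    if (!is_array($pageRec)) {
        return FALSE;
    }
    $lCP = $beUser->calcPerms($pageRec);
    if (!$beUser->isPSet($lCP, $table, 'edit') && !$beUser->isPSet($lCP, $table, 'editcontent')) {
        return FALSE;
    }

    // 2) Table-level ACL. A user who only has "listing" (tables_select) for
    //    $table fails here; without this check tcemain would later reject the
    //    save with "Attempt to modify table '...' without permission".
    if (!$beUser->check('tables_modify', $table)) {
        return FALSE;
    }

    // 3) Record-level checks (editlock, language, workspace, authMode):
    //    the same call alt_doc.php makes before it renders the form.
    return (bool) $beUser->recordEditAccessInternals($table, $rec);
}

/**
 * Returns TRUE only if the backend user may create a new $table record on page $pid.
 */
function clickMenuMayAddNew($beUser, $table, $pid) {
    $pageRec = t3lib_BEfunc::getRecord('pages', intval($pid));
    if (!is_array($pageRec)) {
        return FALSE;
    }
    $lCP = $beUser->calcPerms($pageRec);
    // isPSet() maps 'new' to the "new page" bits for the pages table and to
    // the "edit content" bit for every other table.
    if (!$beUser->isPSet($lCP, $table, 'new')) {
        return FALSE;
    }
    // No record exists yet, so the table-level ACL is the last gate.
    return (bool) $beUser->check('tables_modify', $table);
}

// How the click menu would use the first helper in place of the quoted block:
//   if (clickMenuMayEdit($GLOBALS['BE_USER'], $table, $uid, $root)) {
//       if (!in_array('edit', $this->disabledItems)) $menuItems['edit'] = $this->DB_edit($table, $uid);
//       $this->editOK = 1;
//   }
```

The order matters for cost, not for correctness: the page-permission test is cheap and already cached, the table ACL is a lookup in the compiled group data, and recordEditAccessInternals() is the only step that inspects the record itself. Hiding the item is a usability fix; the authoritative rejection stays in tcemain, which is why the report's user sees an error or an empty page rather than a successful edit.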


Related issues

Related to TYPO3 Core - Bug #83008: Edit Icon shown in list view despite user not having write permission for table Accepted 2017-11-15

History

#1 Updated by Alexander Opitz over 5 years ago

  • Status changed from New to Needs Feedback
  • Target version deleted (0)
  • Is Regression set to No

Hi,

As this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (4.5 or 6.1)?
IMHO this is a bug for 4.5 but was fixed for 6.1.

#2 Updated by Alexander Opitz about 5 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this ticket.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.

#3 Updated by Stefan Neufeind about 5 years ago

  • Status changed from Closed to Accepted
  • TYPO3 Version changed from 4.4 to 4.5

Still an issue in 6.2-rc1.

#4 Updated by Riccardo De Contardi almost 4 years ago

  • TYPO3 Version changed from 4.5 to 6.2

Still an issue in 6.2.12

#5 Updated by Riccardo De Contardi over 2 years ago

The problem still seems to be present on 7.6.12. Moreover, the "new" menu item and the "+" (New Record) button also work, and lead to a blank page.

#6 Updated by Riccardo De Contardi 8 months ago

I performed a test with 9.4-dev (latest master) under the following conditions:

1) Create a usergroup "editors", give full ACL except for the "internal notes" table, here give just "listing" but not "modify"
2) Create a user "editor", give "editors" group
3) Create a page, owner: editor (full control)
4) Add to the page a "internal notes" record
5) switch to "editor" user

Results: (See attached screenshot):

1) The internal note record is visible
2) The Ajax context menu does not contain "edit" or "new" as far as I can see
3) But...

- The button "add new record" (1) is still functional and leads to an empty page with infinite loading circle
- The button "edit record" (2) is still functional and leads to an empty page with infinite loading circle
- The button "delete record" (3) is still functional but leads to the error message "1: Attempt to modify table 'sys_note' without permission" (as an alert dismissable message)
- You can still copy and paste the record (4), but if you paste it, you get the error message "1: Attempt to modify table 'sys_note' without permission" (in this case on the top of the page)

#7 Updated by Riccardo De Contardi 8 months ago

  • Related to Bug #83008: Edit Icon shown in list view despite user not having write permission for table added

#8 Updated by Riccardo De Contardi 8 months ago

The errors reported were also described in #83008
