Bug #23598 (Status: closed, 100% done)
Epic #90674: Backend UI not reflecting permissions
AJAX menu for content elements only checks page-record permissions, not content-element permissions
Description
- Create a user that has the "listing" right for a content-element type but not the "modify" right (the element can for example be a "tx_templavoila_tmplobj", TO)
- Switch to that user
- Browse to a page containing such an element using the list view
- Click on the element icon to bring up the AJAX popup
- The popup shows "Modify" as well, but clicking on it results in an empty page, since modifying is not allowed
- "Modify" should not appear in the menu in the first place
Background:
typo3/alt_clickmenu.php in printDBClickMenu($table,$uid) receives the table name and therefore would theoretically be able to see whether that element can be modified or not. But it only checks the page permissions:
$lCP = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',($table=='pages'?$this->rec['uid']:$this->rec['pid'])));
[...]
// Edit:
if(!$root && ($BE_USER->isPSet($lCP,$table,'edit')||$BE_USER->isPSet($lCP,$table,'editcontent'))) {
    // only the page-level permission is consulted here; the record/table-level right is never checked
    if (!in_array('edit',$this->disabledItems)) $menuItems['edit']=$this->DB_edit($table,$uid);
    $this->editOK=1;
}
How to solve:
See typo3/alt_doc.php for how to check record permissions. Excerpt from makeEditForm():
$calcPRec = t3lib_BEfunc::getRecord($table,$theUid);
[... some other conditions ...]
// check page first
$CALC_PERMS = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',$calcPRec['pid']));
// then check record permissions
$hasAccess = $BE_USER->recordEditAccessInternals($table, $calcPRec);
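The following is an added, self-contained PHP model of the two-layer decision the report asks for; it is constructed for this page and is not TYPO3 core code. The class BackendUserModel, the clickMenuItems() function and the sample user are assumptions standing in for $BE_USER->calcPerms(), isPSet() and recordEditAccessInternals(); the page-permission bits (show=1, edit page=2, edit content=16) and the tables_select/tables_modify group fields follow TYPO3's conventions. It shows why checking the page alone lets "edit" leak into the menu and how requiring both layers closes that gap.

```php
<?php
// Constructed example, not TYPO3 code: a minimal model of page-level vs.
// record/table-level edit rights, as used by alt_clickmenu.php and alt_doc.php.

// TYPO3-style page permission bits (assumed here; matches core conventions)
const PERM_SHOW         = 1;
const PERM_EDIT_PAGE    = 2;
const PERM_EDIT_CONTENT = 16;

final class BackendUserModel
{
    public function __construct(
        private array $tablesSelect, // tables the user may list  (tables_select)
        private array $tablesModify, // tables the user may change (tables_modify)
        private int $pagePerms,      // permission bits the user holds on the page in question
        private bool $admin = false
    ) {}

    // Layer 1: page-level permission. This is all alt_clickmenu.php consults
    // (the equivalent of isPSet($lCP, $table, 'edit') / 'editcontent').
    public function pageAllowsEdit(string $table): bool
    {
        if ($this->admin) {
            return true;
        }
        $needed = ($table === 'pages') ? PERM_EDIT_PAGE : PERM_EDIT_CONTENT;
        return ($this->pagePerms & $needed) === $needed;
    }

    // Layer 2: record/table-level permission, which alt_doc.php checks in
    // addition (the equivalent of recordEditAccessInternals()).
    public function recordAllowsEdit(string $table): bool
    {
        return $this->admin || in_array($table, $this->tablesModify, true);
    }

    public function canList(string $table): bool
    {
        return $this->admin || in_array($table, $this->tablesSelect, true);
    }
}

/**
 * Decide which click-menu entries to offer for a record of $table.
 * "edit" is offered only when BOTH the page and the record/table permit it,
 * so the menu never advertises an action the edit form will refuse.
 */
function clickMenuItems(BackendUserModel $user, string $table): array
{
    $items = [];
    if ($user->canList($table)) {
        $items[] = 'info';
    }
    if ($user->pageAllowsEdit($table) && $user->recordAllowsEdit($table)) {
        $items[] = 'edit';
    }
    return $items;
}

// Constructed scenario from the report: the user may list
// tx_templavoila_tmplobj but not modify it, and holds edit-content
// rights on the page. Page-only checking would offer "edit" for both tables;
// the two-layer check offers it only for tt_content.
$user = new BackendUserModel(
    tablesSelect: ['tx_templavoila_tmplobj', 'tt_content'],
    tablesModify: ['tt_content'],
    pagePerms: PERM_SHOW | PERM_EDIT_CONTENT
);

foreach (['tt_content', 'tx_templavoila_tmplobj'] as $table) {
    printf("%-24s page:%d record:%d menu:%s\n",
        $table,
        (int) $user->pageAllowsEdit($table),
        (int) $user->recordAllowsEdit($table),
        implode(',', clickMenuItems($user, $table))
    );
}
```

The point of the model is the ordering used by alt_doc.php: the cheap page check first, then the record-level check on the concrete record, and "edit" is shown only when both pass. Hiding the entry is a usability fix; the authoritative refusal still has to stay in the edit form, which is why alt_doc.php performs the same two checks on its own.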
(issue imported from #M15793)