Bug #23598 (closed)
Epic #90674: Backend UI not reflecting permissions
AJAX-menu for content-elements only checks page-record-permissions, not content-element-permissions
Description
- Create a user that has the right "listing" for a content-element type, but not "modify" (the element can for example be a "tx_templavoila_tmplobj", TO)
- Change to that user
- Browse to a page containing such an element using the list view
- Click on the element icon to bring up the AJAX popup
- The popup shows "modify" as well, but clicking on it results in an empty page since modify is not allowed
- "Modify" should not appear in the menu in the first place
Background:
typo3/alt_clickmenu.php in printDBClickMenu($table,$uid) receives the table name and therefore would theoretically be able to see whether that element can be modified or not. But it only checks for page permissions:
    $lCP = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages', ($table == 'pages' ? $this->rec['uid'] : $this->rec['pid'])));
    [...]
    // Edit:
    if (!$root && ($BE_USER->isPSet($lCP, $table, 'edit') || $BE_USER->isPSet($lCP, $table, 'editcontent'))) {
        if (!in_array('edit', $this->disabledItems)) $menuItems['edit'] = $this->DB_edit($table, $uid);
        $this->editOK = 1;
    }
How to solve:
See typo3/alt_doc.php for how to check record permissions. Excerpt from makeEditForm():
    $calcPRec = t3lib_BEfunc::getRecord($table, $theUid);
    [... some other conditions ...]
    // check page first
    $CALC_PERMS = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages', $calcPRec['pid']));
    // then check record permissions
    $hasAccess = $BE_USER->recordEditAccessInternals($table, $calcPRec);
(issue imported from #M15793)
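An added example (not TYPO3 core code) that puts the two checks side by side: StubBackendUser is a hypothetical stand-in for the backend-user object whose method names mirror those quoted above but whose bodies are simplified models of TYPO3's page-permission bits and table-level rights; it assumes PHP 8.

```php
<?php
// Added example, not TYPO3 core code. StubBackendUser is a hypothetical stand-in for
// the backend-user object; method names mirror those quoted above, bodies are simplified.
const PAGE_EDIT = 2;          // page permission bit: edit the page record
const PAGE_EDITCONTENT = 16;  // page permission bit: edit content on the page
final class StubBackendUser
{
    public function __construct(
        private array $tablesModify, // tables the user holds the "modify" right on
        private int $pagePerms,      // compiled page permission mask (same for every page here)
    ) {}

    // Stand-in for calcPerms(): page-level permission mask for $pageRecord.
    public function calcPerms(array $pageRecord): int
    {
        return $this->pagePerms;
    }
    // Stand-in for isPSet(): 'edit' on a non-page table means "edit content" on the page.
    public function isPSet(int $perms, string $table, string $action): bool
    {
        $bit = ($table === 'pages' && $action === 'edit') ? PAGE_EDIT : PAGE_EDITCONTENT;
        return ($perms & $bit) !== 0;
    }
    // Stand-in for recordEditAccessInternals(): the table-level "modify" right.
    public function recordEditAccessInternals(string $table, array $record): bool
    {
        return in_array($table, $this->tablesModify, true);
    }
}

// The alt_clickmenu.php check quoted above: page permissions only.
function offerEditItemOld(StubBackendUser $user, string $table, array $record): bool
{
    $lCP = $user->calcPerms(['uid' => $record['pid']]);
    return $user->isPSet($lCP, $table, 'edit') || $user->isPSet($lCP, $table, 'editcontent');
}

// The alt_doc.php order: page permissions first, then record/table permissions.
function offerEditItemFixed(StubBackendUser $user, string $table, array $record): bool
{
    return offerEditItemOld($user, $table, $record)
        && $user->recordEditAccessInternals($table, $record);
}
// Constructed scenario from the thread: "editor" may list sys_note but holds no
// "modify" right on it, while having all page permission bits on the page.
$editor = new StubBackendUser(['pages', 'tt_content'], 31);
$note = ['uid' => 7, 'pid' => 3]; // constructed sys_note record
printf("page-only check offers edit: %s\n", var_export(offerEditItemOld($editor, 'sys_note', $note), true));
printf("page+table check offers edit: %s\n", var_export(offerEditItemFixed($editor, 'sys_note', $note), true));
```

The page-only check offers the "edit" item for the note, which is exactly the state the report describes; adding the table-level check after the page check suppresses it, so the menu matches what DataHandler will later allow.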
Updated by Alexander Opitz about 11 years ago
- Status changed from New to Needs Feedback
- Target version deleted (0)
- Is Regression set to No
Hi,
As this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (4.5 or 6.1)?
IMHO this is a bug for 4.5 but was fixed for 6.1.
Updated by Alexander Opitz over 10 years ago
- Status changed from Needs Feedback to Closed
No feedback within the last 90 days => closing this ticket.
If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
Updated by Stefan Neufeind over 10 years ago
- Status changed from Closed to Accepted
- TYPO3 Version changed from 4.4 to 4.5
Still an issue in 6.2-rc1.
Updated by Riccardo De Contardi over 9 years ago
- TYPO3 Version changed from 4.5 to 6.2
Still an issue in 6.2.12
Updated by Riccardo De Contardi about 8 years ago
The problem seems still present on 7.6.12; moreover, the "new" menu item and the "+" (New Record) button also work and lead to a blank page.
Updated by Riccardo De Contardi over 6 years ago
I performed a test with 9.4-dev (latest master) under the following conditions:
1) Create a usergroup "editors", give full ACL except for the "internal notes" table; here give just "listing" but not "modify"
2) Create a user "editor", give it the "editors" group
3) Create a page, owner: editor (full control)
4) Add an "internal notes" record to the page
5) Switch to the "editor" user
Results (see attached screenshot):
1) The internal note record is visible
2) The Ajax context menu does not contain "edit" or "new" as far as I can see
3) But...
- The button "add new record" (1) is still functional and leads to an empty page with an infinite loading circle
- The button "edit record" (2) is still functional and leads to an empty page with an infinite loading circle
- The button "delete record" (3) is still functional but leads to the error message "1: Attempt to modify table 'sys_note' without permission" (as a dismissible alert message)
- You can still copy and paste the record (4), but if you paste it, you get the error message "1: Attempt to modify table 'sys_note' without permission" (in this case at the top of the page)
Updated by Riccardo De Contardi over 6 years ago
- Related to Bug #83008: Edit Icon shown in list view despite user not having write permission for table added
Updated by Riccardo De Contardi over 6 years ago
The errors reported were also described in #83008.
Updated by Gerrit Code Review over 4 years ago
- Status changed from Accepted to Under Review
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63696
Updated by Gerrit Code Review over 4 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63696
Updated by Gerrit Code Review over 4 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63696
Updated by Gerrit Code Review over 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63750
Updated by Gerrit Code Review over 4 years ago
Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63750
Updated by Christian Eßl over 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 72bcf63cf11e1e9490980e11eaae8bc58aeb636a.