Bug #23598

closed

Epic #90674: Backend UI not reflecting permissions

AJAX-menu for content-elements only checks page-record-permissions not content-element-permissions

Added by Stefan Neufeind over 13 years ago. Updated about 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend API
Target version: -
Start date: 2010-09-24
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.2
PHP Version: 5.3
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

How to reproduce:
  • Create a user that has right "listing" for a content-element-type, but no type "modify"
    (element can for example be a "tx_templavoila_tmplobj", TO)
  • Change to that user
  • Browse to a page containing such an element using list-view
  • Click on the element-icon to bring up the AJAX-popup
Result:
  • Popup shows "modify" as well, but clicking on that results in an empty page since modify is not allowed
Expected:
  • "Modify" should not appear in the menu in the first place

Background:
typo3/alt_clickmenu.php in printDBClickMenu($table,$uid) receives the table-name and therefore would theoretically be able to see if that element can be modified or not. But it only checks for page-permissions:

    $lCP = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',($table=='pages'?$this->rec['uid']:$this->rec['pid'])));
    [...]
    // Edit:
    if(!$root && ($BE_USER->isPSet($lCP,$table,'edit')||$BE_USER->isPSet($lCP,$table,'editcontent'))) {
        if (!in_array('edit',$this->disabledItems)) $menuItems['edit']=$this->DB_edit($table,$uid);
        $this->editOK=1;
    }

How to solve:
See typo3/alt_doc.php for how to check record-permissions. Excerpt from makeEditForm():

    $calcPRec = t3lib_BEfunc::getRecord($table,$theUid);
    [... some other conditions ...]
    // check page first
    $CALC_PERMS = $BE_USER->calcPerms(t3lib_BEfunc::getRecord('pages',$calcPRec['pid']));
    // then check record permissions
    $hasAccess = $BE_USER->recordEditAccessInternals($table, $calcPRec);

(issue imported from #M15793)
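
The difference between the page-only check and the page-plus-record check described in this report, as an added example that is not part of the original issue or of TYPO3 core. `ModelUser`, `recordEditAccess()` and `clickMenuItems()` are hypothetical stand-ins for `$BE_USER`, `recordEditAccessInternals()` and `printDBClickMenu()`, and the user is constructed:

```php
<?php
// Added illustration, not TYPO3 core code. ModelUser and clickMenuItems() are
// hypothetical stand-ins for $BE_USER and printDBClickMenu(); only the bit value
// 16 ("edit content") mirrors TYPO3's page permission mask.
const PERM_CONTENT_EDIT = 16;

final class ModelUser
{
    /** @param string[] $tablesModify tables the user may modify */
    public function __construct(private int $pagePerms, private array $tablesModify) {}

    // Stand-in for calcPerms(): permission bits on the parent page.
    public function calcPerms(): int { return $this->pagePerms; }

    // Stand-in for the table-level part of recordEditAccessInternals().
    public function recordEditAccess(string $table): bool
    {
        return in_array($table, $this->tablesModify, true);
    }
}

function clickMenuItems(ModelUser $user, string $table, bool $checkRecord): array
{
    $items = ['view']; // hypothetical item that needs no edit rights
    $pageOk = ($user->calcPerms() & PERM_CONTENT_EDIT) === PERM_CONTENT_EDIT;
    // Reported behaviour: $pageOk alone decides. Proposed: the record check must pass too.
    if ($pageOk && (!$checkRecord || $user->recordEditAccess($table))) {
        $items[] = 'edit';
    }
    return $items;
}

// Constructed user: may edit content on the page, may modify tt_content only.
$user = new ModelUser(1 | PERM_CONTENT_EDIT, ['tt_content']);

foreach (['tx_templavoila_tmplobj', 'tt_content'] as $table) {
    printf(
        "%-24s page-only: %-10s page+record: %s\n",
        $table,
        implode(',', clickMenuItems($user, $table, false)),
        implode(',', clickMenuItems($user, $table, true))
    );
}
```

With the record check enabled, the "edit" entry is dropped for the table the user can list but not modify, so the menu matches what the edit form would later enforce.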


Files

Schermata 2018-07-22 alle 12.12.05.png (35.8 KB), Riccardo De Contardi, 2018-07-22 12:18

Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #83008: Edit Icon shown in list view despite user not having write permission for table (Closed, 2017-11-15)
