Bug #25433

Pagetree drag and drop - should be disabled when user can not edit "pages"

Added by Andreas Kiessling over 10 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Pagetree
Target version:
-
Start date:
2011-03-29
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.5
PHP Version:
Tags:
Complexity:
medium
Is Regression:
No
Sprint Focus:

Description

I have a usergroup that has page types Standard and Shortcut allowed, but only to localize pages. They may list "pages" but not edit them. -> can not create new pages -> toolbar to create pages with drag and drop should not be shown as well as the delete dropzone or even better DD should be deactivated completely.

When i try to create a new page that way (without permission), i get a JS error in IE8:
Zeile: 46
Fehler: 'TYPO3.Flashmessage' ist Null oder kein Objekt

Firefox shows me the Flashmessage: Exception
[1.2.1]: Attempt to modify table '%s' without permission

This is somehow related to #25183, because in both cases DD needs to be deactivated.


Files

Schermata 2018-01-28 alle 18.55.09.png (15.6 KB) Schermata 2018-01-28 alle 18.55.09.png Riccardo De Contardi, 2018-01-28 19:07

Related issues

Related to TYPO3 Core - Feature #25183: Pagetree - option to disable drag'n'drop completly; add also option to disable "refresh"Accepted2011-02-26

Actions
Related to TYPO3 Core - Bug #26901: Icon for new page should be hidden if no access to pagesClosedDaniel Goerz2011-05-19

Actions
Related to TYPO3 Core - Bug #25135: Pagetree - Drag and drop only works for BE-Users with delete-permissionsClosed2011-02-22

Actions
#1

Updated by Susanne Moog over 10 years ago

  • Category changed from Backend User Interface to Pagetree
#2

Updated by Felix Kopp almost 10 years ago

Current user must have the privilege to delete the to be dragged page

#3

Updated by Andreas Kiessling almost 10 years ago

Felix Kopp wrote:

Current user must have the privilege to delete the to be dragged page

Maybe i can restructure the backend groups, but this makes the whole setup more complex.
A check if page records may be edited at all should not be too difficult.

With the default access module, you can only set the permissions for one user/group and all.
Otherwise you need be_acl which used to be quite "expensive". That's why i put all users in a "default" group. The ones with modify rights for pages can create/delete, the others just list. (There are more backend users that also see parts of the pagetree, so "all" is not really an option)

I did a short test in IE9 and i may drag the pages to the delete zone, but no error pops up there.
After dragging in a new page, "Please wait ..." in the tree just waits for some response from the server.

#4

Updated by Philipp Gampe over 8 years ago

  • Status changed from New to Accepted
  • Complexity set to medium

All edit features of the page tree should be deactivated if a user does not have write permissions for the "page" table.

This is a bit harder if you want to do this on page level (access check). Nevertheless, it should be doable.

#5

Updated by Mathias Schreiber almost 7 years ago

  • Target version set to 7.4 (Backend)
  • Is Regression set to No
#6

Updated by Susanne Moog over 6 years ago

  • Target version changed from 7.4 (Backend) to 7.5
#7

Updated by Benni Mack about 6 years ago

  • Target version changed from 7.5 to 8 LTS
#8

Updated by Benni Mack over 4 years ago

  • Target version changed from 8 LTS to 9.0
#9

Updated by Riccardo De Contardi almost 4 years ago

I performed a test with 8.7.9

Prerequisites

- backend user without admin privileges
- backend usergroup for that user
- backend usergroup > edit > ACL > Tables (modify): I removed "pages".

Results

Page Module and List module: the edit icon is still visible but clicking it leads to infinite loading circle. I discovered that this behavior comes out because in the Access Module, the pages still have "edit page" checked on both user and usergroup.

After I also removed "edit pages" from the access module to both user and usergroup:

- the edit icon in page and list module is no more present
- drag and drop from the top of pagetree: still present, but leads to error:

1.2.1 Attempt to modify table 'pages' without permission (see attached file)

- trying to move page with drag and drop:

same error

- trying to delete the page dragging it to the delete area:

same error

#10

Updated by Susanne Moog almost 4 years ago

  • Target version deleted (9.0)
#11

Updated by Gerrit Code Review almost 2 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63514

#12

Updated by Gerrit Code Review almost 2 years ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63463

#13

Updated by Christian Eßl almost 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#14

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF