Bug #35142
openEpic #90674: Backend UI not reflecting permissions
Preview-icon shown even if no access to workspace-module
0%
Description
If a person does not have access to the workspace-module, he/she may only preview the output in the backend, but not using the preview-view in the frontend (with the compare-slider between Live- and Workspace-version etc.). However, that icon is displayed, and if clicked this results in an error (see #34550).
So the icon should be hidden if the person doesn't have sufficient rights to use that functionality.
Updated by Riccardo De Contardi almost 11 years ago
I can confirm this bug in TYPO3 6.1 (tested with the ACL set up on a usergroup)
The error says:
Oops, an error occurred! Access Error: You don't have access to this module.
But I have a question: if a user/usergroup should use only a custom workspace, why should he/it not have access to the Workspace module?
Updated by Michael Stucki over 10 years ago
- Category changed from Bugs to Workspaces
Updated by Michael Stucki over 10 years ago
- Project changed from 624 to TYPO3 Core
- Category changed from Workspaces to Workspaces
Updated by Riccardo De Contardi about 4 years ago
- TYPO3 Version changed from 4.5 to 9
The problem seems somehow still present in TYPO3 9.5.14. I performed the following tests:
Test 1 Configuration
1) TYPO3 Installation with a "Draft" Workspace
2) Editors BE Usergroup with:
Mounts and Workspaces Tab > [workspace_perms] = 0
Access List > [groupMods] > Workspaces [web_WorkspacesWorkspaces] > denied
Editor BE user with
Mounts and Workspaces Tab > [workspace_perms] = 1
With this configuration on the backend the editor can see the workspace switcher in the top status bar.
Test procedure
- Switch to Draft workspace
- Go to a page that has a different version in Draft workspace and click on preview button
Result:
1) the preview with the slider is visible (Visual preview) but in the log module I see the error
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1294586448: Access Error: You don't have access to this module. | RuntimeException thrown in file /TYPO3-dists/typo3_src-9.5.14/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php in line 496. Requested URL: https://typo3.9.test.it:8890/typo3/index.php?route=%2Fweb%2FWorkspacesWorkspaces%2F&token=--AnonymizedToken--&tx_workspaces_web_workspacesworkspaces%5Baction%5D=singleIndex&id=124
2) if in the preview slider I click on "List view" (instead of "Visual preview") the exception is thrown on the frontend
(1/1) #1294586448 RuntimeException Access Error: You don't have access to this module.
Test 2 Configuration
1) TYPO3 Installation with a "Draft" Workspace
2) Editors BE Usergroup with:
Mounts and Workspaces Tab > [workspace_perms] = 0
Access List > [groupMods] > Workspaces [web_WorkspacesWorkspaces] > denied
Editor BE user with
Mounts and Workspaces Tab > [workspace_perms] = 0
With this configuration the BE editor already starts with the "Draft workspace"
Test procedure
- Go to a page that has a different version in Draft workspace and click on preview button (it is still visible)
Result:
1) the preview with the slider is visible (Visual preview) but in the log module I see the error
Core: Exception handler (WEB): Uncaught TYPO3 Exception: #1294586448: Access Error: You don't have access to this module. | RuntimeException thrown in file /TYPO3-dists/typo3_src-9.5.14/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php in line 496. Requested URL: https://typo3.9.test.it:8890/typo3/index.php?route=%2Fweb%2FWorkspacesWorkspaces%2F&token=--AnonymizedToken--&tx_workspaces_web_workspacesworkspaces%5Baction%5D=singleIndex&id=124
2) if in the preview slider I click on "List view" (instead of "Visual preview") the exception is thrown on the frontend
(1/1) #1294586448 RuntimeException Access Error: You don't have access to this module.
Updated by Riccardo De Contardi 5 days ago
I guess it has been solved on version 12.4.14, 13.1.0 (latest main).
I repeated the test I described in my comment n°7; I'll repeat it here with some additional details:
Prerequisites
1) TYPO3 12.4.14 or 13.1.0-dev (latest main)
2) an "Admin" administrator User
3) An initial Home page "Home" (ID=1)
You can use a very minimal TypoScript Setup config, like:
config.no_cache=1
page = PAGE
page {
  5 = TEXT
  5 {
    data = field : title
    wrap = <h1>|</h1>
  }
}
page.100 =< styles.content.get
4) A "TestGroup" BE Usergroup with
Access Rights Tab > Modules [groupMods] >
- Web > Page [web_layout] > allow
- Web > List [web_list] > allow
- Everything else > denied (including Web > Workspaces [workspaces_admin])
Mounts and Workspaces Tab > Workspace permissions [workspace_perms] = 0
Mounts and Workspaces Tab > DB Mounts [db_mountpoints]: Home
5) An Editor (non-admin) BE user "TestUser" with
Mounts and Workspaces Tab > Workspace permissions [workspace_perms] = 1
6) A "Draft" Workspace with
Tab General >
Owners [adminusers]: Admin
Members [members]: TestGroup
Tab Mountpoints >
DB Mounts [db_mountpoints]: Home
With this configuration on the backend the editor can see the workspace switcher in the top status bar
7) A subpage "Test Page"
On System > Access give the following Owner | Group | Permission:
Page | Owner | Group | Everybody |
---|---|---|---|
Home | admin (full control) | admin (full control) | only Show page (1) |
Test Page | TestUser (full control) | TestGroup (full control) | deny all |
8) With the "Admin" user, switch to the "Draft" workspace
9) Edit the "Test Page" page and change something e.g. the title to "Test Page changed on WS", save and exit
Now on the pagetree the page is marked as different from the "live" version (marked with yellow background/dot)
Test 1
- Log in with "TestUser"
- switch to "Draft" Workspace
- Page Module > Go to page "Test Page"
- Click on the "View Webpage" button
Results
The "split window" preview opens on a new tab, already on the "Preview of Workspace Draft".
If you use the "slider" you should see the title changing.
You can obtain the same result using the "View Webpage" button on each line of the "List" view.
Test 2
- Log in with "Admin" user
- Change the BE user "TestUser" settings: Mounts and Workspaces Tab > Workspace permissions [workspace_perms] = 0, save and exit
With this configuration the BE editor already starts with the "Draft workspace"
- Log in with "TestUser" user
- Page Module > Go to page "Test Page"
- Click on the "View Webpage" button
Results
The "split window" preview opens on a new tab, already on the "Preview of Workspace Draft".
If you use the "slider" you should see the title changing.
You can obtain the same result using the "View Webpage" button on each line of the "List" view.
Note:
I repeated the same tests on TYPO3 11.5.35 and I found an odd bug: the "preview slider" window always shows the "Live" version
- the Pagetree in "Draft" workspace shows the correct changed title
- the bug does not occur with the "admin" user
Conclusion
Is the test sufficient? Do you think that a different test is necessary?