Project

General

Profile

Actions

Feature #37673

closed

Deny access to certain pagetypes via TSConfig

Added by Juan Manuel over 12 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Could have
Assignee:
-
Category:
Pagetree
Target version:
-
Start date:
2012-06-01
Due date:
% Done:

0%

Estimated time:
PHP Version:
5.3
Tags:
Complexity:
easy
Sprint Focus:

Description

Hi, I would like that class.t3lib_tree_pagetree_dataprovider.php could have Typoscript configuration for getWhereClause adding to the end some like
$where .= ' '. $GLOBALS['BE_USER']->getTSConfigVal('options.myOwnWhereClause'); //AND doktype!=200
or
$where .= ' '. $GLOBALS['TYPO3_CONF_VARS']['BE']['pageTree']['myOwnWhereClause'] //AND doktype!=200

Regards


Files

patch_custom_doktype (236 Bytes) patch_custom_doktype Juan Manuel, 2012-07-24 14:24

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #49279: Exclude doktypes from pagetree by user TSconfigClosed2013-06-20

Actions
Actions #1

Updated by Jigal van Hemert over 12 years ago

  • Status changed from New to Needs Feedback
  • Target version deleted (4.5.17)
  • Estimated time deleted (2.00 h)

A small note: features can only go in the version which is currently under development (6.0).

What is the use case for this feature? Why would you add an extra condition to the query?

Just adding an extra clause this way could easily lead to security issues. If this is a useful feature it must be implemented in a secure way.

Actions #2

Updated by Stefan Galinski over 12 years ago

Hi Jigal,

he asked me about this feature and told me that he wants to introduce additional page types that should not be displayed in the pagetree. IMHO such a feature could be a generally easy way to hide pages based on additional filters. Where do you see security problems (it would be an admin option)?

Actions #3

Updated by Juan Manuel over 12 years ago

I could be happy if you release this code in the next 4.5.18 version

t3lib/tree/pagetree/class.t3lib_tree_pagetree_dataprovider.php

Thank you

Actions #5

Updated by Jigal van Hemert over 12 years ago

  • Status changed from Needs Feedback to Accepted
  • Target version set to 6.0.0-alpha3

Security problems always come later. When there is an access problem and the options someone has access to are too powerful there are serious problems.

I suggest options.pageTree.hideDoktypes as a comma separated list of doktypes. This we can filter for integers and add as an IN condition.

About backporting: it is not a real problem to add this to older branches, but each of the RM should agree...

Actions #6

Updated by Juan Manuel over 12 years ago

Jigal van Hemert wrote:

Security problems always come later. When there is an access problem and the options someone has access to are too powerful there are serious problems.

I suggest options.pageTree.hideDoktypes as a comma separated list of doktypes. This we can filter for integers and add as an IN condition.

About backporting: it is not a real problem to add this to older branches, but each of the RM should agree...

You are right, patch_custom_doktype file is done with IN but without filter. Take a look when you can ;)

Actions #7

Updated by Ernesto Baschny over 12 years ago

  • TYPO3 Version changed from 4.5 to 6.0

While it sounds like useful, we won't have this in 4.5.x at all. As with all minor releases of TYPO3, we won't be adding new features (new options, configuration) in patchlevel releases. See this explanation of our release policy:

http://typo3.org/teams/core-development-team/resources/release-workflow/

So your new feature must enter the currently being developed 6.0 (or later).

Actions #8

Updated by Helmut Hummel almost 12 years ago

  • Target version changed from 6.0.0-alpha3 to 6.0.1
Actions #9

Updated by Mathias Schreiber almost 10 years ago

  • Assignee set to Helmut Hummel

the Question is:
Is there any way a BE user could ever edit its own TSConfig?

Actions #10

Updated by Helmut Hummel almost 10 years ago

  • Assignee deleted (Helmut Hummel)

Mathias Schreiber wrote:

the Question is:
Is there any way a BE user could ever edit its own TSConfig?

Honestly, I don't care. IMHO the proposed change makes a bad API for a high level configuration thing as TypoScript and we should reduce such API instead of keep adding it. But we have the possiblity in other places already so it would not make much of a difference.

To directly answer your question: Every User with permissions to PageTSCOnfig field on pages would have a fully fledged SQL Interface with this change

Actions #11

Updated by Mathias Schreiber about 9 years ago

  • Subject changed from where clause in pagetree to Deny access to certain pagetypes via TSConfig
  • Target version deleted (6.0.1)
Actions #12

Updated by Oliver Bartsch about 4 years ago

  • Related to Bug #49279: Exclude doktypes from pagetree by user TSconfig added
Actions #13

Updated by Oliver Bartsch about 4 years ago

  • Status changed from Accepted to Closed

Hi,

the functionality to exclude (custom) doktypes was added with #49279.

You can exclude the doktypes with user TSconfig:

options.pageTree.excludeDoktypes

Just verified this on current master. I will close this issue now. If you feel there is still something that is missing, let me know and I will re-open the ticket.

Actions

Also available in: Atom PDF