Feature #37673
Closed
Deny access to certain pagetypes via TSConfig
Added by Juan Manuel over 12 years ago. Updated about 4 years ago.
Description
Hi, I would like class.t3lib_tree_pagetree_dataprovider.php to have a TypoScript configuration for getWhereClause, adding to the end something like
$where .= ' '. $GLOBALS['BE_USER']->getTSConfigVal('options.myOwnWhereClause'); //AND doktype!=200
or
$where .= ' '. $GLOBALS['TYPO3_CONF_VARS']['BE']['pageTree']['myOwnWhereClause']; //AND doktype!=200
Regards
Files
patch_custom_doktype (236 Bytes) | Juan Manuel, 2012-07-24 14:24
Updated by Jigal van Hemert over 12 years ago
- Status changed from New to Needs Feedback
- Target version deleted (4.5.17)
- Estimated time deleted (2.00 h)
A small note: features can only go in the version which is currently under development (6.0).
What is the use case for this feature? Why would you add an extra condition to the query?
Just adding an extra clause this way could easily lead to security issues. If this is a useful feature it must be implemented in a secure way.
Updated by Stefan Galinski over 12 years ago
Hi Jigal,
he asked me about this feature and told me that he wants to introduce additional page types that should not be displayed in the pagetree. IMHO such a feature could be a generally easy way to hide pages based on additional filters. Where do you see security problems (it would be an admin option)?
Updated by Juan Manuel over 12 years ago
I would be happy if you released this code in the next 4.5.18 version
t3lib/tree/pagetree/class.t3lib_tree_pagetree_dataprovider.php
Thank you
Updated by Juan Manuel over 12 years ago
- File patch_custom_doktype added
Updated by Jigal van Hemert over 12 years ago
- Status changed from Needs Feedback to Accepted
- Target version set to 6.0.0-alpha3
Security problems always come later. When there is an access problem and the options someone has access to are too powerful there are serious problems.
I suggest options.pageTree.hideDoktypes as a comma separated list of doktypes. This we can filter for integers and add as an IN condition.
About backporting: it is not a real problem to add this to older branches, but each of the RM should agree...
Updated by Juan Manuel over 12 years ago
Jigal van Hemert wrote:
Security problems always come later. When there is an access problem and the options someone has access to are too powerful there are serious problems.
I suggest options.pageTree.hideDoktypes as a comma separated list of doktypes. This we can filter for integers and add as an IN condition.
About backporting: it is not a real problem to add this to older branches, but each of the RM should agree...
You are right, patch_custom_doktype file is done with IN but without filter. Take a look when you can ;)
Updated by Ernesto Baschny over 12 years ago
- TYPO3 Version changed from 4.5 to 6.0
While it sounds useful, we won't have this in 4.5.x at all. As with all minor releases of TYPO3, we won't be adding new features (new options, configuration) in patchlevel releases. See this explanation of our release policy:
http://typo3.org/teams/core-development-team/resources/release-workflow/
So your new feature must enter the currently being developed 6.0 (or later).
Updated by Helmut Hummel almost 12 years ago
- Target version changed from 6.0.0-alpha3 to 6.0.1
Updated by Mathias Schreiber almost 10 years ago
- Assignee set to Helmut Hummel
The question is:
Is there any way a BE user could ever edit its own TSConfig?
Updated by Helmut Hummel almost 10 years ago
- Assignee deleted (Helmut Hummel)
Mathias Schreiber wrote:
The question is:
Is there any way a BE user could ever edit its own TSConfig?
Honestly, I don't care. IMHO the proposed change makes a bad API for a high level configuration thing such as TypoScript and we should reduce such API instead of continuing to add it. But we have the possibility in other places already so it would not make much of a difference.
To directly answer your question: Every user with permissions to the PageTSConfig field on pages would have a fully fledged SQL interface with this change.
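The difference between the verbatim append from the original request and the integer-filtered IN condition suggested earlier in this thread, as an added example (not code from the ticket, the attached patch, or TYPO3 core). The function names, the base WHERE clause and the sample option values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern from the original request: the configured string is appended
// to the WHERE clause verbatim, so whoever can edit the option writes SQL.
function unsafeWhere(string $baseWhere, string $configured): string
{
    return $baseWhere . ' ' . $configured;
}

// Hypothetical helper: keep only decimal doktype numbers from a comma
// separated option value; any item that is not purely digits is dropped.
function parseDoktypeList(string $configured): array
{
    $ids = [];
    foreach (explode(',', $configured) as $item) {
        $item = trim($item);
        // ctype_digit() rejects signs, quotes, spaces, hex and SQL fragments;
        // the length limit keeps the value inside the integer range.
        if ($item !== '' && ctype_digit($item) && strlen($item) <= 9) {
            $ids[(int)$item] = true; // used as key to de-duplicate
        }
    }
    return array_keys($ids);
}

// The option can now only narrow the result set by doktype.
function safeWhere(string $baseWhere, string $configured): string
{
    $ids = parseDoktypeList($configured);
    if ($ids === []) {
        return $baseWhere; // nothing valid configured: add no condition
    }
    return $baseWhere . ' AND doktype NOT IN (' . implode(',', $ids) . ')';
}

// Constructed sample values, not taken from a real installation.
$base = 'pid=1 AND deleted=0';
$samples = ['200', '200, 201,200', 'AND doktype!=200', '200) OR 1=1 --', ''];
foreach ($samples as $value) {
    printf("option %s\n", var_export($value, true));
    printf("  unsafe: %s\n", unsafeWhere($base, $value));
    printf("  safe:   %s\n\n", safeWhere($base, $value));
}
```

With the filter in place, the two non-numeric sample values add no condition at all, while the verbatim append passes them straight into the query.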
Updated by Mathias Schreiber about 9 years ago
- Subject changed from where clause in pagetree to Deny access to certain pagetypes via TSConfig
- Target version deleted (6.0.1)
Updated by Oliver Bartsch about 4 years ago
- Related to Bug #49279: Exclude doktypes from pagetree by user TSconfig added
Updated by Oliver Bartsch about 4 years ago
- Status changed from Accepted to Closed
Hi,
the functionality to exclude (custom) doktypes was added with #49279.
You can exclude the doktypes with user TSconfig:
options.pageTree.excludeDoktypes
Just verified this on current master. I will close this issue now. If you feel there is still something that is missing, let me know and I will re-open the ticket.