TYPO3 Core

Some more actions which should not be allowed to restricted users:
- via QuickEdit/[edit page properties]/'Move page'-button its possible to copy the page.
- via QuickEdit/[edit page properties]/'View record change history'-button its possible to change the page record.
- the user can manually call /typo3/sysext/cms/layout/db_layout.php?id=XX to edit the page record
- the same for history/undo: even if this entry in context menu is hidden the user could manually call the history modul via /typo3/show_rechis.php?element=pages:XX

I can confirm this for 6.0.x & 4.6.x

Patch from #47126 (thanks Frank) works, we only need a solution for this specific issue.

I did some research on this and found a simple solution for the main issue discovered by Philipp.
This solution does NOT solve the additional issues reported by Frank.

Page Module
Open typo3/sysext/backend/Classes/Controller/PageLayoutController.php and search for

// Edit page properties
if ($this->CALC_PERMS & 2) {

// Edit page properties
if ($this->CALC_PERMS & 2 && $GLOBALS['BE_USER']->checkLanguageAccess(0)) {

List Module
Open typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php and search for

// If edit permissions are set (see class.t3lib_userauthgroup.php)
if ($localCalcPerms & 2 && !empty($this->id)) {

// If edit permissions are set (see class.t3lib_userauthgroup.php)
if ($localCalcPerms & 2 && !empty($this->id) && $GLOBALS['BE_USER']->checkLanguageAccess(0)) {

My Question is how to put this to the review System? Could someone give me a hint/link to a documentation?

Thanks for your findings.

Have a look here:
http://wiki.typo3.org/Contribution_Walkthrough_Tutorials

Hi Philipp,

thanks for your help. A few seconds ago I pushed my first patch to Gerrit :)
Hope everything is right.

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/20453

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/20454

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/21143

Patch set 1 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/21144

I pushed a new patch to gerrit, which respects the new 6.2 and 4.5/4.7 for backporting.
I also changed two files mentioned by Dmitry.

Sorry for creating a new issue in Gerrit. How can I push a new patch set 2 for an existing one? (I am using TortoiseGit)

@Henrik: Just push to the same branch (for example master) and leave the Commit-Id unchanged. Gerrit will then know you're posting just a new revision and not a new patch.
Upon backports you'll then push to a different branch but still leave the Commit-Id unchanged. That will create a separate patch but will help keep track of the backport and it's siblings.

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/20454

Sorry for my messy pushes and thanks to Stefan for the hint.

Now I got it right and pushed patch set 2 to the originally created issue and abandoned the other one to keep the comments.

any progress?

Well just stumbled across this "bug" in TYPO3 6.2.4
Nasty! Some progress on this would be fine.

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/20454

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/20454

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/20454

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/20454