Bug #62282
closed
The create file form should not be shown if editors are not allowed to add text files
0%
Description
This issue may need discussion, how it was planed to work.
The usage scenario: We want that user can upload a file but they shouldn't have a way to add files on the system (the part under the add folder).
Issues:
- Upgrade from 4.5
- The permission update do not set upload file access rights.
- Buttons
- In context menu the upload menu point depends on upload file right.
- In list module the upload button depends on add file rights.
- Upload functionality
- First upload file rights is checked and then the add file rights. In the write process the add file rights are checked again.
- Conclusion
- You need add file and upload file rights.
- The rights are handled differently
- No way for given usage scenario.
Files
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/33336
Updated by Frans Saris over 9 years ago
Maybe we can change the behaviour of the ResourceStorage a little so the add permission isn't checked when the file is added through addUploadedFile() as this has it's own permission check.
Updated by Alexander Opitz over 9 years ago
This may be the planned thing but thats what needs the most changes.
So I'd like to get more information how it was planned to work. And if we can backport it to 6.2 as it would be more or less a breaking change.
Updated by Frans Saris over 9 years ago
I was not involved in the first steps of the FAL project. So I don't know how it was planned to work.
Updated by Helmut Hummel over 9 years ago
Alexander Opitz wrote:
The usage scenario: We want that user can upload a file but they shouldn't have a way to add files on the system (the part under the add folder).
I don't understand this scenario. Can you elaborate? Where should the file end up after upload, when users should not have add permissions?
- Buttons
- In context menu the upload menu point depends on upload file right.
Can you point me to the place in code where this is the case? I can't find any usage of checking for upload permissions
- In list module the upload button depends on add file rights.
This is correct.
- Upload functionality
- First upload file rights is checked and then the add file rights. In the write process the add file rights are checked again.
Same here: I can't find a place where upload permissions are checked.
Updated by Helmut Hummel over 9 years ago
- Status changed from Under Review to Needs Feedback
Frans Saris wrote:
I was not involved in the first steps of the FAL project. So I don't know how it was planned to work.
"upload" permissions do not exist and if they exist it is a bug. (they are in permission settings, which is wrong)
A canonical list of existing permissions can be found in BackendUserAuthentication::getFilePermissions()
Anything else should not exist (this is how it is meant to be).
Updated by Alexander Opitz over 9 years ago
- File files_upload_right.png files_upload_right.png added
Here you can see the backend option dialog.
Updated by Alexander Opitz over 9 years ago
About the buttons I was a bit confused by the ClickMenu disabledItems from
but this differs from
where the comment sounds a bit other.
Updated by Alexander Opitz over 9 years ago
What we like to have is the possibility to upload files but don't have the add file formular in file_newfolder.php
Updated by Helmut Hummel over 9 years ago
Alexander Opitz wrote:
About the buttons I was a bit confused by the ClickMenu disabledItems from
but this differs from
where the comment sounds a bit other.
OK, ClickMenu disabledItems is something completely different and only represents a UI change, not the permission system for FAL.
What is also missing in the click menu is a check for file add permissions on the folder
Updated by Helmut Hummel over 9 years ago
Alexander Opitz wrote:
What we like to have is the possibility to upload files but don't have the add file formular in file_newfolder.php
You you want to allow uploading of files but prohibit creation of (text) files. Is that correct?
From a security perspective, both are the same. It does not make any difference if I create a file on my local computer and am allowed to upload it or create the same file through a backend UI (without uploading it). Also the result is exactly the same.
To conclude what needs to be fixed:
- Add check folder action permission "add" to ClickMenu
- Remove "upload" permission setting in be_users/be_groups as it is there by accident and does not do anything at all (add file permission is intentionally the one that is evaluated)
Regarding your use case: As far as I understood, this is no FAL permission issue any more, but only a UI customization issue. In that area I won't object any reasonable change. Maybe Felix could make a statement on that.
Updated by Andreas Kiessling over 9 years ago
Helmut Hummel wrote:
Alexander Opitz wrote:
What we like to have is the possibility to upload files but don't have the add file formular in file_newfolder.php
You you want to allow uploading of files but prohibit creation of (text) files. Is that correct?
From a security perspective, both are the same. It does not make any difference if I create a file on my local computer and am allowed to upload it or create the same file through a backend UI (without uploading it). Also the result is exactly the same.
This is not about any security matters, but about disabling what is not needed.
We only want to allow uploading images and pdf files. That was requested by the customer and goes along with setting
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'png,gif,jpg,jpeg,pdf'; $TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '*';
For an admin, it may sometimes be necessary to edit text files from the backend, but does the regular editor even know what half of these extensions mean?
Create a new textfile [*.txt, *.ts, *.html, *.htm, *.css, *.tmpl, *.js, *.sql, *.xml, *.csv, *.xlf]
With the current config you get the input to create a file, but after trying to do so, this message is shown:
Extension of file "bla.txt" was not allowed!
So yes, we really want to get rid of this input for our backend users :)
Updated by Helmut Hummel over 9 years ago
- Subject changed from User with upload rights but without add rights can't upload a file. to The create file form should not be shown if editors are not allowed to add text files
- Status changed from Needs Feedback to Accepted
Andreas Kiessling wrote:
So yes, we really want to get rid of this input for our backend users :)
Thanks for the clarification
So, what you are looking for is an additional option to disable the UI for this form or maybe a possibility for an extended permission check API in FAL which also considers file extensions.
In any case, this line here must be adapted accordingly:
Updated by Alexander Opitz over 9 years ago
After discussion, this issue splits in 3 smaller issues:
- Remove the permission settings for the non existing file_upload: #63096
- Fix the "upload" click menu handling
- Build a way to disable the "new file" ui part.
Updated by Tymoteusz Motylewski over 7 years ago
looks like the connected issue was resolved.
Can this issue be closed?
Updated by Alexander Opitz over 7 years ago
The connected issue was only one part of all, but will discuss with Andreas maybe tomorrow and test if the other parts got already resolved somewhere or is more needed.
Updated by Alexander Opitz over 7 years ago
- Assignee set to Alexander Opitz
As we update this customer system in the next weeks, I'll check this up.
Updated by Mona Muzaffar over 6 years ago
- Status changed from Accepted to Needs Feedback
Updated by Alexander Opitz over 6 years ago
- Status changed from Needs Feedback to Closed
- Assignee deleted (
Alexander Opitz)
To old and many changes in that area, so closing.