Bug #63337

closed

Missing User-rights-Management: User can edit all extension flexforms without sufficient rights

Added by Sven Juergens over 9 years ago. Updated over 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2014-11-26
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Hi,

Following situation:
Fresh installation of TYPO3 6.2.6; install the extensions news and macina_bannermanagement (or any other extensions with flexform configuration).
Create a usergroup and allow them with "[Allow] Insert Plugin" and "[Allow] Bannermodule" to use the Plugin Bannermodule. Now my expectation is that the user can only insert/read/update/delete the Plugin Bannermodule,
BUT he can also edit the flexform of News and of any other extensions with flexform configuration which a User or Admin with sufficient rights has inserted.
The DropDown of plugins has the value "[ INVALID VALUE ("news_pi1") ]", but the User can save and change any configuration.

Best Regards
Sven


Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #43593: Rights to change denied plugins (Closed, 2012-12-04)
Related to TYPO3 Core - Task #88496: Replace switchable controller actions terminology (Closed, Alexander Schnitzler, 2019-06-05)

#1

Updated by Georg Ringer over 9 years ago

  • Project changed from TYPO3 Core to 1716
#2

Updated by Helmut Hummel almost 9 years ago

Discussed this at the security sprint in Leeuwarden.

It would be nice to improve the access management here. But the current state is widely known and dealt with.

If somebody wants to improve the situation, we appreciate it. But we will and cannot handle that in our private workflow.

#3

Updated by Helmut Hummel almost 9 years ago

  • Project changed from 1716 to TYPO3 Core
  • Is Regression set to No
#4

Updated by Riccardo De Contardi over 6 years ago

  • Related to Bug #43593: Rights to change denied plugins added
#5

Updated by Georg Ringer over 4 years ago

  • Related to Task #88496: Replace switchable controller actions terminology added
#6

Updated by Georg Ringer over 4 years ago

  • Status changed from New to Closed

With #88496, switchable controller actions have been deprecated; therefore I am closing this issue as well.

#7

Updated by Sven Juergens over 4 years ago

After such a long time, still feedback on it :)

But is it really true that the patch changes the editor access to the plugins?
