Bug #63337
Closed
Missing User-rights-Management: User can edit all extension flexforms without sufficient rights
Description
Hi,
The following situation:
Fresh installation of TYPO3 6.2.6; install the extensions news and macina_bannermanagement (or any other extensions with flexform configuration).
Create a user group and allow it, with "[Allow] Insert Plugin" and "[Allow] Bannermodule", to use the Plugin Bannermodule. Now my expectation is that the user can only insert/read/update/delete the Plugin Bannermodule,
BUT he can also edit the flexform of News and any other extensions with flexform configuration which a User or Admin with sufficient rights has inserted.
The DropDown of plugins has the value "[ INVALID VALUE ("news_pi1") ]" but the User can save and change any configuration.
Best Regards
Sven
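Added example, not TYPO3 core code and not part of the original report: a small audit that models the check the reporter expected, by testing the stored `list_type` of each plugin record against the group's explicit allow list rather than only the value submitted in the form. It assumes the "explicit allow" mode and the `table:field:value:ALLOW` entry format of `be_groups.explicit_allowdeny`; the banner plugin key `bannermodule_pi1` and all rows are constructed sample data.

```python
# Constructed sample data: a group permission string and three tt_content rows.
SAMPLE_GROUP = ("tt_content:CType:list:ALLOW,"
                "tt_content:list_type:bannermodule_pi1:ALLOW")  # hypothetical key
SAMPLE_ROWS = [
    {"uid": 10, "CType": "list", "list_type": "news_pi1"},
    {"uid": 11, "CType": "list", "list_type": "bannermodule_pi1"},
    {"uid": 12, "CType": "text", "list_type": ""},
]


def parse_explicit_allowdeny(value):
    """Parse 'table:field:value:ALLOW|DENY,...' into a set of allowed triples."""
    allowed = set()
    for entry in filter(None, (e.strip() for e in value.split(","))):
        parts = entry.split(":")
        if len(parts) != 4:
            continue  # a malformed entry grants nothing
        table, field, val, mode = parts
        if mode == "ALLOW":
            allowed.add((table, field, val))
    return allowed


def may_edit(row, allowed):
    """True only if the stored CType and, for plugins, list_type are allowed."""
    if ("tt_content", "CType", row["CType"]) not in allowed:
        return False
    if row["CType"] == "list" and row["list_type"]:
        return ("tt_content", "list_type", row["list_type"]) in allowed
    return True


def unauthorized_plugin_records(rows, explicit_allowdeny):
    """Return uids of plugin records the group has no explicit right to edit."""
    allowed = parse_explicit_allowdeny(explicit_allowdeny)
    return [r["uid"] for r in rows
            if r["CType"] == "list" and not may_edit(r, allowed)]


if __name__ == "__main__":
    # Records listed here are the ones whose flexform the group should not
    # be able to save according to the expectation stated in the report.
    print(unauthorized_plugin_records(SAMPLE_ROWS, SAMPLE_GROUP))
```
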
Updated by Georg Ringer almost 10 years ago
- Project changed from TYPO3 Core to 1716
Updated by Helmut Hummel over 9 years ago
Discussed this at the security sprint in Leeuwarden.
It would be nice to improve the access management here. But the current state is widely known and dealt with.
If somebody wants to improve the situation, we appreciate it. But we will not and cannot handle that in our private workflow.
Updated by Helmut Hummel over 9 years ago
- Project changed from 1716 to TYPO3 Core
- Is Regression set to No
Updated by Riccardo De Contardi almost 7 years ago
- Related to Bug #43593: Rights to change denied plugins added
Updated by Georg Ringer over 4 years ago
- Related to Task #88496: Replace switchable controller actions terminology added
Updated by Georg Ringer over 4 years ago
- Status changed from New to Closed
With #88496, switchable controller actions have been deprecated; therefore I am closing this issue as well.
Updated by Sven Juergens over 4 years ago
After such a long time, still feedback on it :)
But is it really true that the patch changes the editor access to the plugins?