Bug #65615
open
Epic #90674: Backend UI not reflecting permissions
Editors can sort pages in module functions - they can see and sort restricted pages like templates
Added by Andrea Herzog-Kienast over 9 years ago.
Updated over 4 years ago.
Category: Backend User Interface
Description
Hi,
IMHO it is not a good idea to let editors see pages they are not allowed to see. In the pagetree, they are not allowed to see restricted pages like template folders - but in module functions they can see those data if they choose "Functions -> Sort pages".
Ok, those pages and folders are marked with W! - but what does this tell an editor?
And if he sorts the pages, those pages are affected.
As an admin I do not like to see the editor putting my pages on another position.
As I can't add images inline, example image is attached.
This behaviour is tested in 6.2 and 7.1.
- Project changed from TYPO3 Core to 1716
- Category deleted (Backend User Interface)
- Affected Version set to v6.2
- TYPO3 Version changed from 7 to 6.2
- Category set to OW-A05: Broken Access Control
- Priority changed from Must have to Should have
- Target version set to elts
- TYPO3 Version changed from 6.2 to 8
- Affected Version changed from v6.2 to v6.2, v7, v8, v9, master
Reproducible with master (pre 10.0-dev) with the scenario
- all pages can be edited
- except one (that's the important point)
TYPO3 technically behaves correctly and does not change sorting order of that page - but of all other pages that are allowed to be edited.
- Status changed from New to Accepted
- Target version changed from elts to Release January 2019
In case one of the candidates to be reordered cannot be changed, the whole sorting action should fail with a corresponding error message.
Actually this is not a security issue... the impact is only on "availability", which might lead to DoS scenarios, but it highly depends on how the site is organized and configured in general.
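The two behaviours discussed in this issue side by side, as an added illustration that is not TYPO3 code: a lenient sort that silently skips the page the editor may not touch and reorders the rest around it (the reported behaviour), and the fail-closed variant where one denied candidate aborts the whole sort before anything is written. `Page`, `BackendUser`, `can_edit` and the sample page tree are constructed stand-ins for the real backend permission model and are assumptions of this example, not the project's API.

```python
from dataclasses import dataclass, field


@dataclass
class Page:
    uid: int
    pid: int        # parent page uid
    title: str
    sorting: int    # position among siblings; lower sorts first


@dataclass
class BackendUser:
    name: str
    is_admin: bool = False
    editable_uids: frozenset = field(default_factory=frozenset)


def can_edit(user: BackendUser, page: Page) -> bool:
    """Stand-in for the real access check (assumption): admins may edit
    everything, editors only the pages explicitly granted to them."""
    return user.is_admin or page.uid in user.editable_uids


def children(tree: dict, pid: int) -> list:
    """Subpages of pid in their current sorting order."""
    return sorted((p for p in tree.values() if p.pid == pid), key=lambda p: p.sorting)


def visible_children(tree: dict, user: BackendUser, pid: int) -> list:
    """What a sort-pages module should list: nothing the user may not touch."""
    return [p for p in children(tree, pid) if can_edit(user, p)]


def by_title(page: Page) -> str:
    return page.title.lower()


def _reassign_slots(pages: list, key) -> None:
    """Reorder pages by key, reusing their existing sorting values so
    untouched siblings keep their relative position."""
    slots = sorted(p.sorting for p in pages)
    for slot, page in zip(slots, sorted(pages, key=key)):
        page.sorting = slot


def sort_pages_lenient(tree: dict, user: BackendUser, pid: int, key=by_title) -> list:
    """Reported behaviour: silently skips pages the user cannot edit and
    reorders all the others around them. Returns the resulting uid order."""
    _reassign_slots(visible_children(tree, user, pid), key)
    return [p.uid for p in children(tree, pid)]


def sort_pages_strict(tree: dict, user: BackendUser, pid: int, key=by_title) -> list:
    """Fail-closed variant: every candidate is checked before anything is
    written; a single denied page aborts the whole operation."""
    candidates = children(tree, pid)
    denied = [p.uid for p in candidates if not can_edit(user, p)]
    if denied:
        raise PermissionError(f"no edit permission on page(s) {denied}; nothing reordered")
    _reassign_slots(candidates, key)
    return [p.uid for p in children(tree, pid)]


def build_tree() -> dict:
    """Constructed sample tree: four subpages of page 1, one of them a
    restricted template folder (uid 3) the editor may not edit."""
    pages = [
        Page(2, 1, "Contact", 256),
        Page(3, 1, "Templates", 512),
        Page(4, 1, "About", 768),
        Page(5, 1, "Blog", 1024),
    ]
    return {p.uid: p for p in pages}


if __name__ == "__main__":
    editor = BackendUser("editor", editable_uids=frozenset({2, 4, 5}))
    tree = build_tree()
    print("editor sees:", [p.title for p in visible_children(tree, editor, 1)])
    print("lenient result:", sort_pages_lenient(tree, editor, 1))
    try:
        sort_pages_strict(build_tree(), editor, 1)
    except PermissionError as err:
        print("strict result:", err)
```

With the editor who may edit pages 2, 4 and 5 but not the template folder 3, the lenient sort leaves the template folder in place and moves every other page around it, which is exactly the partial reorder described above; the strict variant rejects the request and leaves the tree untouched, while an admin running the same sort reorders all four pages.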
- Project changed from 1716 to TYPO3 Core
- Category deleted (OW-A05: Broken Access Control)
- Target version deleted (Release January 2019)
- Project changed from TYPO3 Core to 1716
- Target version set to public
- Project changed from 1716 to TYPO3 Core
- Target version deleted (public)
- Parent task set to #90674
- Category set to Backend User Interface