Bug #71243
closedNon-Admins can't edit content
100%
Description
After having the UI improvement to hide all actions which can't be taken by a user, we now see the situtation that users aren't able to edit content at all.
The reason is wrong permission evaluation in the Page module.
Setup and permissions
Rootpage (owner: admin, group: editors; group-perms: show page, edit content)
- page 1 (owner: user; all perms)
- page 2 (owner: user; all perms)
The "user" has the rootpage as webmount.
Analysis¶
The code in typo3/sysext/backend/Classes/View/PageLayoutView.php:421 evaluates the page permissions. It uses ext_CALC_PERMS
which is 31 (all permissions). The issue is that this line will check if the current page is part of the webmounts of the user, where the rootline selection is using the permissions as specificed. Since the user does not have 31 permission on the root page, which effectively causes the rootpage not to be part of the rootline for (e.g. page 2) and hence the isInWebmount() check returns false finally causing the pageinfo to be false
.
Updated by Markus Klein almost 9 years ago
- Assignee changed from Markus Klein to Mathias Schreiber
Updated by Gerrit Code Review almost 9 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44476
Updated by Gerrit Code Review almost 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44476
Updated by Wolfgang Wagner almost 9 years ago
Is it possible, that this issue has something to with that? https://forge.typo3.org/issues/71148
Updated by Mathias Schreiber almost 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset d0b1835e12ee3e0a39e21ee55b08dca178eb8822.
Updated by Riccardo De Contardi almost 7 years ago
- Status changed from Resolved to Closed