Bug #71243
closedNon-Admins can't edit content
100%
Description
After having the UI improvement to hide all actions which can't be taken by a user, we now see the situtation that users aren't able to edit content at all.
The reason is wrong permission evaluation in the Page module.
Setup and permissions
Rootpage (owner: admin, group: editors; group-perms: show page, edit content)
- page 1 (owner: user; all perms)
- page 2 (owner: user; all perms)
The "user" has the rootpage as webmount.
Analysis¶
The code in typo3/sysext/backend/Classes/View/PageLayoutView.php:421 evaluates the page permissions. It uses ext_CALC_PERMS
which is 31 (all permissions). The issue is that this line will check if the current page is part of the webmounts of the user, where the rootline selection is using the permissions as specificed. Since the user does not have 31 permission on the root page, which effectively causes the rootpage not to be part of the rootline for (e.g. page 2) and hence the isInWebmount() check returns false finally causing the pageinfo to be false
.