Bug #71319

IRRE in sys_file_metadata doesn't work for normal users

Added by Sebastian Hofer about 5 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2015-11-04
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

I extended the sys_file_metadata table with an inline field to add some object relations to a file's meta data. This doesn't work for normal users (admins have no problems). By adding a new Relation with the ajax call comes an error and no relation is generated. This causes an "access denied" pop up for the user.

I found the reason for this in the class TYPO3\CMS\Backend\Form\Element\InlineElement. The function checkAccess() returns false in every case because of these lines (2111 to 2114):

$calcPRec = BackendUtility::getRecord('pages', $this->inlineFirstPid);
if (!is_array($calcPRec)) {
    return FALSE;
}

$this->inlineFirstPid is 0 in case of adding an inline element.

The popup message is called in line 1266 in the createNewRecord() function (TYPO3\CMS\Backend\Form\Element\InlineElement), which is called by ajax in this case.

$item = $this->renderForeignRecord($parent['uid'], $record, $config);
if ($item === FALSE) {
    return $this->getErrorMessageForAJAX('Access denied');
}

Related issues

Related to TYPO3 Core - Bug #75748: Editor can't remove images attached to other imagesClosed2016-04-18

Actions
Related to TYPO3 Core - Bug #76229: Missing edit options for non-admin users on references to sys_file_metadataClosed2016-05-18

Actions
Related to TYPO3 Core - Bug #75332: Saving relations to files in sys_file_metadata does not work for normal usersClosed2016-03-31

Actions
Related to TYPO3 Core - Bug #81308: Deleting a referenced file via filelist module, definined in sys_file_metadataClosed2017-05-22

Actions
#1

Updated by Sebastian Hofer about 5 years ago

  • Target version set to next-patchlevel
#2

Updated by Mathias Schreiber about 5 years ago

  • Target version deleted (next-patchlevel)
#3

Updated by Frans Saris about 4 years ago

  • Status changed from New to Needs Feedback

A normal editor isn't allowed to add records to root level. This is where sys_file_metadata and your IRRE records get saved.

It should be possible to disable this security check with TCA like:

$GLOBALS['TCA']['your_table']['ctrl']['security']['ignoreRootLevelRestriction'] = true;
$GLOBALS['TCA']['your_table']['ctrl']['security']['ignoreWebMountRestriction'] = true;
$GLOBALS['TCA']['your_table']['ctrl']['rootLevel'] = -1;
#4

Updated by Ephraim Härer about 4 years ago

Hi, I tried it with the TCA changes but it wont't work with TYPO3 6.2.x.
Is there any other possibility?

#5

Updated by Alexander Opitz almost 4 years ago

  • Status changed from Needs Feedback to New
#6

Updated by Riccardo De Contardi almost 3 years ago

  • Related to Bug #81308: Deleting a referenced file via filelist module, definined in sys_file_metadata added
#7

Updated by Riccardo De Contardi almost 3 years ago

  • Status changed from New to Closed

We're sorry, but we close this issue for now - please look at https://forge.typo3.org/issues/81308#change-356775

if you think that this is the wrong decision, please reopen it or open a new issue with a reference to this one.
Or, as suggested, open a discussion on Slack or decisions.typo3.org
Thank you.

Also available in: Atom PDF