Bug #73146

Story #69617: FormEngine bugs

Permissions for inline records are not checked

Added by Stefan Froemken over 5 years ago. Updated over 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: FormEngine aka TCEforms
Target version:
Start date: 2016-02-05
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 7
PHP Version: 5.6
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

Hello,

I have a configuration record with inline relations to sys_domain and be_users. Here is a snippet of the be_user field of my TCA:

'editors' => array(
    'exclude' => 1,
    'label' => 'LLL:EXT:drstmplmodule/Resources/Private/Language/locallang_db.xlf:tx_drstmplmodule_domain_model_configuration.editors',
    'config' => array(
        'type' => 'inline',
        'foreign_table' => 'be_users',
        'foreign_sortby' => 'sorting',
        'foreign_types' => array(
            '0' => array('showitem' => 'disable, username, realName, password, email')
        ),
        'MM' => 'tx_drstmplmodule_configuration_editor_mm',
        'minitems' => 1,
        'maxitems' => 25,
        'appearance' => array(
            'newRecordLinkAddTitle' => true
        )
    ),
),

An editor should only edit two textfields of the configuration record. He has NO access (read and write) to the related tables "sys_domain"/"be_users" AND he has NO rights to the fields "domains"/"editors" of the configuration record.

So why does TYPO3 throw a message when opening the edit form: "Sorry, you didn't have proper permissions to perform this change. No table modify permission for user 9 on table be_users 1437683248"?

I thought that if a field is not valid for the current user to "edit", it will not be displayed?!?!

Maybe I have found something regarding this problem in Core. Have a look into TcaInline.php method addData(). Without checking any permissions this method just tries to build the edit form for the related records at $this->resolveRelatedRecords().

Stefan
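
The check ordering this report expects, as an added stand-alone example (not TYPO3 core code and not the patch from the review server): a simplified model in which field-level access is evaluated before any inline children are resolved. `ModelUser`, `renderableFields()` and the `title` field are hypothetical names, and the sample data is constructed.

```php
<?php
// Simplified model of the check ordering; not TYPO3 core code. Names are hypothetical.
final class ModelUser
{
    private $tablesModify;      // tables the user may modify
    private $nonExcludeFields;  // granted "table:field" entries
    public function __construct(array $tablesModify, array $nonExcludeFields)
    {
        $this->tablesModify = $tablesModify;
        $this->nonExcludeFields = $nonExcludeFields;
    }
    public function mayModifyTable(string $table): bool
    {
        return in_array($table, $this->tablesModify, true);
    }
    // Fields flagged 'exclude' are editable only when explicitly granted.
    public function mayEditField(string $table, string $field, array $tca): bool
    {
        return empty($tca['exclude'])
            || in_array($table . ':' . $field, $this->nonExcludeFields, true);
    }
}

// Returns the fields to render. Inline children are resolved only for fields
// the user may edit, so a hidden field never reaches the child table check.
function renderableFields(ModelUser $user, string $table, array $columns): array
{
    $rendered = [];
    foreach ($columns as $field => $tca) {
        if (!$user->mayEditField($table, $field, $tca)) {
            continue; // not shown, so its related records are never resolved
        }
        $config = $tca['config'];
        if ($config['type'] === 'inline' && !$user->mayModifyTable($config['foreign_table'])) {
            throw new RuntimeException('No table modify permission on ' . $config['foreign_table']);
        }
        $rendered[] = $field;
    }
    return $rendered;
}

// Constructed sample: editor granted one text field, no access to be_users.
$table = 'tx_drstmplmodule_domain_model_configuration';
$columns = [
    'title'   => ['exclude' => 1, 'config' => ['type' => 'input']],
    'editors' => ['exclude' => 1, 'config' => ['type' => 'inline', 'foreign_table' => 'be_users']],
];
$editor = new ModelUser([$table], [$table . ':title']);
print_r(renderableFields($editor, $table, $columns));
```

Running the `mayModifyTable()` check before `mayEditField()` in this model reproduces the reported behaviour: the exception is raised for a field the editor would never see.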

#1

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#2

Updated by Gerrit Code Review about 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#3

Updated by Gerrit Code Review about 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#4

Updated by Gerrit Code Review about 5 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#5

Updated by Mathias Schreiber about 5 years ago

  • Parent task set to #69617

#6

Updated by Gerrit Code Review about 5 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#7

Updated by Gerrit Code Review about 5 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#8

Updated by Gerrit Code Review about 5 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/46499

#9

Updated by Gerrit Code Review about 5 years ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/47456

#10

Updated by Stefan Froemken about 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11

Updated by Riccardo De Contardi over 3 years ago

  • Status changed from Resolved to Closed
