Bug #73146
closed
Story #69617: FormEngine bugs
Permissions for inline records are not checked
100%
Description
Hello,
I have a configuration record with inline relations to sys_domain and be_users. Here a snippet of the be_user field of my TCA:
'editors' => array(
'exclude' => 1,
'label' => 'LLL:EXT:drstmplmodule/Resources/Private/Language/locallang_db.xlf:tx_drstmplmodule_domain_model_configuration.editors',
'config' => array(
'type' => 'inline',
'foreign_table' => 'be_users',
'foreign_sortby' => 'sorting',
'foreign_types' => array(
'0' => array('showitem' => 'disable, username, realName, password, email')
),
'MM' => 'tx_drstmplmodule_configuration_editor_mm',
'minitems' => 1,
'maxitems' => 25,
'appearance' => array(
'newRecordLinkAddTitle' => true
)
),
),
An editor should only edit two textfields of the configuration record. He has NO access (read and write) to the related tables "sys_domain"/"be_users" AND he has NO rights to the fields "domains"/"editors" of the configuration record.
So why TYPO3 throws a message while opening the edit form: "Sorry, you didn't have proper permissions to perform this change. No table modify permission for user 9 on table be_users 1437683248"?
I thought, if a field is not valid for current user to "edit", it will not be displayed?!?!
Maybe I have found something regarding this problem in Core. Have a look into TcaInline.php method addData(). Without checking any permissions this method just tries to build the edit form for the related records at $this->resolveRelatedRecords().
Stefan
Updated by 
Updated by 
Updated by 
Updated by