Bug #73146
closedStory #69617: FormEngine bugs
Permissions for inline records are not checked
100%
Description
Hello,
I have a configuration record with inline relations to sys_domain and be_users. Here a snippet of the be_user field of my TCA:
'editors' => array( 'exclude' => 1, 'label' => 'LLL:EXT:drstmplmodule/Resources/Private/Language/locallang_db.xlf:tx_drstmplmodule_domain_model_configuration.editors', 'config' => array( 'type' => 'inline', 'foreign_table' => 'be_users', 'foreign_sortby' => 'sorting', 'foreign_types' => array( '0' => array('showitem' => 'disable, username, realName, password, email') ), 'MM' => 'tx_drstmplmodule_configuration_editor_mm', 'minitems' => 1, 'maxitems' => 25, 'appearance' => array( 'newRecordLinkAddTitle' => true ) ), ),
An editor should only edit two textfields of the configuration record. He has NO access (read and write) to the related tables "sys_domain"/"be_users" AND he has NO rights to the fields "domains"/"editors" of the configuration record.
So why TYPO3 throws a message while opening the edit form: "Sorry, you didn't have proper permissions to perform this change. No table modify permission for user 9 on table be_users 1437683248"?
I thought, if a field is not valid for current user to "edit", it will not be displayed?!?!
Maybe I have found something regarding this problem in Core. Have a look into TcaInline.php method addData(). Without checking any permissions this method just tries to build the edit form for the related records at $this->resolveRelatedRecords().
Stefan