Bug #75332

Saving relations to files in sys_file_metadata does not work for normal users

Added by Tobias Gaertner over 3 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
File Abstraction Layer (FAL)
Target version:
-
Start date:
2016-03-31
Due date:
% Done:

0%

TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

TYPO3 6.2.19

I have extended the sys_file_metadata table with a field which is a file relation.
When I am logged in as admin user everything works fine, I can create relations to other files and store them.
When I am logged in as a normal, nonadmin user (with all possible access rights), I get an "Access Denied" alert and can not save the relation.

Here a minimal setup:

myext/Configuration/Overrides/sys_file_reference.php

<?php
if (!defined('TYPO3_MODE')) die ('Access denied.');

$tca = array(
    'ctrl' => array(
        'rootLevel' => -1, // Otherwise File Reference will not work between files.
    ),
);

// Disable the File Upload in IRRE since it can not be configured the target storage.
$GLOBALS['TCA']['sys_file_reference']['columns']['uid_local']['config']['appearance']['fileUploadAllowed'] = FALSE;

\TYPO3\CMS\Core\Utility\ArrayUtility::mergeRecursiveWithOverrule($GLOBALS['TCA']['sys_file_reference'], $tca);

myext/Configuration/Overrides/sys_file_metadata.php

<?php
if (!defined('TYPO3_MODE')) die ('Access denied.');

if (\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::isLoaded('filemetadata')) {
    $configuration = '--div--;LLL:EXT:hszg_documents/Resources/Private/Language/locallang.xlf:tab.documents, files';
    \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addToAllTCAtypes('sys_file_metadata', $configuration);
}

parent_file.png View - Parent file opened in filelist (55.8 KB) Sascha Maier, 2017-05-23 18:04

referenced_file.png View - Referenced file opened out from parent file form (75.5 KB) Sascha Maier, 2017-05-23 18:04

parent_file_override_metadata.png View - Override metadata in of referenced file in parent file form (56.7 KB) Sascha Maier, 2017-05-23 18:04


Related issues

Related to TYPO3 Core - Bug #71319: IRRE in sys_file_metadata doesn't work for normal users Closed 2015-11-04
Related to TYPO3 Core - Bug #81308: Deleting a referenced file via filelist module, definined in sys_file_metadata Closed 2017-05-22
Duplicated by TYPO3 Core - Bug #76229: Missing edit options for non-admin users on references to sys_file_metadata Closed 2016-05-18

History

#1 Updated by Tobias Gaertner over 3 years ago

there is already a discussion with also some possible reasons about that here: https://forum.typo3.org/index.php?t=msg&th=208963

#2 Updated by Stephan Großberndt over 3 years ago

  • Subject changed from FAL realtions between files in sys_file_metadata does not work an editor to Saving relations to files in sys_file_metadata do not work for normal users
  • Category set to File Abstraction Layer (FAL)

#3 Updated by Stephan Großberndt over 3 years ago

  • Subject changed from Saving relations to files in sys_file_metadata do not work for normal users to Saving relations to files in sys_file_metadata does not work for normal users

#4 Updated by Ephraim Härer about 3 years ago

Hello,
are there any updates or bugfixes I can implement to fix this problem?

#5 Updated by Frans Saris about 3 years ago

Could you try to add this to your TCA overrides:

$GLOBALS['TCA']['your_table']['ctrl']['security']['ignoreRootLevelRestriction'] = true;
$GLOBALS['TCA']['your_table']['ctrl']['security']['ignoreWebMountRestriction'] = true;
$GLOBALS['TCA']['your_table']['ctrl']['rootLevel'] = -1;

so for sys_file_reference:

$GLOBALS['TCA']['sys_file_reference']['ctrl']['security']['ignoreRootLevelRestriction'] = true;
$GLOBALS['TCA']['sys_file_reference']['ctrl']['security']['ignoreWebMountRestriction'] = true;
$GLOBALS['TCA']['sys_file_reference']['ctrl']['rootLevel'] = -1;

#6 Updated by Martin Voss about 3 years ago

@Frans Saris I just tested the TCA overrides you suggest - unfortunately, they do not help. I think the problem lies elsewhere: #76229 (which you closed as a duplicate of this issue).

#7 Updated by Ephraim Härer about 3 years ago

I couldn't get it work with this TCA settings, too.

#8 Updated by Online Now! GmbH over 2 years ago

The file references on file meta data are stored with the page uid of the parent record. This is page uid 0. Only admin users have access to that page. Therefore normal editors cant edit any inline file references on file meta data stored on page 0.

The extenstion "DAM" handled this differently with storing the file and meta data on a normal sys folder. The relations did not even use a pid.

I tried to implement a workaround in 7.6 LTS by using the "tceformsInlineHook", but i cant really rebuild the missing icons with that, because of limited incoming data to the hook. Basically missing is creating the correct object id for the data attribute on the buttons.

Another workaround would be the TCA option "foreign_record_defaults". But unfortunately, the field "pid" is not allowed there.

The suggested TCA settings dont work.

So last option is to hack the core ( bypass permission check "sys_file_reference" table ) until there is a solution for this behavior.

Possible solutions:

- Store file meta data on a regular page / folder like DAM
- Allow the attribute "pid" in TCA option "foreign_record_defaults"
- Bypass permission check in file list when using inline relation for "sys_file_reference" / "sys_file_metadata" table

#9 Updated by Sascha Maier over 2 years ago

Checked on a fresh install version 8 LTS and 9.0.0-dev with the following TCA:

\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addTCAcolumns('sys_file_metadata', array(
    'attachments' => array(
        'exclude' => 1,
        'label' => 'LLL:EXT:as_formular_center/Resources/Private/Language/locallang_be.xlf:sys_file_metadata.as_attachments',
        'config' => \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::getFileFieldTCAConfig(
            'files',
            array(
                'appearance' => array(
                    'createNewRelationLinkTitle' => 'LLL:EXT:cms/locallang_ttc.xlf:files.addFileReference'
                )
            )
        )
    )
));
\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addToAllTCAtypes('sys_file_metadata', 'attachments', '', 'after:source');

got a edit button in the backend and can edit the metadata with a "non-admin" user. May be the problem is solved in newer versions and could be closed?

Unfortunately the delete button is missing, i will open a separate bug ticket for this.

#10 Updated by Tobias Gaertner over 2 years ago

Good news! But it would be nice to fix this in at least TYPO3 7. Our client suffers now a long time already AND will still because it will take a long while until this project will be V.8 !!!

#11 Updated by Sascha Maier over 2 years ago

Checked out a fresh 7.6.19-dev, and the relations working. Only the delete button is missing, opened bug #81308 on this.

My workflow:
  • checked out: git clone git://git.typo3.org/Packages/TYPO3.CMS.git .
  • switched to branch TYPO3_7-6
  • installed via install tool with new database
  • created a non admin-user
  • installed out extension with the referenced files (see former post)
  • installed extension advanced metadata
  • created a group with access to the needed tables
  • assign group to user
  • switch to non admin user
  • uploaded a file
  • add referenced files to the uploaded via TBE file selector
  • saved file
  • opened referenced file by click on the pencil, in the opened parent file form.
  • changed metadata
  • saved

All testet in a "TYPO3 Docker Boilerplate". Attached a few screenshost to avoid talking about different problems. Hope this helps you.

#12 Updated by Tobias Gaertner over 2 years ago

I will try to confirm this - when I find time

#13 Updated by Riccardo De Contardi almost 2 years ago

  • Related to Bug #81308: Deleting a referenced file via filelist module, definined in sys_file_metadata added

#14 Updated by Riccardo De Contardi almost 2 years ago

  • Status changed from New to Closed

We're sorry, but we close this issue for now - please look at https://forge.typo3.org/issues/81308#change-356775

if you think that this is the wrong decision, please reopen it or open a new issue with a reference to this one.
Or, as suggested, open a discussion on Slack or decisions.typo3.org
Thank you.

Also available in: Atom PDF