Bug #78860

open

Epic #90674: Backend UI not reflecting permissions

"Page edit" permissions not enough to "media" field in page properties

Added by Thomas Imhof over 7 years ago. Updated about 12 hours ago.

Status: Under Review
Priority: Must have
Assignee: -
Category: Backend API
Target version: -
Start date: 2016-12-02
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

There is a problem with the user permissions: if I set the access rights for a page only to "Edit page" and not "Edit content", there is an error message if I use the media field or another FAL field in the page settings.

The problem is that the method "\TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseUserPermissionCheck::addData" checks whether there is a record which isn't of type "pages" and whether there is permission to "Edit content" for this PID. This part of the code is on lines 128-138.

There was the same problem in TYPO3 6.2, but in the old class for the permission check. That ticket was resolved, but now there is the same problem with TYPO3 7 LTS.

Previous problem in version 6.2: https://forge.typo3.org/issues/66702


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #66702: "Page edit" permissions not enough to "media" field in page properties (Closed, Michael Oehlhof, 2015-05-01)

Actions #1

Updated by Riccardo De Contardi almost 7 years ago

  • Status changed from New to Needs Feedback

I tried to reproduce the problem on 7.6.18 with the following test:

1) create an "editors" usergroup and an "editor" user; assign "editor" to "editors"
2) I gave "editors" full control on every table (Access Control List)
3) I created a page with the following permission

  • owner: admin (full)
  • group: editors
    • Show page: yes
    • Edit content: no
    • Edit page: yes
    • Delete page: no
    • New pages: no
  • everybody: no permission

4) switch user to editor > edit the page created at point 3
5) Tab "Resources"> Media > add relation

Result: I was able to add an image without error messages.

Do you think that this is sufficient, or should a different test be performed?

Actions #2

Updated by Thomas Imhof almost 7 years ago

Thanks for the feedback.

I have now tested the problem in a clean 7.6.19 and a clean 8.7.2 installation and I still have the same problem. But I have a slightly different setup for the users. My setup contains two editor users (+ admin):

1) Create two editor users "editor" and "page" and a usergroup "editor"
2) Both users have the group "editor"
3) The user "page" is the owner of the page
4) I work with the user "editor"
5) The group has the following permissions (screenshot)

  • owner: page
  • group: editor
    • Show page: yes
    • Edit content: no
    • Edit page: yes
    • Delete page: no
    • New pages: no

6) switch to editor
7) Edit the page, go to Tab "Resources"> Media
8) try to add a reference -> get a code 500 (screenshot)
9) Add image as admin
10) Try to edit the page property -> get permission error (screenshot)

I have now created an empty project just for this, and it is still the same.

Actions #3

Updated by Riccardo De Contardi almost 7 years ago

  • Status changed from Needs Feedback to New

Actions #4

Updated by Riccardo De Contardi almost 6 years ago

This issue is still reproducible on both 8.7.17 and 9.4-dev (latest master) with the setup listed in comment 2.

Actions #5

Updated by Riccardo De Contardi about 4 years ago

  • Parent task set to #90674

Actions #6

Updated by Christian Eßl about 4 years ago

  • Category set to Backend API

Actions #7

Updated by Christian Eßl about 4 years ago

Technically it's correct that the sys_file_reference can't be created, as it is seen as "Content". (For access permissions on a page, TYPO3 only distinguishes between "can edit page" and "can edit any other content".)
So I think the bug here is that the editor is allowed to upload media files here. The buttons for adding file references should be either removed or greyed out in case the editor is not allowed to edit content on the page.
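
The distinction discussed in this ticket, as an added example that is not part of any comment above and is not TYPO3's own code: a simplified PHP model of the page permission bitmask (show = 1, edit page = 2, delete page = 4, new pages = 8, edit content = 16) with the form control derived from the same predicate the server applies. The function names are hypothetical; table ACLs, admin status and the owner/group/everybody resolution are left out.

```php
<?php
declare(strict_types=1);

// Page permission bits as used by TYPO3 for the "perms_*" fields of a page.
const PAGE_SHOW = 1;
const PAGE_EDIT = 2;
const PAGE_DELETE = 4;
const PAGE_NEW = 8;
const CONTENT_EDIT = 16;

/**
 * Simplified model of the server-side check described in this ticket:
 * a record in "pages" needs PAGE_EDIT on the page itself, a record in
 * any other table needs CONTENT_EDIT on the page it is stored on.
 */
function mayEditRecord(string $table, int $pagePerms): bool
{
    $required = $table === 'pages' ? PAGE_EDIT : CONTENT_EDIT;
    return ($pagePerms & $required) === $required;
}

/**
 * Hypothetical UI helper: offer the "add relation" control of an inline
 * FAL field only if the child record would pass the same server check,
 * so the form never offers an action the backend will reject.
 */
function showAddRelationButton(string $childTable, int $pagePerms): bool
{
    return mayEditRecord($childTable, $pagePerms);
}

// Constructed sample: the group permissions from comment 2
// (show page: yes, edit page: yes, everything else: no).
$groupPerms = PAGE_SHOW | PAGE_EDIT;

$cases = [
    'edit pages record'       => mayEditRecord('pages', $groupPerms),
    'edit sys_file_reference' => mayEditRecord('sys_file_reference', $groupPerms),
    'show add-relation'       => showAddRelationButton('sys_file_reference', $groupPerms),
    'after CONTENT_EDIT'      => mayEditRecord('sys_file_reference', $groupPerms | CONTENT_EDIT),
];

foreach ($cases as $label => $allowed) {
    printf("%-24s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```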

Actions #8

Updated by Gerrit Code Review about 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63959

Actions #9

Updated by Gerrit Code Review almost 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63959

Actions #10

Updated by Gerrit Code Review almost 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63959

Actions #11

Updated by Riccardo De Contardi about 12 hours ago

This issue is still reproducible on 13.2.0-dev with the setup listed in comment 2, but I got an error snackbar message in the bottom right corner: "Error Undefined"
