Bug #85099

Epic #90674: Backend UI not reflecting permissions

Attempt to delete without permission - error message shows up, but action works

Added by Ralf Merz over 2 years ago. Updated 9 months ago.

Status: On Hold
Priority: Must have
Assignee: -
Category: Pagetree
Target version: -
Start date: 2018-05-28
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version: 7.0
Tags: #30229
Complexity:
Is Regression:
Sprint Focus:

Description

Hi,

I have to note that issue #30229 is still not solved completely.
https://forge.typo3.org/issues/30229

If an editor (non-admin) deletes a page in the page tree (e.g. via context menu), AND that page has at least 1 translation (alternative page language) and a translated element on it (see attachment), then the red flashMessage "1: Attempt to delete record without delete-permissions" appears (see attachment).
I have checked the "Access" Module: What we have set is a "770" for the pages (see attachment).
It does not matter if the editor has created the page (and translation) or an admin did that.

The reloaded page tree then shows that the page has been deleted anyways. But because of the error message, the editor thinks his action went wrong.

TYPO3 8.7.15

As mentioned in issue #30229 I must reopen this bug with this issue.

Thank you for taking care and regards
Ralf - merzilla


Files

Bildschirmfoto 2018-05-28 um 16.31.15.png (8.94 KB), Error Message, Ralf Merz, 2018-05-28 16:38
Bildschirmfoto 2018-05-28 um 16.30.48.png (51.5 KB), Translated page, Ralf Merz, 2018-05-28 16:38
Bildschirmfoto 2018-05-28 um 16.34.03.png (15.6 KB), Access Rights, Ralf Merz, 2018-05-28 16:38

Related issues

Related to TYPO3 Core - Bug #30229: Error when deleting a Page with translation (Closed, 2011-09-23)

#1

Updated by Ralf Merz over 2 years ago

  • Related to Bug #30229: Error when deleting a Page with translation added
#2

Updated by Riccardo De Contardi over 2 years ago

  • Category set to Pagetree
#3

Updated by ondro no-lastname-given over 2 years ago

Can confirm, same behaviour with TYPO3 v8.7.11

#4

Updated by Susanne Moog about 2 years ago

  • Sprint Focus set to On Location Sprint
#5

Updated by Nicolai Schirawski about 2 years ago

I can confirm the bug for TYPO3 8.7.20-dev

In TYPO3 9.5.1-dev the editor gets warned about the pending deletions before action is taken. After that, no error message is shown - but: The page tree doesn't reload.

#6

Updated by Gerrit Code Review about 2 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58728

#7

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58728

#8

Updated by Jan Helke almost 2 years ago

We should first clarify the intended behaviour before doing anything. The issue here and the commit message indicate that the intention is to remove the error message and let the editor do what she wants. In my opinion, a user who is not allowed to do a specific action should never be able to perform this action.

So:

The User is allowed to edit pages and all affected languages -> The user can delete any translation or the default language page with all translations at once.
The User is allowed to edit only some languages -> The user is able to delete only the translations he is permitted for. Any attempt to delete the default language page should be denied with a clear error message (e.g. "You can't delete this page, because you are not allowed to affect any content in Language 1, Language 2 and Language 3").
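
The all-or-nothing rule proposed in comment #8, sketched as an added example (not part of the ticket thread and not TYPO3 core code): every record the page deletion would touch is checked first, and nothing is deleted unless all checks pass. The function name, the record layout and the language uids are assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 core code. All names here are hypothetical.

/**
 * Plan a page deletion as one unit: check every affected record against the
 * editor's allowed languages before anything is deleted.
 *
 * @param array $records       constructed rows: ['table', 'uid', 'language']
 * @param int[] $allowedLangs  language uids the editor may modify
 * @param bool  $mayDeletePage outcome of the page-level delete permission check
 * @return array ['allowed' => bool, 'message' => string, 'delete' => array]
 */
function planPageDeletion(array $records, array $allowedLangs, bool $mayDeletePage): array
{
    if (!$mayDeletePage) {
        return ['allowed' => false, 'message' => 'No delete permission on this page.', 'delete' => []];
    }
    $blocked = [];
    foreach ($records as $record) {
        if (!in_array($record['language'], $allowedLangs, true)) {
            $blocked[$record['language']] = true; // remember each denied language once
        }
    }
    if ($blocked !== []) {
        $langs = array_keys($blocked);
        sort($langs);
        return [
            'allowed' => false,
            'message' => "You can't delete this page, because you are not allowed to "
                . 'affect any content in language ' . implode(', ', $langs),
            'delete' => [], // deny as a whole: no partial deletion, no stray error
        ];
    }
    return ['allowed' => true, 'message' => '', 'delete' => $records];
}

// Constructed sample: default-language page, one translation, one translated element.
$records = [
    ['table' => 'pages', 'uid' => 10, 'language' => 0],
    ['table' => 'pages_language_overlay', 'uid' => 11, 'language' => 1],
    ['table' => 'tt_content', 'uid' => 42, 'language' => 1],
];
foreach ([[0, 1], [0]] as $allowedLangs) {
    $plan = planPageDeletion($records, $allowedLangs, true);
    echo $plan['allowed']
        ? 'delete ' . count($plan['delete']) . " records\n"
        : 'denied: ' . $plan['message'] . "\n";
}
```

The point of the sketch is the ordering: the decision is made over the full set of affected records, so the message shown to the editor and the outcome in the page tree cannot disagree.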

#9

Updated by Gerrit Code Review almost 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58728

#10

Updated by Stefanos Karasavvidis almost 2 years ago

As Jan already explains, the initial conditions (what access permissions should the user have to the page and to the content elements in it?) and the end result (user can delete the page and content having only delete permission on the page?) should be clarified.

In the initial bug report #30229 that the current ticket is based on, the user is the owner of the page. Is this still the case here?

#11

Updated by Dominik Kempf over 1 year ago

Is there any news about this? I can confirm this behaviour in TYPO3 8.7.24.

Same scenario as mentioned before, admin user does not get that error message. When a non-admin user deletes the page, he gets the error message 8 times, depending on how many content elements are present on the page. If he deletes all the content elements the error message is not shown.

In both cases the page is still deleted.

This is a problem in our production site and the customer gets kind of insecure with all those error messages.

#12

Updated by Daniel Goerz about 1 year ago

  • Status changed from Under Review to On Hold

Putting the issue on hold for now as the intended behaviour is unclear at this point. The patch may later be reopened after clarification.

#13

Updated by Susanne Moog 11 months ago

  • Sprint Focus deleted (On Location Sprint)
#14

Updated by Riccardo De Contardi 9 months ago

  • Parent task set to #90674
