Epic #90674: Backend UI not reflecting permissions
Attempt to delete without permission - error message shows up, but action works
If an editor (non-admin) deletes a page in the page tree (e.g. via context menu), AND that page as at least 1 translation (alternative page language) and a translated element on it (see attachment), then the red flashMessage "1: Attempt to delete record without delete-permissions" (see attachment).
I have checked the "Access" Module: What we have set is a "770" for the pages (see attachment).
It does not matter if the editor has created the page (and translation) or an admin did that.
The reloaded page tree then shows that the page has been deleted anyways. But because of the error message, the editor thinks his action went wrong.
As mentioned in issue #30229 I must reopen this bug with this issue.
Thank you for taking care and regards
Ralf - merzilla
Updated by Jan Helke almost 3 years ago
We should first clarify the intended behaviour before doing anything. The issue here and the commit message indicates, that the indention is to remove the error message and let the editor do, what she want. In my opinion, a user, who ist not allowed to do a specific action should never be able to perform this action.
The User is allowed to edit pages and all affected languages -> The user can delete any translation or the default language page with all translations at once.
The User is allowed to edit only some languages -> The user is able to delete only the translations, he is permitted for. Any attempt to delete the default language page should be denied with a clear error message (e.g. "You can't delete this page, because you are not allowed to affect any content in Language 1, Language 2 and Language 3")
Updated by Stefanos Karasavvidis almost 3 years ago
As Jan already explains, the initial conditions (what access permissions should the user have to the page and to the content elements in it?) and the end result (user can delete the page and content having only delete permission on the page?) should be clarified.
In the initial bug report #30229 that the current ticket is based on, the user is the owner of the page. Is this still the case here?
Updated by Dominik Kempf over 2 years ago
Is there any news about this? I can confirm this behaviour in Typo3 8.7.24.
Same scenario as mentioned before, admin user does not get that error message. When a non-admin user deletes the page, he gets the error message 8x Times, depending on how many content elements are present on the page. If he deletes all the content elements the error message is not shown.
In both cases the page is still deleted.
This is a problem in our production site and the customer gets kind of unsecure with all that error messages.