Bug #85099
open
Epic #90674: Backend UI not reflecting permissions
Attempt to delete without permission - error message shows up, but action works
Added by Ralf Merz over 6 years ago.
Updated over 4 years ago.
Description
Hi,
I have to note that issue #30229 is still not solved completely.
https://forge.typo3.org/issues/30229
If an editor (non-admin) deletes a page in the page tree (e.g. via context menu), AND that page has at least 1 translation (alternative page language) and a translated element on it (see attachment), then the red flashMessage "1: Attempt to delete record without delete-permissions" shows up (see attachment).
I have checked the "Access" Module: What we have set is a "770" for the pages (see attachment).
It does not matter if the editor has created the page (and translation) or an admin did that.
The reloaded page tree then shows that the page has been deleted anyway. But because of the error message, the editor thinks his action went wrong.
TYPO3 8.7.15
As mentioned in issue #30229 I must reopen this bug with this issue.
Thank you for taking care and regards
Ralf - merzilla
- Related to Bug #30229: Error when deleting a Page with translation added
Can confirm, same behaviour with TYPO3 v8.7.11
- Sprint Focus set to On Location Sprint
I can confirm the bug for TYPO3 8.7.20-dev
In TYPO3 9.5.1-dev the editor gets warned about the pending deletions before action is taken. After that, no error message is shown - but: The page tree doesn't reload.
- Status changed from New to Under Review
We should first clarify the intended behaviour before doing anything. The issue here and the commit message indicate that the intention is to remove the error message and let the editor do what she wants. In my opinion, a user who is not allowed to do a specific action should never be able to perform this action.
So:
The User is allowed to edit pages and all affected languages -> The user can delete any translation or the default language page with all translations at once.
The User is allowed to edit only some languages -> The user is able to delete only the translations he is permitted for. Any attempt to delete the default language page should be denied with a clear error message (e.g. "You can't delete this page, because you are not allowed to affect any content in Language 1, Language 2 and Language 3")
As Jan already explains, the initial conditions (what access permissions should the user have to the page and to the content elements in it?) and the end result (user can delete the page and content having only delete permission on the page?) should be clarified.
In the initial bug report #30229 that the current ticket is based on, the user is the owner of the page. Is this still the case here?
Is there any news about this? I can confirm this behaviour in TYPO3 8.7.24.
Same scenario as mentioned before, admin user does not get that error message. When a non-admin user deletes the page, he gets the error message 8 times, depending on how many content elements are present on the page. If he deletes all the content elements the error message is not shown.
In both cases the page is still deleted.
This is a problem in our production site and the customer gets kind of insecure with all those error messages.
- Status changed from Under Review to On Hold
Putting the issue on hold for now as the intended behaviour is unclear at this point. The patch may later be reopened after clarification.
- Sprint Focus deleted (On Location Sprint)
- Parent task set to #90674