Bug #87971

Edit inline page title from default language possible with language restriction set

Added by Felix Herrmann 5 months ago. Updated 3 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Backend User Interface
Target version: -
Start date: 2019-03-20
Due date:
% Done: 100%
TYPO3 Version: 8
PHP Version:
Tags:
Complexity: easy
Is Regression:
Sprint Focus:

Description

An editor has a language restriction set. The usergroup has no access to page (edit). If you double-click in the page tree, the change is blocked. If you double-click in the page view and "default" is selected as language, the changes are saved.

This breaks default titles, URLs and many other things the editors should not be able to edit.

Tested in 7.6 and 8.7.


Related issues

Related to TYPO3 Core - Bug #88309: Hiding pages in record list always fails Closed 2019-05-08
Related to TYPO3 Core - Bug #88337: Edit pencil visible in page view when no user has no access Under Review 2019-05-13

Associated revisions

Revision 1f5ce464 (diff)
Added by Oliver Hader 3 months ago

[BUGFIX] Show error messages for AJAX editing actions in page/list module

In case an error occurred (due to missing permission) when editing content
in page or list module, those messages have not been visualized to users.

Resolves: #87971
Releases: 8.7
Change-Id: I331a1e82bc9282a53a4839947fa9cf4d4248b56c
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60539
Tested-by: TYPO3com <>
Tested-by: Markus Klein <>
Tested-by: Benni Mack <>
Reviewed-by: Markus Klein <>
Reviewed-by: Oliver Klee <>
Reviewed-by: Benni Mack <>

Revision 82429eb0 (diff)
Added by Andreas Fernandez 3 months ago

[BUGFIX] Set `hasErrors` depending on existing errors

The bugfix for #87971 assumes that every request hitting
SimpleDataHandlerController without setting `prErr` explicitly is
erroneous. This assumption is not correct per se, thus this patch now
checks DataHandler's error log whether there is really an error.

Resolves: #88309
Related: #87971
Releases: 8.7
Change-Id: I788111b520505cfc7e8950ee09f23ddd783eab5f
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60721
Tested-by: TYPO3com <>
Tested-by: Christoph Lehmann <>
Tested-by: Markus Klein <>
Tested-by: Oliver Hader <>
Reviewed-by: Christoph Lehmann <>
Reviewed-by: Markus Klein <>
Reviewed-by: Oliver Hader <>

History

#1 Updated by Oliver Hader 5 months ago

  • Project changed from TYPO3 Core to Core Security
  • Category deleted (Backend User Interface)

#2 Updated by Oliver Hader 5 months ago

  • Project changed from Core Security to TYPO3 Core
  • Private changed from No to Yes

#3 Updated by Benni Mack 5 months ago

  • Project changed from TYPO3 Core to Core Security

#4 Updated by Benni Mack 4 months ago

  • Private changed from Yes to No

#5 Updated by Benni Mack 4 months ago

  • Assignee set to Benni Mack

#6 Updated by Benni Mack 4 months ago

  • Target version set to Release May 2019

#7 Updated by Oliver Hader 4 months ago

Could not reproduce security aspects here. In TYPO3 v7 I did not find any inline editing in page module (see initial report for TYPO3 v7 and v8). In TYPO3 v8 the error message is just not shown. Thus it looks like it works, but it is actually not persisted...

#8 Updated by Oliver Hader 4 months ago

  • Assignee deleted (Benni Mack)

#9 Updated by Oliver Hader 4 months ago

  • Status changed from New to Needs Feedback

#10 Updated by Oliver Hader 4 months ago

Please double check, if not reproducible, it will be put back to public tracker to get SimpleDataHandlerController::processAjaxRequest fixed concerning prErr in order to show error messages...

#11 Updated by Oliver Hader 4 months ago

  • Affected Version set to v7

Okay, I could now reproduce it in TYPO3 v7 (legacy, public branch), but still not in TYPO3 v8...

#13 Updated by Oliver Hader 4 months ago

Fixed with https://typo3.org/security/advisory/typo3-core-sa-2019-003/ for maintained versions at that time. Was fixed in TYPO3 v7 ELTS, see https://typo3.com/products/extended-support for details.

#14 Updated by Oliver Hader 4 months ago

@Felix Herrmann please make sure to update to recent TYPO3 v8 versions. For TYPO3 v7 please refer to my previous comment and the ELTS program of TYPO3 GmbH. Thx

#15 Updated by Oliver Hader 4 months ago

  • Project changed from Core Security to TYPO3 Core
  • Priority changed from Must have to Should have
  • Target version deleted (Release May 2019)

#16 Updated by Gerrit Code Review 4 months ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/60539

#17 Updated by Oliver Hader 4 months ago

  • TYPO3 Version changed from 7 to 8

#18 Updated by Oliver Hader 4 months ago

  • Category set to Backend User Interface
  • Complexity set to easy

#19 Updated by Oliver Hader 3 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#20 Updated by Benni Mack 3 months ago

  • Status changed from Resolved to Closed

#21 Updated by Andreas Fernandez 3 months ago

  • Related to Bug #88309: Hiding pages in record list always fails added

#22 Updated by Christoph Lehmann 3 months ago

The change of line 253 to

if ($this->prErr || $this->prErr === null) {

actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35

 $content['hasErrors']

becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)

#23 Updated by Kai Strecker 3 months ago

Christoph Lehmann wrote:

The change of line 253 to

[...]

actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35

[...]

becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)

This also affects TYPO3 installations without gridelements installed.
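
The two ways of deriving `hasErrors` that comment #22 and revision 82429eb0 discuss, compared side by side as an added example (a simplified PHP model, not TYPO3 code and not part of the original thread). The function names, the error text and the sample requests are hypothetical; `$prErr` models the optional request flag and `$errorLog` the entries the data handler logged.

```php
<?php
declare(strict_types=1);

// Simplified model, not TYPO3 code. $prErr is the optional request flag
// (null when the client did not send it); $errorLog holds the error
// entries collected while the request was processed.

// Decision quoted in comment #22: a missing flag is treated as an error.
function hasErrorsFromFlag(?bool $prErr): bool
{
    return $prErr || $prErr === null;
}

// Decision described in revision 82429eb0: report only what was logged.
function hasErrorsFromLog(array $errorLog): bool
{
    return count($errorLog) > 0;
}

// Constructed sample requests: [flag sent by client, logged errors].
$denied = ['constructed: editing the default language is not permitted'];
$requests = [
    'drag&drop move, flag not sent, no error' => [null, []],
    'denied title edit, flag not sent'        => [null, $denied],
    'denied title edit, flag sent as true'    => [true, $denied],
    'denied title edit, flag sent as false'   => [false, $denied],
    'allowed edit, flag sent as false'        => [false, []],
];

// Print both decisions per request so the disagreements are visible:
// the flag-based check reports an error for a successful move that sent
// no flag, and reports none for a denied edit that sent the flag as false.
foreach ($requests as $label => [$prErr, $errorLog]) {
    printf(
        "%-40s flag-based=%-5s log-based=%s\n",
        $label,
        var_export(hasErrorsFromFlag($prErr), true),
        var_export(hasErrorsFromLog($errorLog), true)
    );
}
```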

#24 Updated by Riccardo De Contardi 3 months ago

  • Related to Bug #88337: Edit pencil visible in page view when no user has no access added
