Project

General

Profile

Actions

Bug #87971

closed

Edit inline page title from default language possible with language restriction set

Added by Felix Herrmann about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
Backend User Interface
Target version:
-
Start date:
2019-03-20
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
easy
Is Regression:
Sprint Focus:

Description

An editor has a language restriction set. The usergroup has no access to page (edit). If double click on page tree the change is blocked. If double click in oage view and "default" selected as language the changes are saved.

This breaks default titles, urls and many other things the editors should not be able to edit.

Tested in 7.6 and 8.7.


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #88309: Hiding pages in record list always failsClosedAndreas Kienast2019-05-08

Actions
Related to TYPO3 Core - Bug #88337: Edit pencil visible in page view when no user has no accessClosed2019-05-13

Actions
Actions #1

Updated by Oliver Hader about 5 years ago

  • Project changed from TYPO3 Core to 1716
  • Category deleted (Backend User Interface)
Actions #2

Updated by Oliver Hader about 5 years ago

  • Project changed from 1716 to TYPO3 Core
  • Private changed from No to Yes
Actions #3

Updated by Benni Mack about 5 years ago

  • Project changed from TYPO3 Core to 1716
Actions #4

Updated by Benni Mack almost 5 years ago

  • Private changed from Yes to No
Actions #5

Updated by Benni Mack almost 5 years ago

  • Assignee set to Benni Mack
Actions #6

Updated by Benni Mack almost 5 years ago

  • Target version set to Release May 2019
Actions #7

Updated by Oliver Hader almost 5 years ago

Could not reproduce security aspects here. In TYPO3 v7 I did not find any inline editing in page module (see initial report for TYPO3 v7 and v8). In TYPO3 v8 the error message is just not shown. Thus it looks like that works, but is actually not persisted...

Actions #8

Updated by Oliver Hader almost 5 years ago

  • Assignee deleted (Benni Mack)
Actions #9

Updated by Oliver Hader almost 5 years ago

  • Status changed from New to Needs Feedback
Actions #10

Updated by Oliver Hader almost 5 years ago

Please double check, if not reproducible, it will be put back to public tracker to get SimpleDataHandlerController::processAjaxRequest fixed concerning prErr in order to show error messages...

Actions #11

Updated by Oliver Hader almost 5 years ago

  • Affected Version set to v7

Okay, I could now reproduce it in TYPO3 v7 (legacy, public branch), but still not in TYPO3 v8...

Actions #13

Updated by Oliver Hader almost 5 years ago

Fixed with https://typo3.org/security/advisory/typo3-core-sa-2019-003/ for maintained versions at that time. Was fixed in TYPO3 v7 ELTS, see https://typo3.com/products/extended-support for details.

Actions #14

Updated by Oliver Hader almost 5 years ago

@Felix Herrmann please make sure to update to recent TYPO3 v8 versions. For TYPO3 v7 please refer to my previous comment and the ELTS program of TYPO3 GmbH. Thx

Actions #15

Updated by Oliver Hader almost 5 years ago

  • Project changed from 1716 to TYPO3 Core
  • Priority changed from Must have to Should have
  • Target version deleted (Release May 2019)
Actions #16

Updated by Gerrit Code Review almost 5 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/60539

Actions #17

Updated by Oliver Hader almost 5 years ago

  • TYPO3 Version changed from 7 to 8
Actions #18

Updated by Oliver Hader almost 5 years ago

  • Category set to Backend User Interface
  • Complexity set to easy
Actions #19

Updated by Oliver Hader almost 5 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #20

Updated by Benni Mack almost 5 years ago

  • Status changed from Resolved to Closed
Actions #21

Updated by Andreas Kienast almost 5 years ago

  • Related to Bug #88309: Hiding pages in record list always fails added
Actions #22

Updated by Christoph Lehmann almost 5 years ago

The change of line 253 to

if ($this->prErr || $this->prErr === null) {

actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35

 $content['hasErrors']

becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)

Actions #23

Updated by Kai Strecker almost 5 years ago

Christoph Lehmann wrote:

The change of line 253 to

[...]

actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35

[...]

becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)

This also affects TYPO3 installations without gridelements installed.

Actions #24

Updated by Riccardo De Contardi almost 5 years ago

  • Related to Bug #88337: Edit pencil visible in page view when no user has no access added
Actions

Also available in: Atom PDF