Bug #87971
closed
Edit inline page title from default language possible with language restriction set
100%
Description
An editor has a language restriction set. The usergroup has no access to page (edit). If double click on page tree the change is blocked. If double click in oage view and "default" selected as language the changes are saved.
This breaks default titles, urls and many other things the editors should not be able to edit.
Tested in 7.6 and 8.7.
Updated by Oliver Hader over 5 years ago
- Project changed from TYPO3 Core to 1716
- Category deleted (
Backend User Interface)
Updated by Oliver Hader over 5 years ago
- Project changed from 1716 to TYPO3 Core
- Private changed from No to Yes
Updated by
Updated by Oliver Hader over 5 years ago
Could not reproduce security aspects here. In TYPO3 v7 I did not find any inline editing in page module (see initial report for TYPO3 v7 and v8). In TYPO3 v8 the error message is just not shown. Thus it looks like that works, but is actually not persisted...
Updated by Oliver Hader over 5 years ago
- Status changed from New to Needs Feedback
Updated by Oliver Hader over 5 years ago
Please double check, if not reproducible, it will be put back to public tracker to get SimpleDataHandlerController::processAjaxRequest fixed concerning prErr in order to show error messages...
Updated by Oliver Hader over 5 years ago
- Affected Version set to v7
Okay, I could now reproduce it in TYPO3 v7 (legacy, public branch), but still not in TYPO3 v8...
Updated by Oliver Hader over 5 years ago
Fixed with https://typo3.org/security/advisory/typo3-core-sa-2019-003/ for maintained versions at that time. Was fixed in TYPO3 v7 ELTS, see https://typo3.com/products/extended-support for details.
Updated by Oliver Hader over 5 years ago
@Felix Herrmann please make sure to update to recent TYPO3 v8 versions. For TYPO3 v7 please refer to my previous comment and the ELTS program of TYPO3 GmbH. Thx
Updated by Oliver Hader over 5 years ago
- Project changed from 1716 to TYPO3 Core
- Priority changed from Must have to Should have
- Target version deleted (
Release May 2019)
Updated by Gerrit Code Review over 5 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/60539
Updated by Oliver Hader over 5 years ago
- Category set to Backend User Interface
- Complexity set to easy
Updated by Oliver Hader over 5 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 1f5ce464c6215f755d5d798b0021d1ebf36526e7.
Updated by Andreas Kienast over 5 years ago
- Related to Bug #88309: Hiding pages in record list always fails added
Updated by Christoph Lehmann over 5 years ago
The change of line 253 to
if ($this->prErr || $this->prErr === null) {
actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35
$content['hasErrors']
becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)
Updated by Kai Strecker over 5 years ago
Christoph Lehmann wrote:
The change of line 253 to
[...]
actually breaks drag&drop of content elements with grid elements: https://gitlab.com/coderscare/gridelements/issues/35
[...]
becomes true and thus the page is not reloaded (typo3conf/ext/gridelements/Resources/Public/JavaScript/GridElementsDragDrop.js:310 @dev_8-7)
This also affects TYPO3 installations without gridelements installed.
Updated by Riccardo De Contardi over 5 years ago
- Related to Bug #88337: Edit pencil visible in page view when no user has no access added