Bug #90178
Status: open
Epic #90674: Backend UI not reflecting permissions
Page edit button in page module is not using BackendUserAuthentication::recordEditAccessInternals() for checking access permissions
Description
Both in the page and list module, the permission check that decides whether a record is editable (and whether an edit button should be shown) is handled in BackendUserAuthentication::recordEditAccessInternals().
This function has a convenient hook that makes it possible to apply your own access restrictions to some records.
However, there appears to be one place in the page module where this function is NOT used to check record access:
- The page edit button.
The permissions for this button are checked internally in PageLayoutView::getTable_tt_content().
I added a screenshot to make it clear which button is meant.
For consistency, this button should use BackendUserAuthentication::recordEditAccessInternals() as well, as is done in all other places where access permissions are checked.
Updated by Georg Ringer over 4 years ago
- Related to Bug #89240: "Edit page properties" icon is displayed, even if page editing is not allowed for user added
Updated by Garvin Hicking 6 days ago
- File Screenshot 2024-07-12 at 12.06.30.png Screenshot 2024-07-12 at 12.06.30.png added
- File Screenshot 2024-07-12 at 12.07.00.png Screenshot 2024-07-12 at 12.07.00.png added
For TYPO3v13, I've checked two places of this:

For language columns:
- typo3/sysext/backend/Resources/Private/Partials/PageLayout/LanguageColumns.html at line 32, referencing the Edit button via a condition on "{allowEditContent}".
- Set via typo3/sysext/backend/Classes/View/Drawing/BackendLayoutRenderer.php: $backendUser->check('tables_modify', 'tt_content')
- Screenshot: Screenshot 2024-07-12 at 12.06.30.png

Without language columns:
- typo3/sysext/backend/Resources/Private/Partials/PageLayout/Grid/ColumnHeader.html at line 5, referencing the Edit button via a condition on "{allowEditContent}".
- Also set via BackendLayoutRenderer, as above.
- Screenshot: Screenshot 2024-07-12 at 12.07.00.png

The check() method of typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php has a very general check in place:

```php
return isset($this->groupData[$type]) && ($this->isAdmin() || GeneralUtility::inList($this->groupData[$type], (string)$value));
```

I guess one could replace the check in BackendLayoutRenderer to operate with recordEditAccessInternals instead (or maybe even on top of it).
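As an added illustration of the "on top of it" variant discussed in the comment above (this is example code, not part of the issue or of TYPO3 core), the hypothetical helper below keeps the coarse table-level check('tables_modify', ...) that BackendLayoutRenderer uses today and then narrows it per record with recordEditAccessInternals(), so that page permissions and hook-based restrictions are honoured before an edit button is rendered. The class name EditButtonAccess, the method name canEdit and the usage context are assumptions; the two BackendUserAuthentication methods it calls are the ones named on this page.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 core code. EditButtonAccess is a hypothetical helper
// that a renderer could consult before setting a variable such as
// {allowEditContent} for a specific record.

use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;

final class EditButtonAccess
{
    public function __construct(private readonly BackendUserAuthentication $backendUser)
    {
    }

    /**
     * Decide whether an edit button may be shown for one record.
     *
     * @param string $table the table the record belongs to, e.g. 'pages' or 'tt_content'
     * @param array  $row   the full database row of the record (at least 'uid' and 'pid')
     */
    public function canEdit(string $table, array $row): bool
    {
        // Coarse check (what BackendLayoutRenderer does today): may this user
        // modify the table at all? Admins pass this implicitly, see check().
        if (!$this->backendUser->check('tables_modify', $table)) {
            return false;
        }

        // Fine-grained check for this particular record: page permissions,
        // language/workspace constraints and the recordEditAccessInternals hook.
        // A table-level "yes" no longer hides a record-level "no".
        return $this->backendUser->recordEditAccessInternals($table, $row);
    }
}

// Assumed usage inside a backend request where $GLOBALS['BE_USER'] is the
// authenticated backend user and $contentRow / $pageRow are fetched rows:
// $access           = new EditButtonAccess($GLOBALS['BE_USER']);
// $allowEditContent = $access->canEdit('tt_content', $contentRow);
// $allowEditPage    = $access->canEdit('pages', $pageRow);
```

Passing the full row rather than only the uid lets recordEditAccessInternals() evaluate language and page-tree fields without an extra database lookup, and it keeps the button decision identical to the one the list module already makes for the same record.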