Project

General

Profile

Actions

Bug #90878

closed

Editors with no page delete permissions can't delete content elements

Added by Christian Eßl over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
DataHandler aka TCEmain
Target version:
Start date:
2020-03-29
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
10
PHP Version:
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

Create an editor, that:
  • can edit any content
  • can't delete pages
Now go to either page or list module and try to delete a content element:
  • The page will reload.
  • The content is still there.

Cause of the problem appears to be this cleanup commit:
https://review.typo3.org/c/Packages/TYPO3.CMS/+/62763

This check:

if (!$noRecordCheck && !$this->doesRecordExist($table, $uid,'delete')) {

changed to:

if (!$noRecordCheck && !$this->doesRecordExist($table, $uid, Permission::PAGE_DELETE)) {

The cleanup commit message states, that 'delete' only stands for "delete page". But if you look at the content of the function DataHandler::recordInfoWithPermissionCheck() you can see, that the $perm 'delete' will automatically be converted to 'edit' or 'editcontent', if the tables is not 'pages'. (Yeah, this permissis stuff in here is pretty convoluted and dumb, but we are talking about DataHandler here)

So the changes made in the mentioned line above now always check for the page delete permissions and fail to fall back to the content element edit permissions, as it was previously done.


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Task #90019: Clean up Page Permission handling in DataHandlerClosedBenni Mack2019-12-27

Actions
Related to TYPO3 Core - Bug #91060: Non-admin Backend users cannot delete recordsClosed2020-04-16

Actions
Actions #1

Updated by Gerrit Code Review over 4 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63999

Actions #2

Updated by Christian Eßl over 4 years ago

  • Related to Task #90019: Clean up Page Permission handling in DataHandler added
Actions #3

Updated by Gerrit Code Review over 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63999

Actions #4

Updated by Gerrit Code Review over 4 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/63999

Actions #5

Updated by Christian Eßl over 4 years ago

  • Priority changed from Should have to Must have
  • Target version set to 10 LTS
Actions #6

Updated by Christian Eßl over 4 years ago

  • Related to Bug #91060: Non-admin Backend users cannot delete records added
Actions #7

Updated by Christian Eßl over 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #8

Updated by Benni Mack over 4 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF