Bug #90878

closed

Editors with no page delete permissions can't delete content elements

Added by Christian Eßl over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: DataHandler aka TCEmain
Target version:
Start date: 2020-03-29
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

Create an editor that:
  • can edit any content
  • can't delete pages
Now go to either page or list module and try to delete a content element:
  • The page will reload.
  • The content is still there.

Cause of the problem appears to be this cleanup commit:
https://review.typo3.org/c/Packages/TYPO3.CMS/+/62763

This check:

if (!$noRecordCheck && !$this->doesRecordExist($table, $uid,'delete')) {

changed to:

if (!$noRecordCheck && !$this->doesRecordExist($table, $uid, Permission::PAGE_DELETE)) {

The cleanup commit message states that 'delete' only stands for "delete page". But if you look at the content of the function DataHandler::recordInfoWithPermissionCheck() you can see that the $perm 'delete' will automatically be converted to 'edit' or 'editcontent' if the table is not 'pages'. (Yeah, this permission stuff in here is pretty convoluted and dumb, but we are talking about DataHandler here)

So the changes made in the mentioned line above now always check for the page delete permissions and fail to fall back to the content element edit permissions, as it was previously done.
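
The regression described above, as an added PHP sketch (not TYPO3 core code and not part of the original report): the constant values mirror TYPO3's `Permission` class, while `resolvePermission()`, `mayDelete()` and the editor's permission mask are hypothetical and model only the 'editcontent' fallback.

```php
<?php
declare(strict_types=1);

// Bit values mirror TYPO3's Permission class. Everything else here is a
// simplified model constructed for this example, not DataHandler code.
const PAGE_SHOW = 1;
const PAGE_EDIT = 2;
const PAGE_DELETE = 4;
const PAGE_NEW = 8;
const CONTENT_EDIT = 16;

/**
 * Hypothetical model of the legacy lookup: string permissions are resolved
 * per table, integer bitmasks are taken literally.
 *
 * @param int|string $perm
 */
function resolvePermission(string $table, $perm): int
{
    if (is_int($perm)) {
        return $perm; // no per-table fallback for integer masks
    }
    if ($table !== 'pages') {
        return CONTENT_EDIT; // 'edit', 'delete', 'new' on a record => 'editcontent'
    }
    $pageMap = ['edit' => PAGE_EDIT, 'delete' => PAGE_DELETE, 'new' => PAGE_NEW];
    if (!isset($pageMap[$perm])) {
        throw new InvalidArgumentException('Unknown permission: ' . $perm);
    }
    return $pageMap[$perm];
}

/** @param int|string $perm */
function mayDelete(string $table, $perm, int $grantedOnPage): bool
{
    $required = resolvePermission($table, $perm);
    return ($grantedOnPage & $required) === $required;
}

// Constructed editor from the report: may edit content, may not delete pages.
$editor = PAGE_SHOW | PAGE_EDIT | CONTENT_EDIT;

foreach (['tt_content', 'pages'] as $table) {
    $before = mayDelete($table, 'delete', $editor);     // string form
    $after = mayDelete($table, PAGE_DELETE, $editor);   // constant form
    printf("%-10s before=%s after=%s%s\n", $table, var_export($before, true),
        var_export($after, true), $before === $after ? '' : '  <- behaviour changed');
}
```

Only the non-`pages` row differs between the two forms, which is the case a regression test for this kind of permission cleanup has to cover.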


Related issues 2 (0 open, 2 closed)

  • Related to TYPO3 Core - Task #90019: Clean up Page Permission handling in DataHandler (Closed, Benni Mack, 2019-12-27)
  • Related to TYPO3 Core - Bug #91060: Non-admin Backend users cannot delete records (Closed, 2020-04-16)