Bug #96215

since v10 displayCond HIDE_FOR_NON_ADMINS ignores these fields in custom DataHandler calls even when bypassAccessCheckForRecords is enabled

Added by Stefan P 6 months ago. Updated 6 months ago.

Status: New
Priority: Should have
Assignee: -
Category: DataHandler aka TCEmain
Target version: -
Start date: 2021-12-03
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression: Yes
Sprint Focus:

Description

The solution for #87100 changed the DataHandler to respect HIDE_FOR_NON_ADMINS when building the excludedTablesAndFields array.

We have a field that is configured this way:
  • exclude => true (to hide them for non-admin)
  • we give editors edit permission to these fields (so that editor-induced editing works via script-induced DataHandler calls, for the subset of editors that have the edit rights for these fields)
  • HIDE_FOR_NON_ADMINS to not show these fields in regular list/edit module, but only make them available in our custom module

Because: we have a custom Backend Module for editors to edit these fields in a controlled distraction-free way.

This does not work on v10 anymore because of the now-respected HIDE_FOR_NON_ADMINS.

This is a breaking change that was not documented at all.

When setting explicitly $dataHandler->bypassAccessCheckForRecords = true; then I expect that the access checks are bypassed completely. The new behaviour adds access restrictions that are not "by-passable" by bypassAccessCheckForRecords.

Important: the setting is called "HIDE for", not "RESTRICT for" and is just a displayCond (conditional display, not conditional access).


Related issues

Related to TYPO3 Core - Feature #87100: Remove checkbox "Restrict editing for non-Admins" in Allowed excludefields for pages table in be_group Closed 2018-12-07

#1

Updated by Stefan P 6 months ago

The change is this:

https://github.com/TYPO3/typo3/commit/8828edaebff3436577d5c1e88b1a8402a4927e7b

The check was added to AbstractItemProvider AND DataHandler. However HIDE_FOR_NON_ADMINS is only a displayCond, no actual user/group/database access restriction and thus must be ignored by DataHandler.

I suggest that either this gets reverted or that bypassAccessCheckForRecords gets respected more widely.

#2

Updated by Stefan P 6 months ago

  • Related to Feature #87100: Remove checkbox "Restrict editing for non-Admins" in Allowed excludefields for pages table in be_group added
#3

Updated by Stefan P 6 months ago

To make it more clear:

My fields are exclude => true but my editors have granted access to the field in their groups.

My editors have no access via db_mountpoints to the location of the datasets (can't access in page tree), but my custom tree-independent BE module uses bypassAccessCheckForRecords = true.

In my custom script the editors thus have field-access and location access. But display condition HIDE_FOR_NON_ADMINS now (as of #87100) acts as a hard access blocker which I can not circumvent in any case (not even with bypassAccessCheckForRecords = true).

I work around this like this:
  • remove displayCond => HIDE_FOR_NON_ADMINS
  • remove the fields from showitem
  • add exclude => false

This makes my custom BE module work again for editors, BUT admins can not see the fields anymore in the regular edit panel (which is a real nuisance)!

A displayCond must not implicitly impose a permission check.
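As an added illustration (not code from this report or from TYPO3 core) of the setup in the description and in comment #3: the exclude field with displayCond HIDE_FOR_NON_ADMINS, and the custom-module DataHandler call that sets bypassAccessCheckForRecords. Table tx_example_record, field internal_note and the function saveInternalNote() are made-up names; the function re-reads the record afterwards so a field that DataHandler dropped is detected rather than assumed written.

```php
<?php
// Added example, not part of the bug report or of TYPO3 core.
// Table/field/function names are hypothetical.
declare(strict_types=1);

use TYPO3\CMS\Backend\Utility\BackendUtility;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\Utility\GeneralUtility;

// TCA as described in the report: an exclude field (editors need it granted
// in their be_groups) that the ordinary edit form hides from non-admins.
// The displayCond is meant as a display rule only, not as an access rule.
$GLOBALS['TCA']['tx_example_record']['columns']['internal_note'] = [
    'exclude' => true,
    'displayCond' => 'HIDE_FOR_NON_ADMINS',
    'label' => 'Internal note',
    'config' => ['type' => 'input', 'size' => 50],
];

/**
 * Action of a custom backend module (hypothetical). The editor has the
 * exclude field granted but no DB mount on the record's page, so the
 * module relies on bypassAccessCheckForRecords for the record/page check.
 * Returns whether the value actually reached the database plus any
 * DataHandler errors, because a field removed by the displayCond-based
 * exclusion may be skipped without an explicit error.
 */
function saveInternalNote(int $uid, string $note): array
{
    $data = [
        'tx_example_record' => [
            $uid => ['internal_note' => $note],
        ],
    ];

    $dataHandler = GeneralUtility::makeInstance(DataHandler::class);
    $dataHandler->bypassAccessCheckForRecords = true;
    $dataHandler->start($data, []);
    $dataHandler->process_datamap();

    // Do not trust the call: re-read the row and compare with the request.
    $row = BackendUtility::getRecord('tx_example_record', $uid, 'internal_note');
    $written = is_array($row) && ($row['internal_note'] ?? null) === $note;

    return [
        'written' => $written,
        'errors' => $dataHandler->errorLog,
    ];
}
```

If `written` is false while `errors` is empty, the field was silently filtered out of the datamap, which is the v10 behaviour the report describes.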
