since v10 displayCond HIDE_FOR_NON_ADMINS ignores these fields in custom DataHandler calls even when bypassAccessCheckForRecords is enabled
The solution for #87100 changed the DataHandler to respect
HIDE_FOR_NON_ADMINS when building the
exclude => true(to hide them for non-admin)
- we give editors edit permission to these fields (so that editor-induced editing works via script-induced DataaHndler calls, for the subset of editors that have the edit rights for these fields)
HIDE_FOR_NON_ADMINSto not show these fields in regular list/edit module, but only make them available in our custom module
Because: we have a custom Backend Module for editors to edit these fields in a controlled distraction-free way.
This does not work on v10 anymore becasue of the now-respected
This is a breaking change that was not documented at all.
When setting explicitly
$dataHandler->bypassAccessCheckForRecords = true; then I expect that the access checks are bypassed completly. The new behaviour adds access restriction that are not "by-passable" by
Important: the setting is called "HIDE for", not "RESTRICT for" and is just a
displayCond (conditional display , not conditonal access )..
The change is this:
The check was added to AbstractItemProvider AND DataHandler. However
HIDE_FOR_NON_ADMINS is onyl a
displayCond, no actualk user/group/database access restriction and thus must be ignored by DataHandler.
I suggest that either thsi gets reverted or that
bypassAccessCheckForRecords gets respected more widely.
To make it more clear:
My fields are
exclude => true but my editors have granted access to the field in their groups.
My editors have no access via
db_mountpoints to the location of the datasets (can't access in page tree), but my custom tree-independent BE module uses
bypassAccessCheckForRecords = true.
In my custom script the editors thus have field-access and location access. But display condition
HIDE_FOR_NON_ADMINS now (as of #87100) acts as a hard access blocker which I can not circumvent in any case (not even with
bypassAccessCheckForRecords = true).
displayCond => HIDE_FOR_NON_ADMINS
- remove the fields from
exclude => false
This makes my custom BE module work again for editors, BUT admins can not see the fields anymore in the regular edit panel (which is a real nuisance)!
A displayCond must not implcitly impose a permission check.