Bug #96215
open
since v10 displayCond HIDE_FOR_NON_ADMINS ignores these fields in custom DataHandler calls even when bypassAccessCheckForRecords is enabled
Added by S P almost 3 years ago.
Updated 5 months ago.
Category: DataHandler aka TCEmain
Description
The solution for #87100 changed the DataHandler to respect HIDE_FOR_NON_ADMINS when building the excludedTablesAndFields array.
We have a field that is configured this way:
- exclude => true (to hide them for non-admin)
- we give editors edit permission to these fields (so that editor-induced editing works via script-induced DataHandler calls, for the subset of editors that have the edit rights for these fields)
- HIDE_FOR_NON_ADMINS to not show these fields in regular list/edit module, but only make them available in our custom module
Because: we have a custom Backend Module for editors to edit these fields in a controlled distraction-free way.
This does not work on v10 anymore because of the now-respected HIDE_FOR_NON_ADMINS.
This is a breaking change that was not documented at all.
When setting explicitly $dataHandler->bypassAccessCheckForRecords = true; then I expect that the access checks are bypassed completely. The new behaviour adds access restrictions that are not "by-passable" by bypassAccessCheckForRecords.
Important: the setting is called "HIDE for", not "RESTRICT for" and is just a displayCond (conditional display, not conditional access).
The change is this:
https://github.com/TYPO3/typo3/commit/8828edaebff3436577d5c1e88b1a8402a4927e7b
The check was added to AbstractItemProvider AND DataHandler. However HIDE_FOR_NON_ADMINS is only a displayCond, no actual user/group/database access restriction and thus must be ignored by DataHandler.
I suggest that either this gets reverted or that bypassAccessCheckForRecords gets respected more widely.
- Related to Feature #87100: Remove checkbox "Restrict editing for non-Admins" in Allowed excludefields for pages table in be_group added
To make it more clear:
My fields are exclude => true but my editors have granted access to the field in their groups.
My editors have no access via db_mountpoints to the location of the datasets (can't access in page tree), but my custom tree-independent BE module uses bypassAccessCheckForRecords = true.
In my custom script the editors thus have field-access and location access. But display condition HIDE_FOR_NON_ADMINS now (as of #87100) acts as a hard access blocker which I can not circumvent in any case (not even with bypassAccessCheckForRecords = true).
I work around this like this:
- remove displayCond => HIDE_FOR_NON_ADMINS
- remove the fields from showitem
- add exclude => false
This makes my custom BE module work again for editors, BUT admins can not see the fields anymore in the regular edit panel (which is a real nuisance)!
A displayCond must not implicitly impose a permission check.
See also #93276, where field values are not duplicated for editors. Not sure how to handle that currently.
- Related to Bug #93276: pagetsconfig not transferred to translation target added
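Added example, not TYPO3 core code and not part of the report: a simplified standalone model of the field filtering described above. It compares the exclude list an editor gets when HIDE_FOR_NON_ADMINS is display-only with the list when it is also applied on write. The table, field and function names (tx_demo_item, internal_note, teaser, buildExcludeList, filterRow) and the sample data are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed TCA excerpt: one field configured as in the report, one plain exclude field.
$tca = ['tx_demo_item' => ['columns' => [
    'internal_note' => ['exclude' => true, 'displayCond' => 'HIDE_FOR_NON_ADMINS'],
    'teaser'        => ['exclude' => true],
]]];
// Constructed editor: not an admin, both fields granted through the group's allowed exclude fields.
$editor = ['isAdmin' => false, 'allowedExcludeFields' => ['tx_demo_item:internal_note', 'tx_demo_item:teaser']];

// Model of the "table-field" list a write layer uses to drop fields from incoming data.
// $displayCondBlocksWrite = true models the behaviour the report describes since v10.
function buildExcludeList(array $tca, array $user, bool $displayCondBlocksWrite): array
{
    if ($user['isAdmin']) {
        return []; // admins are never restricted
    }
    $list = [];
    foreach ($tca as $table => $tableConfig) {
        foreach ($tableConfig['columns'] ?? [] as $field => $config) {
            $isExclude = (bool)($config['exclude'] ?? false);
            $granted = in_array($table . ':' . $field, $user['allowedExcludeFields'], true);
            $hidden = ($config['displayCond'] ?? '') === 'HIDE_FOR_NON_ADMINS';
            if (($isExclude && !$granted) || ($displayCondBlocksWrite && $hidden)) {
                $list[] = $table . '-' . $field;
            }
        }
    }
    return $list;
}

// Drops excluded fields from a submitted row. No record-level bypass flag is consulted here,
// which is the situation the report describes for bypassAccessCheckForRecords.
function filterRow(string $table, array $row, array $excludeList): array
{
    return array_filter(
        $row,
        static fn(string $field): bool => !in_array($table . '-' . $field, $excludeList, true),
        ARRAY_FILTER_USE_KEY
    );
}

$row = ['internal_note' => 'reviewed', 'teaser' => 'Hello'];
foreach ([false, true] as $mode) {
    $kept = filterRow('tx_demo_item', $row, buildExcludeList($tca, $editor, $mode));
    printf("displayCond blocks write: %s -> fields written: %s\n", var_export($mode, true), implode(', ', array_keys($kept)));
}
```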