[BUGFIX] Add permission checks to edit icons in filelist and context menu 01/32901/2
authorFranz Koch <typo3@elements-net.de>
Wed, 27 Aug 2014 20:39:10 +0000 (22:39 +0200)
committerStefan Neufeind <typo3.neufeind@speedpartner.de>
Sun, 21 Sep 2014 15:38:49 +0000 (17:38 +0200)
In the filelist as well as in context menus, the edit/info/cut/copy/paste
icons are always shown and are not disabled or removed when the related FAL
object does not allow these actions. These changes fix this.

Resolves: #61261
Releases: 6.2, 6.3
Change-Id: I318a1112e9ee3c2fda4db219364663c89161320c
Reviewed-on: http://review.typo3.org/32901
Reviewed-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tested-by: Stefan Neufeind <typo3.neufeind@speedpartner.de>
typo3/sysext/backend/Classes/ClickMenu/ClickMenu.php
typo3/sysext/filelist/Classes/FileList.php

index 30448a3..4daf4ca 100644 (file)
@@ -755,31 +755,31 @@ class ClickMenu {
                                );
                        }
                        // Edit
-                       if (!in_array('edit', $this->disabledItems)) {
-                               if (!$folder && !$isStorageRoot) {
+                       if (!in_array('edit', $this->disabledItems) && $fileObject->checkActionPermission('write')) {
+                               if (!$folder && !$isStorageRoot && $fileObject->isIndexed()) {
                                        $metaData = $fileObject->_getMetaData();
                                        $menuItems['edit2'] = $this->DB_edit('sys_file_metadata', $metaData['uid']);
                                }
-                               if (!$folder && GeneralUtility::inList($GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'], $fileObject->getExtension())) {
+                               if (!$folder && GeneralUtility::inList($GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'], $fileObject->getExtension()) && $fileObject->checkActionPermission('write')) {
                                        $menuItems['edit'] = $this->FILE_launch($identifier, 'file_edit.php', 'editcontent', 'edit_file.gif');
                                } elseif ($isStorageRoot && $userMayEditStorage) {
                                        $menuItems['edit'] = $this->DB_edit('sys_file_storage', $fileObject->getStorage()->getUid());
                                }
                        }
                        // Rename
-                       if (!in_array('rename', $this->disabledItems) && !$isStorageRoot) {
+                       if (!in_array('rename', $this->disabledItems) && !$isStorageRoot && $fileObject->checkActionPermission('rename')) {
                                $menuItems['rename'] = $this->FILE_launch($identifier, 'file_rename.php', 'rename', 'rename.gif');
                        }
                        // Upload
-                       if (!in_array('upload', $this->disabledItems) && $folder && $isOnline) {
+                       if (!in_array('upload', $this->disabledItems) && $folder && $isOnline && $fileObject->checkActionPermission('write')) {
                                $menuItems['upload'] = $this->FILE_upload($identifier);
                        }
                        // New
-                       if (!in_array('new', $this->disabledItems) && $folder && $isOnline) {
+                       if (!in_array('new', $this->disabledItems) && $folder && $isOnline && $fileObject->checkActionPermission('write')) {
                                $menuItems['new'] = $this->FILE_launch($identifier, 'file_newfolder.php', 'new', 'new_file.gif');
                        }
                        // Info
-                       if (!in_array('info', $this->disabledItems)) {
+                       if (!in_array('info', $this->disabledItems) && $fileObject->checkActionPermission('read')) {
                                if ($isStorageRoot && $userMayViewStorage) {
                                        $menuItems['info'] = $this->DB_info('sys_file_storage', $fileObject->getStorage()->getUid());
                                } elseif (!$folder) {
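Review bot: The inner text-file condition under `// Edit` repeats `$fileObject->checkActionPermission('write')`, which the enclosing `if` has already established, so the second call can be dropped. The new outer check also gates the `elseif ($isStorageRoot && $userMayEditStorage)` branch, so editing the `sys_file_storage` record now additionally depends on write permission on `$fileObject`. The Info item here and the Delete item in the hunk at -809 have the same shape with `read` and `delete`. If that coupling is not intended, the permission test belongs on the file/folder branches only, leaving the storage-root branch to `$userMayEditStorage` / `$userMayViewStorage`. These conditions only decide which items are rendered; the scripts the items launch (`file_edit.php`, `file_rename.php`, `file_newfolder.php`) are outside this diff and need to enforce the same permissions themselves.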
@@ -788,16 +788,16 @@ class ClickMenu {
                        }
                        $menuItems[] = 'spacer';
                        // Copy:
-                       if (!in_array('copy', $this->disabledItems) && !$isStorageRoot) {
+                       if (!in_array('copy', $this->disabledItems) && !$isStorageRoot && $fileObject->checkActionPermission('read')) {
                                $menuItems['copy'] = $this->FILE_copycut($identifier, 'copy');
                        }
                        // Cut:
-                       if (!in_array('cut', $this->disabledItems) && !$isStorageRoot) {
+                       if (!in_array('cut', $this->disabledItems) && !$isStorageRoot && $fileObject->checkActionPermission('move')) {
                                $menuItems['cut'] = $this->FILE_copycut($identifier, 'cut');
                        }
                        // Paste:
                        $elFromAllTables = count($this->clipObj->elFromTable('_FILE'));
-                       if (!in_array('paste', $this->disabledItems) && $elFromAllTables && $folder) {
+                       if (!in_array('paste', $this->disabledItems) && $elFromAllTables && $folder && $fileObject->checkActionPermission('write')) {
                                $elArr = $this->clipObj->elFromTable('_FILE');
                                $selItem = reset($elArr);
                                $elInfo = array(
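Review bot: The Copy item is gated on `checkActionPermission('read')` while Cut uses the dedicated `'move'` action, so the two neighbouring checks follow different conventions. If the resource layer distinguishes a separate `copy` action (not visible in this diff), `$fileObject->checkActionPermission('copy')` would keep the menu aligned with what the copy operation enforces later. Otherwise a short comment such as `// copying only requires read access to the source` would document the choice. The Paste condition checks only write access on the target folder; whether the clipboard elements themselves may be moved or copied is presumably left to the paste handler, which is outside the hunk.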
@@ -809,7 +809,7 @@ class ClickMenu {
                        }
                        $menuItems[] = 'spacer';
                        // Delete:
-                       if (!in_array('delete', $this->disabledItems)) {
+                       if (!in_array('delete', $this->disabledItems) && $fileObject->checkActionPermission('delete')) {
                                if ($isStorageRoot && $userMayEditStorage) {
                                        $elInfo = array(GeneralUtility::fixed_lgd_cs($fileObject->getStorage()->getName(), $GLOBALS['BE_USER']->uc['titleLen']));
                                        $menuItems['delete'] = $this->DB_delete('sys_file_storage', $fileObject->getStorage()->getUid(), $elInfo);
index f5f66ae..7b6530f 100644 (file)
@@ -226,7 +226,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                                $otherMarkers['PAGE_ICON'] = $GLOBALS['SOBE']->doc->wrapClickMenuOnIcon($otherMarkers['PAGE_ICON'], $folderObject->getCombinedIdentifier());
                        }
                        // Add paste button if clipboard is initialized
-                       if ($this->clipObj instanceof \TYPO3\CMS\Backend\Clipboard\Clipboard) {
+                       if ($this->clipObj instanceof \TYPO3\CMS\Backend\Clipboard\Clipboard && $folderObject->checkActionPermission('write')) {
                                $elFromTable = $this->clipObj->elFromTable('_FILE');
                                if (count($elFromTable)) {
                                        $buttons['PASTE'] = '<a href="' . htmlspecialchars($this->clipObj->pasteUrl('_FILE', $this->folderObject->getCombinedIdentifier())) . '" onclick="return ' . htmlspecialchars($this->clipObj->confirmMsg('_FILE', $this->path, 'into', $elFromTable)) . '" title="' . $GLOBALS['LANG']->getLL('clip_paste', TRUE) . '">' . IconUtility::getSpriteIcon('actions-document-paste-after') . '</a>';
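Review bot: The added permission test runs on the local `$folderObject`, but the paste URL two lines below is built from `$this->folderObject->getCombinedIdentifier()`. If the two ever refer to different folders, write permission is checked on one folder while the button targets another. The surrounding method is outside the hunk, so this may be the same object in practice. Using one reference for both, e.g. `$this->folderObject->checkActionPermission('write')` as the hunk at -344 does, removes the ambiguity.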
@@ -344,7 +344,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                                        $cells = array();
                                        $table = '_FILE';
                                        $elFromTable = $this->clipObj->elFromTable($table);
-                                       if (count($elFromTable)) {
+                                       if (count($elFromTable) && $this->folderObject->checkActionPermission('write')) {
                                                $cells[] = '<a href="' . htmlspecialchars($this->clipObj->pasteUrl('_FILE', $this->folderObject->getCombinedIdentifier())) . '" onclick="return ' . htmlspecialchars($this->clipObj->confirmMsg('_FILE', $this->path, 'into', $elFromTable)) . '" title="' . $GLOBALS['LANG']->getLL('clip_paste', 1) . '">' . IconUtility::getSpriteIcon('actions-document-paste-after') . '</a>';
                                        }
                                        if ($this->clipObj->current != 'normal' && $iOut) {
@@ -629,7 +629,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                                                        $theData[$field] = strtoupper($ext);
                                                        break;
                                                case 'tstamp':
-                                                       $theData[$field] = BackendUtility::date($fileObject->getProperty('modification_date'));
+                                                       $theData[$field] = BackendUtility::date($fileObject->getModificationTime());
                                                        break;
                                                case '_CLIPBOARD_':
                                                        $temp = '';
@@ -661,7 +661,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                                                                }
                                                        }
 
-                                                       if (!empty($systemLanguages)) {
+                                                       if (!empty($systemLanguages) && $fileObject->isIndexed() && $fileObject->checkActionPermission('write')) {
                                                                $metaDataRecord = $fileObject->_getMetaData();
                                                                $translations = $this->getTranslationsForMetaData($metaDataRecord);
                                                                $languageCode = '';
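Review bot: The extended condition has no comment explaining why `isIndexed()` and write permission are both required before the metadata translation links are built. The `_getMetaData()` call on the next line suggests the index check protects against files without a metadata record, and a one-line comment would make that explicit: `// translations need an indexed file (metadata record) and write access to it`. The write check is on the file object only; whether the user may edit `sys_file_metadata` records is not tested in the visible lines and is presumably handled where the edit link is resolved.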
@@ -771,6 +771,9 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
         * @todo Define visibility
         */
        public function makeClip($fileOrFolderObject) {
+               if (!$fileOrFolderObject->checkActionPermission('read')) {
+                       return '';
+               }
                $cells = array();
                $fullIdentifier = $fileOrFolderObject->getCombinedIdentifier();
                $md5 = GeneralUtility::shortmd5($fullIdentifier);
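Review bot: The early `return '';` for unreadable objects yields no markup at all, whereas the cut branch added later in `makeClip()` (hunk at -778) inserts `IconUtility::getSpriteIcon('empty-empty')` as a placeholder when an icon is suppressed. If the caller places the return value into a fixed column, the two approaches are inconsistent, though the caller is outside this diff. The docblock above, which starts outside the hunk, should also state that an empty string is returned when `read` permission is missing.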
@@ -778,7 +781,12 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                if ($this->clipObj->current == 'normal') {
                        $isSel = $this->clipObj->isSelected('_FILE', $md5);
                        $cells[] = '<a href="' . htmlspecialchars($this->clipObj->selUrlFile($fullIdentifier, 1, ($isSel == 'copy'))) . '">' . IconUtility::getSpriteIcon(('actions-edit-copy' . ($isSel == 'copy' ? '-release' : '')), array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:cm.copy', TRUE))) . '</a>';
-                       $cells[] = '<a href="' . htmlspecialchars($this->clipObj->selUrlFile($fullIdentifier, 0, ($isSel == 'cut'))) . '">' . IconUtility::getSpriteIcon(('actions-edit-cut' . ($isSel == 'cut' ? '-release' : '')), array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:cm.cut', TRUE))) . '</a>';
+                       // we can only cut if file can be moved
+                       if ($fileOrFolderObject->checkActionPermission('move')) {
+                               $cells[] = '<a href="' . htmlspecialchars($this->clipObj->selUrlFile($fullIdentifier, 0, ($isSel == 'cut'))) . '">' . IconUtility::getSpriteIcon(('actions-edit-cut' . ($isSel == 'cut' ? '-release' : '')), array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xlf:cm.cut', TRUE))) . '</a>';
+                       } else {
+                               $cells[] = IconUtility::getSpriteIcon('empty-empty');
+                       }
                } else {
                        // For numeric pads, add select checkboxes:
                        $n = '_FILE|' . $md5;
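Review bot: The `'move'` check is applied only in the `$this->clipObj->current == 'normal'` branch; the `else` branch for numeric pads still emits its selection control for every readable object, whatever its move permission. If a pad can later be used in a move mode (not visible here), the list would offer a selection that the normal clipboard hides. Either apply the same test when the pad is in that mode, or add a comment that pad selections are validated when the paste is executed. As with the other hunks, this only affects rendering, so the code that performs the move is where the permission actually has to be enforced.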
@@ -788,7 +796,7 @@ class FileList extends \TYPO3\CMS\Backend\RecordList\AbstractRecordList {
                }
                // Display PASTE button, if directory:
                $elFromTable = $this->clipObj->elFromTable('_FILE');
-               if (is_a($fileOrFolderObject, 'TYPO3\\CMS\\Core\\Resource\\Folder') && count($elFromTable)) {
+               if (is_a($fileOrFolderObject, 'TYPO3\\CMS\\Core\\Resource\\Folder') && count($elFromTable) && $fileOrFolderObject->checkActionPermission('write')) {
                        $cells[] = '<a href="' . htmlspecialchars($this->clipObj->pasteUrl('_FILE', $fullIdentifier)) . '" onclick="return ' . htmlspecialchars($this->clipObj->confirmMsg('_FILE', $fullIdentifier, 'into', $elFromTable)) . '" title="' . $GLOBALS['LANG']->getLL('clip_pasteInto', TRUE) . '">' . IconUtility::getSpriteIcon('actions-document-paste-into') . '</a>';
                }
                // Compile items into a DIV-element: