[BUGFIX] Hide edit icon in list view 18/50218/2
authorNicole Cordes <typo3@cordes.co>
Sat, 16 Jul 2016 16:00:00 +0000 (18:00 +0200)
committerFrank Naegler <frank.naegler@typo3.org>
Thu, 13 Oct 2016 15:22:07 +0000 (17:22 +0200)
If a record is not editable for a user, the edit icon in the record
list should be hidden.

This patch changes the following behavior:

* all fields of a record are fetched to do further access checks
* a check if the user is able to edit that record is included
* space icon for the hidden icon is cleaned up

Resolves: #61560
Releases: master, 7.6
Change-Id: Iceaca60321e34f53ee994a82a5faa758c4b83768
Reviewed-on: https://review.typo3.org/50218
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
typo3/sysext/recordlist/Classes/RecordList/DatabaseRecordList.php

index 8747a1e..f897d2a 100644 (file)
@@ -644,12 +644,13 @@ class DatabaseRecordList extends AbstractDatabaseRecordList
             $this->firstElementNumber = $this->firstElementNumber - 2;
             $this->iLimit = $this->iLimit + 2;
             // (API function from TYPO3\CMS\Recordlist\RecordList\AbstractDatabaseRecordList)
-            $queryParts = $this->makeQueryArray($table, $id, $addWhere, $selFieldList);
+            $queryParts = $this->makeQueryArray($table, $id, $addWhere);
+
             $this->firstElementNumber = $this->firstElementNumber + 2;
             $this->iLimit = $this->iLimit - 2;
         } else {
             // (API function from TYPO3\CMS\Recordlist\RecordList\AbstractDatabaseRecordList)
-            $queryParts = $this->makeQueryArray($table, $id, $addWhere, $selFieldList);
+            $queryParts = $this->makeQueryArray($table, $id, $addWhere);
         }
 
         // Finding the total amount of records on the page
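Review bot: Both `makeQueryArray()` calls now drop the `$selFieldList` argument without a comment saying why, and the blank line added after the first call is stray. Going by the commit message, the full row is needed for the edit-access check added further down, so a line such as `// Fetch all fields: recordEditAccessInternals() needs the complete row` above each call would keep a later cleanup from narrowing the field list again. If the list were narrowed, that check would presumably run on incomplete rows and could mis-judge access. The enclosing method starts and ends outside the hunk.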
@@ -1412,7 +1413,8 @@ class DatabaseRecordList extends AbstractDatabaseRecordList
                      && $this->getBackendUserAuthentication()->checkLanguageAccess(0)
                      && $localCalcPerms & Permission::PAGE_EDIT
                      || $table !== 'pages'
-                        && $this->calcPerms & Permission::CONTENT_EDIT;
+                        && $this->calcPerms & Permission::CONTENT_EDIT
+                        && $this->getBackendUserAuthentication()->recordEditAccessInternals($table, $row);
         $permsEdit = $this->overlayEditLockPermissions($table, $row, $permsEdit);
         // "Show" link (only pages and tt_content elements)
         if ($table == 'pages' || $table == 'tt_content') {
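Review bot: The added `recordEditAccessInternals($table, $row)` term binds only to the `$table !== 'pages'` alternative, because `&&` has higher precedence than `||`, so rows of the `pages` table never pass through it. If that is intended (the pages alternative has its own `checkLanguageAccess(0)` test and `overlayEditLockPermissions()` follows), parenthesise each side of the `||` and the bitwise tests so the grouping is explicit, e.g. `|| ($table !== 'pages' && ($this->calcPerms & Permission::CONTENT_EDIT) && $this->getBackendUserAuthentication()->recordEditAccessInternals($table, $row))`. `$permsEdit` appears to control only which icons are rendered, so the same access check should also be enforced where the edit request is processed; that code is not visible here. The assignment begins above the hunk.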
@@ -1531,11 +1533,11 @@ class DatabaseRecordList extends AbstractDatabaseRecordList
             $hiddenField = $GLOBALS['TCA'][$table]['ctrl']['enablecolumns']['disabled'];
 
             if (
-                $permsEdit && $hiddenField && $GLOBALS['TCA'][$table]['columns'][$hiddenField]
-                && (!$GLOBALS['TCA'][$table]['columns'][$hiddenField]['exclude']
+                !empty($GLOBALS['TCA'][$table]['columns'][$hiddenField])
+                && (empty($GLOBALS['TCA'][$table]['columns'][$hiddenField]['exclude'])
                     || $this->getBackendUserAuthentication()->check('non_exclude_fields', $table . ':' . $hiddenField))
             ) {
-                if ($this->isRecordCurrentBackendUser($table, $row)) {
+                if (!$permsEdit || $this->isRecordCurrentBackendUser($table, $row)) {
                     $hideAction = $this->spaceIcon;
                 } else {
                     $hideTitle = $this->getLanguageService()->getLL('hide' . ($table == 'pages' ? 'Page' : ''), true);
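Review bot: With the `$hiddenField &&` guard dropped from the outer condition, a table that has no `disabled` enable-column reaches `$GLOBALS['TCA'][$table]['columns'][$hiddenField]` with a null key, which PHP casts to `''`. `empty()` hides that, but keeping the guard states the intent: `$hiddenField && !empty($GLOBALS['TCA'][$table]['columns'][$hiddenField])`. Moving `$permsEdit` into the inner test means a user without edit rights now gets `$this->spaceIcon` where the block was previously skipped, so a comment like `// No edit permission or own user record: render a spacer to keep the columns aligned` would document the change. The `else` branch continues past the end of the hunk.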