Added feature #5203: Add file operation permissions for back-end user groups (thanks...
authorOliver Hader <oliver.hader@typo3.org>
Sat, 20 Dec 2008 17:32:31 +0000 (17:32 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Sat, 20 Dec 2008 17:32:31 +0000 (17:32 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@4579 709f56b5-9817-0410-a4d7-c38de5d9e867

16 files changed:
ChangeLog
NEWS.txt
t3lib/class.t3lib_extfilefunc.php
t3lib/class.t3lib_userauthgroup.php
t3lib/stddb/tables.php
t3lib/stddb/tables.sql
t3lib/stddb/tbl_be.php
typo3/file_list.php
typo3/sysext/impexp/app/index.php
typo3/sysext/impexp/class.tx_impexp.php
typo3/sysext/install/mod/class.tx_install.php
typo3/sysext/lang/locallang_csh_be_groups.xml
typo3/sysext/lang/locallang_csh_be_users.xml
typo3/sysext/lang/locallang_tca.xml
typo3/sysext/lowlevel/clmods/class.rte_images.php
typo3/tce_file.php

index 3ee36a5..7a2fa9a 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2008-12-20  Oliver Hader  <oliver@typo3.org>
 
        * Follow-up to feature #5835: Fix formatting and remove superfluous wrap in tslib_content::wrapSpace()
+       * Added feature #5203: Add file operation permissions for back-end user groups (thanks to Christian Kuhn)
 
 2008-12-19  Steffen Kamper  <info@sk-typo3.de>
 
index b9cb934..0fa6c90 100644 (file)
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -24,6 +24,14 @@ Backend
        * The TypoScript editor "t3editor" was enhanced with code-completion. Now you get
          context-sensitive suggestions about possible properties while entering TypoScript.
 
+       * The permissions on file operations can now be set on a per-group basis. New back-end
+         users now don't have any file permissions by default, since this has moved to back-end
+         user groups and will apply automatically for each new group being created.
+         The default settings for new groups are the following:
+               + Move, delete, rename and create new directories
+               + Upload, copy, move, delete and rename files
+               + Unzip files
+
 Frontend
 ========
 
index d3b5bcd..105ee8d 100755 (executable)
@@ -175,9 +175,9 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
 
        /**
         * Sets up permission to perform file/directory operations.
-        * See below or the be_user-table for the significanse of the various bits in $setup ($BE_USER->user['fileoper_perms'])
+        * See below or the be_user-table for the significance of the various bits in $setup.
         *
-        * @param       integer         File permission integer from BE_USER object.
+        * @param       integer         File permission integer from BE_USER OR'ed with permissions of back-end groups this user is a member of
         * @return      void
         */
        function init_actionPerms($setup)       {
index f05a34f..7e1149c 100755 (executable)
@@ -149,6 +149,7 @@ class t3lib_userAuthGroup extends t3lib_userAuth {
        var $dataLists=array(                           // Used internally to accumulate data for the user-group. DONT USE THIS EXTERNALLY! Use $this->groupData instead
                'webmount_list'=>'',
                'filemount_list'=>'',
+               'fileoper_perms' => 0,
                'modList'=>'',
                'tables_select'=>'',
                'tables_modify'=>'',
@@ -1013,6 +1014,23 @@ class t3lib_userAuthGroup extends t3lib_userAuth {
        }
 
        /**
+        * Returns an integer bitmask that represents the permissions for file operations.
+        * Permissions of the user and groups the user is a member of were combined by a logical OR.
+        *
+        * Meaning of each bit:
+        *      1 - Files: Upload,Copy,Move,Delete,Rename
+        *      2 - Files: Unzip
+        *      4 - Directory: Move,Delete,Rename,New
+        *      8 - Directory: Copy
+        *      16 - Directory: Delete recursively (rm -Rf)
+        *
+        * @return      integer         File operation permission bitmask
+        */
+       public function getFileoperationPermissions() {
+               return $this->groupData['fileoper_perms'];
+       }
+
+       /**
         * Returns true or false, depending if an alert popup (a javascript confirmation) should be shown
         * call like $GLOBALS['BE_USER']->jsConfirmation($BITMASK)
         *
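Review bot: `getFileoperationPermissions()` returns `$this->groupData['fileoper_perms']` unchanged, with no special case for admin accounts, while both installer hunks in typo3/sysext/install/mod/class.tx_install.php now create the admin user with `'fileoper_perms' => 0`. Unless `init_actionPerms()` or its callers grant admins full rights somewhere not visible here, a freshly installed admin that belongs to no group ends up with no file operation rights at all. Consider returning the full mask for admins, e.g. `if ($this->isAdmin()) { return 31; }` before the existing return, and stating that in the docblock. The docblock's description of bit 1 also differs from the new `be_groups.fileoper_perms_general` label, which additionally lists "New,Edit".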
@@ -1072,6 +1090,7 @@ class t3lib_userAuthGroup extends t3lib_userAuth {
                        $this->dataLists['workspace_perms'] = $this->user['workspace_perms'];                                   // Set user value for workspace permissions.
                        $this->dataLists['webmount_list'] = $this->user['db_mountpoints'];              // Database mountpoints
                        $this->dataLists['filemount_list'] = $this->user['file_mountpoints'];   // File mountpoints
+                       $this->dataLists['fileoper_perms'] = (int)$this->user['fileoper_perms'];        // Fileoperation permissions
 
                                // Setting default User TSconfig:
                        $this->TSdataArray[]=$this->addTScomment('From $GLOBALS["TYPO3_CONF_VARS"]["BE"]["defaultUserTSconfig"]:').
@@ -1161,6 +1180,7 @@ class t3lib_userAuthGroup extends t3lib_userAuth {
                        $this->groupData['allowed_languages'] = t3lib_div::uniqueList($this->dataLists['allowed_languages']);
                        $this->groupData['custom_options'] = t3lib_div::uniqueList($this->dataLists['custom_options']);
                        $this->groupData['modules'] = t3lib_div::uniqueList($this->dataLists['modList']);
+                       $this->groupData['fileoper_perms'] = $this->dataLists['fileoper_perms'];
                        $this->groupData['workspace_perms'] = $this->dataLists['workspace_perms'];
 
                                // populating the $this->userGroupsUID -array with the groups in the order in which they were LAST included.!!
@@ -1265,6 +1285,9 @@ class t3lib_userAuthGroup extends t3lib_userAuth {
                                        $this->dataLists['custom_options'].= ','.$row['custom_options'];
                                }
 
+                               // Setting fileoperation permissions
+                               $this->dataLists['fileoper_perms'] |= (int)$row['fileoper_perms'];
+
                                        // Setting workspace permissions:
                                $this->dataLists['workspace_perms'] |= $row['workspace_perms'];
 
index f3c372a..78275bd 100755 (executable)
@@ -316,7 +316,7 @@ $TCA['be_groups'] = array(
                        'disabled' => 'hidden'
                ),
                'title' => 'LLL:EXT:lang/locallang_tca.php:be_groups',
-               'useColumnsForDefaultValues' => 'lockToDomain',
+               'useColumnsForDefaultValues' => 'lockToDomain, fileoper_perms',
                'dividers2tabs' => true,
                'dynamicConfigFile' => 'T3LIB:tbl_be.php',
                'versioningWS_alwaysAllowLiveEdit' => TRUE
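Review bot: Listing `fileoper_perms` in `useColumnsForDefaultValues` means a new be_groups record created after an existing one takes this field from that previous record instead of from the TCA default, if that ctrl key behaves as I understand it. A group created after one that has the "Directory: Delete recursively" bit set would then silently start with that bit too, which is not the default set described in NEWS.txt. If that inheritance is not intended, keep the line as `'useColumnsForDefaultValues' => 'lockToDomain',`; if it is intended, a comment next to the key should say so. The `$TCA['be_groups']` ctrl array starts and ends outside the hunk.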
index 1105f49..ceeb4a0 100755 (executable)
@@ -22,6 +22,7 @@ CREATE TABLE be_groups (
   cruser_id int(11) unsigned DEFAULT '0' NOT NULL,
   groupMods text,
   file_mountpoints varchar(255) DEFAULT '' NOT NULL,
+  fileoper_perms tinyint(4) DEFAULT '0' NOT NULL,
   hidden tinyint(1) unsigned DEFAULT '0' NOT NULL,
   inc_access_lists tinyint(3) unsigned DEFAULT '0' NOT NULL,
   description text,
index ed98097..ee93e3a 100755 (executable)
@@ -240,7 +240,7 @@ $TCA['be_users'] = array(
                                        array('LLL:EXT:lang/locallang_tca.xml:be_users.fileoper_perms_diroper_perms_copy', 0),
                                        array('LLL:EXT:lang/locallang_tca.xml:be_users.fileoper_perms_diroper_perms_delete', 0),
                                ),
-                               'default' => '7'
+                               'default' => '0'
                        )
                ),
                'workspace_perms' => array(
@@ -420,7 +420,7 @@ $TCA['be_users'] = array(
 $TCA['be_groups'] = array(
        'ctrl' => $TCA['be_groups']['ctrl'],
        'interface' => array(
-               'showRecordFieldList' => 'title,db_mountpoints,file_mountpoints,inc_access_lists,tables_select,tables_modify,pagetypes_select,non_exclude_fields,groupMods,lockToDomain,description'
+               'showRecordFieldList' => 'title, db_mountpoints, file_mountpoints, fileoper_perms, inc_access_lists, tables_select, tables_modify, pagetypes_select, non_exclude_fields, groupMods, lockToDomain, description'
        ),
        'columns' => array(
                'title' => array(
@@ -490,6 +490,20 @@ $TCA['be_groups'] = array(
                                )
                        )
                ),
+               'fileoper_perms' => array(
+                       'label' => 'LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms',
+                       'config' => array(
+                               'type' => 'check',
+                               'items' => array(
+                                       array('LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms_general', 0),
+                                       array('LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms_unzip', 0),
+                                       array('LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms_diroper_perms', 0),
+                                       array('LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms_diroper_perms_copy', 0),
+                                       array('LLL:EXT:lang/locallang_tca.xml:be_groups.fileoper_perms_diroper_perms_delete', 0),
+                               ),
+                               'default' => '7'
+                       )
+               ),
                'workspace_perms' => array(
                        'label' => 'LLL:EXT:lang/locallang_tca.xml:workspace_perms',
                        'config' => array(
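Review bot: `'default' => '7'` makes every newly created group grant file upload/copy/move/delete/rename, unzip and directory move/delete/rename. Because group values are OR'ed into the user's mask in t3lib_userAuthGroup, membership in any one such group is enough to get these rights. Groups that exist only to carry access lists or mounts will hand them out unless an admin remembers to untick the boxes. A least-privilege default would be `'default' => '0'`; if 7 is kept for compatibility, a comment such as `// 7 = bits 1+2+4, mirrors the former be_users default` would make the choice explicit. The `columns` array continues outside the hunk.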
@@ -663,8 +677,18 @@ $TCA['be_groups'] = array(
                )
        ),
        'types' => array(
-               '0' => array('showitem' => 'hidden;;;;1-1-1, title;;;;2-2-2,description, subgroup;;;;3-3-3, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.base_rights, inc_access_lists;;;;1-1-1, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.mounts_and_workspaces, db_mountpoints;;;;1-1-1,file_mountpoints, workspace_perms;;;;2-2-2, , --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.options, lockToDomain;;;;1-1-1, hide_in_lists;;;;2-2-2, TSconfig;;;;3-3-3, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.extended'),
-               '1' => array('showitem' => 'hidden;;;;1-1-1, title;;;;2-2-2,description, subgroup;;;;3-3-3, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.base_rights, inc_access_lists;;;;1-1-1, groupMods, tables_select, tables_modify, pagetypes_select, non_exclude_fields, explicit_allowdeny , allowed_languages;;;;2-2-2, custom_options;;;;3-3-3, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.mounts_and_workspaces, db_mountpoints;;;;1-1-1,file_mountpoints, workspace_perms;;;;2-2-2, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.options, lockToDomain;;;;1-1-1, hide_in_lists;;;;2-2-2, TSconfig;;;;3-3-3, --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.extended')
+               '0' => array('showitem' => 'hidden;;;;1-1-1, title;;;;2-2-2, description, subgroup;;;;3-3-3,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.base_rights, inc_access_lists;;;;1-1-1,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.mounts_and_workspaces, workspace_perms;;;;1-1-1, db_mountpoints;;;;2-2-2, file_mountpoints;;;;3-3-3, fileoper_perms,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.options, lockToDomain;;;;1-1-1, hide_in_lists;;;;2-2-2, TSconfig;;;;3-3-3,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.extended'
+               ),
+               '1' => array('showitem' => 'hidden;;;;1-1-1, title;;;;2-2-2, description, subgroup;;;;3-3-3,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.base_rights, inc_access_lists;;;;1-1-1, groupMods, tables_select, tables_modify, pagetypes_select, non_exclude_fields, explicit_allowdeny , allowed_languages;;;;2-2-2, custom_options;;;;3-3-3,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.mounts_and_workspaces, workspace_perms;;;;1-1-1, db_mountpoints;;;;2-2-2, file_mountpoints;;;;3-3-3, fileoper_perms,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.options, lockToDomain;;;;1-1-1, hide_in_lists;;;;2-2-2, TSconfig;;;;3-3-3,
+                       --div--;LLL:EXT:lang/locallang_tca.xml:be_groups.tabs.extended'
+               )
        )
 );
 
index f5faa1e..8b7fdca 100755 (executable)
@@ -207,7 +207,7 @@ class SC_file_list {
                                                // Init file processing object for deleting and pass the cmd array.
                                        $fileProcessor = t3lib_div::makeInstance('t3lib_extFileFunctions');
                                        $fileProcessor->init($FILEMOUNTS, $TYPO3_CONF_VARS['BE']['fileExtensions']);
-                                       $fileProcessor->init_actionPerms($BE_USER->user['fileoper_perms']);
+                                       $fileProcessor->init_actionPerms($GLOBALS['BE_USER']->getFileoperationPermissions());
                                        $fileProcessor->dontCheckForUnique = $this->overwriteExistingFiles ? 1 : 0;
                                        $fileProcessor->start($FILE);
                                        $fileProcessor->processData();
index d8ce2f7..dfd36cb 100755 (executable)
@@ -1595,7 +1595,7 @@ class SC_mod_tools_log_index extends t3lib_SCbase {
                        // Initializing:
                $this->fileProcessor = t3lib_div::makeInstance('t3lib_extFileFunctions');
                $this->fileProcessor->init($FILEMOUNTS, $TYPO3_CONF_VARS['BE']['fileExtensions']);
-               $this->fileProcessor->init_actionPerms($BE_USER->user['fileoper_perms']);
+               $this->fileProcessor->init_actionPerms($GLOBALS['BE_USER']->getFileoperationPermissions());
                $this->fileProcessor->dontCheckForUnique = t3lib_div::_GP('overwriteExistingFiles') ? 1 : 0;
 
                        // Checking referer / executing:
index 9c833ac..930f5b4 100755 (executable)
@@ -3279,14 +3279,11 @@ class tx_impexp {
         * @return      object          File processor object
         */
        function &getFileProcObj()      {
-               global $FILEMOUNTS, $TYPO3_CONF_VARS, $BE_USER;
-
                if (!is_object($this->fileProcObj))     {
                        $this->fileProcObj = t3lib_div::makeInstance('t3lib_extFileFunctions');
-                       $this->fileProcObj->init($FILEMOUNTS, $TYPO3_CONF_VARS['BE']['fileExtensions']);
-                       $this->fileProcObj->init_actionPerms($BE_USER->user['fileoper_perms']);
+                       $this->fileProcObj->init($GLOBALS['FILEMOUNTS'], $GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']);
+                       $this->fileProcObj->init_actionPerms($GLOBALS['BE_USER']->getFileoperationPermissions());
                }
-
                return $this->fileProcObj;
        }
 
@@ -3329,4 +3326,4 @@ class tx_impexp {
 if (defined('TYPO3_MODE') && $TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/impexp/class.tx_impexp.php']) {
        include_once($TYPO3_CONF_VARS[TYPO3_MODE]['XCLASS']['ext/impexp/class.tx_impexp.php']);
 }
-?>
\ No newline at end of file
+?>
index d53b7aa..23a4f7b 100755 (executable)
@@ -3684,7 +3684,7 @@ From sub-directory:
                                                                                'password' => md5($pass),
                                                                                'admin' => 1,
                                                                                'uc' => '',
-                                                                               'fileoper_perms' => 7,
+                                                                               'fileoper_perms' => 0,
                                                                                'tstamp' => time(),
                                                                                'crdate' => time()
                                                                        );
@@ -3802,7 +3802,7 @@ From sub-directory:
                                                                                'password' => md5($pass),
                                                                                'admin' => 1,
                                                                                'uc' => '',
-                                                                               'fileoper_perms' => 7,
+                                                                               'fileoper_perms' => 0,
                                                                                'tstamp' => time(),
                                                                                'crdate' => time()
                                                                        );
index 6e684ae..f38eb13 100755 (executable)
@@ -55,6 +55,13 @@ In the Filemount record you define whether the path should be absolute (must be
 This is the page tree of the &quot;admin&quot; user. Notice the folder &quot;user_upload&quot; which is the folder referred to by the File Mount record.
 This shows the mounted folder as seen by a user who was member of the group.
 Filemount records are also created in the page tree root.</label>
+                       <label index="fileoper_perms.description">Select file operation permissions for the group members.</label>
+                       <label index="fileoper_perms.details">These settings relate to the functions found in the File&gt;Filelist module as well as general upload of files.
+                       
+&lt;strong&gt;Notice&lt;/strong&gt; that these settings apply to all members of this group and extend the users permissions accordingly.</label>
+                       <label index="_fileoper_perms.seeAlso">be_groups:file_mountpoints,
+be_users:file_mountpoints,
+be_users:fileoper_perms</label>
                        <label index="pagetypes_select.description">Select which 'Types' of Pages the members may set.</label>
                        <label index="pagetypes_select.details">This option limits the number of valid choices for the user when he is about to select a page type.
 Choice of Page types (doktype) for a page is associated with a) a special icon for the page, b) permitted tables on the page (see $PAGES_TYPES global variable) and c) if the page is a web page or &quot;system folder&quot; type.</label>
@@ -153,4 +160,4 @@ If a user has no languages listed all together it simply means that he can edit
                        <label index="custom_options.image_descr">This is just an example from an internal test application. It shows how checkboxes are added by a custom module under its own header. You can also show a description text with each checkbox to explain its function.</label>
                </languageKey>
        </data>
-</T3locallang>
\ No newline at end of file
+</T3locallang>
index 58396c2..3dd9387 100755 (executable)
@@ -103,8 +103,11 @@ If you don't check these options, you must make sure the mount points for the pa
                        <label index="_options.seeAlso">be_users:db_mountpoints,
 be_users:file_mountpoints</label>
                        <label index="fileoper_perms.description">Select file operation permissions for the user.</label>
-                       <label index="fileoper_perms.details">These settings relates to the functions found in the File&gt;List module as well as general upload of files.</label>
-                       <label index="_fileoper_perms.seeAlso">be_users:file_mountpoints</label>
+                       <label index="fileoper_perms.details">These settings relate to the functions found in the File&gt;List module as well as general upload of files.
+
+&lt;strong&gt;Notice&lt;/strong&gt; that backend user groups also have file operation permissions which automatically apply to the user if he's member of an accordant group. So if you want a group of users share identical file operation permissions, you should probably define them in a backend user group instead.</label>
+                       <label index="_fileoper_perms.seeAlso">be_users:file_mountpoints,
+be_group:fileoper_perms</label>
                        <label index="starttime.description">Enter the date from which the account is active.</label>
                        <label index="_starttime.seeAlso">be_users:disable,
 be_users:endtime,
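Review bot: The added seeAlso entry `be_group:fileoper_perms` names a table `be_group`, but the table is `be_groups` everywhere else in this commit, for example `be_groups:file_mountpoints` in locallang_csh_be_groups.xml. The cross-reference will probably not resolve, so the entry should read `be_groups:fileoper_perms`.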
index 518f0c7..b5cfd1e 100755 (executable)
                        <label index="be_groups.subgroup">Sub Groups:</label>
                        <label index="be_groups.tabs.base_rights">Access Lists</label>
                        <label index="be_groups.tabs.mounts_and_workspaces">Mounts and Workspaces</label>
+                       <label index="be_groups.fileoper_perms">Fileoperation permissions:</label>
+                       <label index="be_groups.fileoper_perms_general">Files: Upload,Copy,Move,Delete,Rename,New,Edit</label>
+                       <label index="be_groups.fileoper_perms_unzip">Files: Unzip</label>
+                       <label index="be_groups.fileoper_perms_diroper_perms">Directory: Move,Delete,Rename,New</label>
+                       <label index="be_groups.fileoper_perms_diroper_perms_copy">Directory: Copy</label>
+                       <label index="be_groups.fileoper_perms_diroper_perms_delete">Directory: Delete recursively (rm -Rf)</label>
                        <label index="be_groups.tabs.options">Options</label>
                        <label index="be_groups.tabs.extended">Extended</label>
                        <label index="sys_filemounts.tabs.users">Users</label>
index fef2299..dc03bca 100644 (file)
@@ -297,16 +297,13 @@ Reports problems with RTE images';
         * @return      object          File processor object
         */
        function &getFileProcObj()      {
-               global $FILEMOUNTS, $TYPO3_CONF_VARS, $BE_USER;
-
                if (!is_object($this->fileProcObj))     {
                        $this->fileProcObj = t3lib_div::makeInstance('t3lib_extFileFunctions');
-                       $this->fileProcObj->init($FILEMOUNTS, $TYPO3_CONF_VARS['BE']['fileExtensions']);
-                       $this->fileProcObj->init_actionPerms($BE_USER->user['fileoper_perms']);
+                       $this->fileProcObj->init($GLOBALS['FILEMOUNTS'], $GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']);
+                       $this->fileProcObj->init_actionPerms($GLOBALS['BE_USER']->getFileoperationPermissions());
                }
-
                return $this->fileProcObj;
        }
 }
 
-?>
\ No newline at end of file
+?>
index 93244f7..b0328c5 100755 (executable)
@@ -141,7 +141,7 @@ class SC_tce_file {
                        // Initializing:
                $this->fileProcessor = t3lib_div::makeInstance('t3lib_extFileFunctions');
                $this->fileProcessor->init($FILEMOUNTS, $TYPO3_CONF_VARS['BE']['fileExtensions']);
-               $this->fileProcessor->init_actionPerms($BE_USER->user['fileoper_perms']);
+               $this->fileProcessor->init_actionPerms($GLOBALS['BE_USER']->getFileoperationPermissions());
                $this->fileProcessor->dontCheckForUnique = $this->overwriteExistingFiles ? 1 : 0;
 
                        // Checking referer / executing: