[BUGFIX] Editor see records without permissions on table
authorMichael Klapper <klapper@aoemedia.de>
Thu, 9 Jun 2011 13:06:49 +0000 (15:06 +0200)
committerMichael Klapper <klapper@aoemedia.de>
Fri, 10 Jun 2011 08:55:01 +0000 (10:55 +0200)
Change-Id: I55b8eed9a7b475040b6f842e9d8c94e60191c896
Resolves: #27325
Release: 4.6, 4.5

typo3/sysext/workspaces/Classes/Service/GridData.php
typo3/sysext/workspaces/Classes/Service/Workspaces.php

index 3c63c69..536d88d 100644 (file)
@@ -99,6 +99,7 @@ class tx_Workspaces_Service_GridData {
 
                        foreach ($versions as $table => $records) {
                                $versionArray = array('table' => $table);
+                               $isRecordTypeAllowedToModify = $GLOBALS['BE_USER']->check('tables_modify', $table);
 
                                foreach ($records as $record) {
 
@@ -132,21 +133,21 @@ class tx_Workspaces_Service_GridData {
                                        $versionArray['icon_Live'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $origRecord);
                                        $versionArray['icon_Workspace'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $versionRecord);
 
-                                       $versionArray['allowedAction_nextStage'] = $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
-                                       $versionArray['allowedAction_prevStage'] = $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
+                                       $versionArray['allowedAction_nextStage'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
+                                       $versionArray['allowedAction_prevStage'] = $isRecordTypeAllowedToModify && $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
 
                                        if ($swapAccess && $swapStage != 0 && $versionRecord['t3ver_stage'] == $swapStage) {
-                                               $versionArray['allowedAction_swap'] = $stagesObj->isNextStageAllowedForUser($swapStage);
+                                               $versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($swapStage);
                                        } elseif ($swapAccess && $swapStage == 0) {
-                                               $versionArray['allowedAction_swap'] = TRUE;
+                                               $versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify;
                                        } else {
                                                $versionArray['allowedAction_swap'] = FALSE;
                                        }
-                                       $versionArray['allowedAction_delete'] = TRUE;
+                                       $versionArray['allowedAction_delete'] = $isRecordTypeAllowedToModify;
                                                // preview and editing of a deleted page won't work ;)
                                        $versionArray['allowedAction_view'] = !$isDeletedPage && $viewUrl;
-                                       $versionArray['allowedAction_edit'] = !$isDeletedPage;
-                                       $versionArray['allowedAction_editVersionedPage'] = !$isDeletedPage;
+                                       $versionArray['allowedAction_edit'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
+                                       $versionArray['allowedAction_editVersionedPage'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
 
                                        $versionArray['state_Workspace'] = $recordState;
 
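Review bot: The `allowedAction_*` values set here are flags handed to the grid, so gating them on `$isRecordTypeAllowedToModify` only hides the controls. Nothing in this hunk shows the delete, edit, swap or stage-change handlers re-checking `tables_modify` for the record's table. The two `selectVersionsInWorkspace(..., 'tables_modify')` calls in Workspaces.php cover the command-building paths there, but the per-record paths are not visible and should be confirmed to enforce the same check server-side. I would add a comment above the block such as `// UI hints only: the action handlers must repeat the tables_modify check`. The enclosing loops start and end outside the hunk.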
index c37d0ea..e2fc593 100644 (file)
@@ -123,7 +123,7 @@ class tx_Workspaces_Service_Workspaces {
                        }
 
                                // Select all versions to swap:
-                       $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+                       $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 
                                // Traverse the selection to build CMD array:
                        foreach ($versions as $table => $records) {
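Review bot: Versions in tables the user may not modify are now dropped silently before the CMD array is built, here and in the identical call in the next hunk of this file. A caller therefore gets a shorter command list with no indication that part of the workspace was left out. If a partial result is intended, say so in the comment above the call, e.g. `// Select all versions to swap (only tables the user may modify):`. The positional `0` passed only to reach the sixth argument is easy to misread, so a short comment naming it as the recursion level would help. The enclosing method begins and ends outside the hunk.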
@@ -155,7 +155,7 @@ class tx_Workspaces_Service_Workspaces {
                        $stage = -99;
 
                                // Select all versions to swap:
-                       $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+                       $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 
                                // Traverse the selection to build CMD array:
                        foreach ($versions as $table => $records) {
@@ -179,9 +179,10 @@ class tx_Workspaces_Service_Workspaces {
         * @param       integer         Stage filter: -99 means no filtering, otherwise it will be used to select only elements with that stage. For publishing, that would be "10"
         * @param       integer         Page id: Live page for which to find versions in workspace!
         * @param       integer         Recursion Level - select versions recursive - parameter is only relevant if $pageId != -1
+        * @param       string          How to collect records for "listing" or "modify" these tables. Support the permissions of each type of record (@see t3lib_userAuthGroup::check).
         * @return      array           Array of all records uids etc. First key is table name, second key incremental integer. Records are associative arrays with uid, t3ver_oid and t3ver_swapmode fields. The pid of the online record is found as "livepid" the pid of the offline record is found in "wspid"
         */
-       public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0) {
+       public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0, $selectionType = 'tables_select') {
 
                $wsid = intval($wsid);
                $filter = intval($filter);
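Review bot: `$selectionType` is accepted as a free-form string and, in the loop further down, is passed straight to `$GLOBALS['BE_USER']->check()`, so a typo in a caller's argument changes which permission list is consulted without any error. The default `'tables_select'` is also the weaker of the two permissions, so every caller that builds modifying commands has to remember to opt in to `'tables_modify'`. I would reject unknown values next to the `intval()` normalisation: `if (!in_array($selectionType, array('tables_select', 'tables_modify'), TRUE)) { throw new InvalidArgumentException('Unknown selection type'); }`. The new `@param` line would read more clearly as `@param string Permission list checked per table: "tables_select" (listing) or "tables_modify" (changing records), see t3lib_userAuthGroup::check`. The method body continues outside the hunk.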
@@ -198,6 +199,12 @@ class tx_Workspaces_Service_Workspaces {
 
                        // Traversing all tables supporting versioning:
                foreach ($GLOBALS['TCA'] as $table => $cfg) {
+
+                               // we do not collect records from tables without permissions on them.
+                       if (! $GLOBALS['BE_USER']->check($selectionType, $table)) {
+                               continue;
+                       }
+
                        if ($GLOBALS['TCA'][$table]['ctrl']['versioningWS']) {
 
                                $recs = $this->selectAllVersionsFromPages($table, $pageList, $wsid, $filter, $stage);
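Review bot: The permission lookup runs for every entry in `$GLOBALS['TCA']`, including tables that do not support versioning and are skipped by the `versioningWS` test right after it. Testing `versioningWS` first, or moving the check inside that branch, avoids the needless calls and keeps the filter next to the selection it protects. The comment could also name the permission being applied, e.g. `// Skip tables for which the user lacks the $selectionType permission (table-level check only)`. The loop body continues past the end of the hunk.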