[BUGFIX] Do not allow users to edit doktypes without permissions 15/53715/3
authorMarkus Hoelzle <typo3@markus-hoelzle.de>
Wed, 22 Feb 2017 09:27:49 +0000 (10:27 +0100)
committerSusanne Moog <susanne.moog@typo3.org>
Wed, 20 Sep 2017 16:31:16 +0000 (18:31 +0200)
Disallow backend users from editing pages whose doktypes are not allowed
via backend usergroup permissions.

Resolves: #79954
Releases: master, 8.7, 7.6
Change-Id: I527602e71c62bc8e33b0886a5758c7c8040b4720
Reviewed-on: https://review.typo3.org/53715
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Jan Stockfisch <jan.stockfisch@googlemail.com>
Tested-by: Jan Stockfisch <jan.stockfisch@googlemail.com>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseUserPermissionCheck.php
typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/DatabaseUserPermissionCheckTest.php

index 5427185..5ccc050 100644 (file)
@@ -115,7 +115,7 @@ class DatabaseUserPermissionCheck implements FormDataProviderInterface
             if ($result['tableName'] === 'pages') {
                 // A page record is edited, check edit rights of this record directly
                 $userPermissionOnPage = $backendUser->calcPerms($result['databaseRow']);
-                if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT)) {
+                if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT) && $backendUser->check('pagetypes_select', $result['databaseRow']['doktype'])) {
                     $userHasAccess = true;
                 } else {
                     $exception = new AccessDeniedPageEditException(
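Review bot: The doktype denial introduced in the new condition is indistinguishable from a missing page-edit permission, because both cases fall into the same else branch and raise the same AccessDeniedPageEditException (the new unit test even expects code 1437679336 for the doktype case), which makes a misconfigured pagetypes_select hard to diagnose from the error alone. Checking the doktype in its own branch with a message that names the page and its doktype keeps the two reasons apart; the sketch below throws directly, so if the enclosing method (which starts and ends outside the hunk) collects `$exception` and throws it later, assign it the same way instead, and the new test's expected code would then change accordingly. Either way a short comment above the condition would help, e.g. `// Editing a page also requires its doktype to be allowed for the user group (pagetypes_select)`.
```php
                $userPermissionOnPage = $backendUser->calcPerms($result['databaseRow']);
                // Editing a page also requires its doktype to be allowed for the user group (pagetypes_select)
                if (!$backendUser->check('pagetypes_select', $result['databaseRow']['doktype'])) {
                    throw new AccessDeniedPageEditException(
                        'Doktype ' . $result['databaseRow']['doktype'] . ' of page ' . $result['databaseRow']['uid'] . ' is not allowed for this user',
                        0 // PLACEHOLDER: assign a new, unique exception code
                    );
                }
                if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT)) {
                    $userHasAccess = true;
                } else {
                    // … unchanged: existing AccessDeniedPageEditException for the missing page edit permission …
```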
index 6b1573f..f4c23ce 100644 (file)
@@ -151,6 +151,32 @@ class DatabaseUserPermissionCheckTest extends UnitTestCase
     /**
      * @test
      */
+    public function addDataThrowsExceptionIfCommandIsEditTableIsPagesAndUserHasNoDoktypePermissions()
+    {
+        $input = [
+            'tableName' => 'pages',
+            'command' => 'edit',
+            'vanillaUid' => 123,
+            'databaseRow' => [
+                'uid' => 123,
+                'pid' => 321,
+                'doktype' => 1,
+            ],
+        ];
+        $this->beUserProphecy->isAdmin()->willReturn(false);
+        $this->beUserProphecy->check('tables_modify', $input['tableName'])->willReturn(true);
+        $this->beUserProphecy->check('pagetypes_select', $input['databaseRow']['doktype'])->willReturn(false);
+        $this->beUserProphecy->recordEditAccessInternals($input['tableName'], Argument::cetera())->willReturn(true);
+        $this->beUserProphecy->calcPerms($input['databaseRow'])->willReturn(Permission::ALL);
+
+        $this->setExpectedException(AccessDeniedPageEditException::class, 1437679336);
+
+        $this->subject->addData($input);
+    }
+
+    /**
+     * @test
+     */
     public function addDataAddsUserPermissionsOnPageIfTableIsPagesAndUserHasPagePermissions()
     {
         $input = [
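Review bot: The new test addDataThrowsExceptionIfCommandIsEditTableIsPagesAndUserHasNoDoktypePermissions uses `$this->setExpectedException(...)`, which PHPUnit deprecated in 5.2 and removed in 6; if the unit test base class on master runs on a current PHPUnit, `$this->expectException(AccessDeniedPageEditException::class); $this->expectExceptionCode(1437679336);` is the supported form (the surrounding tests may still use the old call, which is not visible in this hunk). Stubbing calcPerms with Permission::ALL does isolate the doktype check as the only possible cause of the exception, so the case itself is well targeted.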
@@ -159,11 +185,13 @@ class DatabaseUserPermissionCheckTest extends UnitTestCase
             'vanillaUid' => 123,
             'databaseRow' => [
                 'uid' => 123,
-                'pid' => 321
+                'pid' => 321,
+                'doktype' => 1,
             ],
         ];
         $this->beUserProphecy->isAdmin()->willReturn(false);
         $this->beUserProphecy->check('tables_modify', $input['tableName'])->willReturn(true);
+        $this->beUserProphecy->check('pagetypes_select', $input['databaseRow']['doktype'])->willReturn(true);
         $this->beUserProphecy->calcPerms($input['databaseRow'])->willReturn(Permission::PAGE_EDIT);
         $this->beUserProphecy->recordEditAccessInternals($input['tableName'], Argument::cetera())->willReturn(true);