[BUGFIX] Show deleted page actions in record history 10/54610/2
authorHelmut Hummel <typo3@helhum.io>
Tue, 7 Nov 2017 14:09:08 +0000 (15:09 +0100)
committerMarkus Klein <markus.klein@typo3.org>
Mon, 20 Nov 2017 09:24:21 +0000 (10:24 +0100)
Because users have no access to deleted pages,
the access check always fails, leading to delete page
actions not being shown in the history despite being
properly tracked.

We now check this case and do a more lightweight check
so that we still have the permissions checked,
but can show deleted pages without disclosing unwanted
information.

Resolves: #45056
Releases: 7.6, 8.7, master
Change-Id: Id919a24651c18a351f9723e86610b525a4f4726c
Reviewed-on: https://review.typo3.org/54610
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/backend/Classes/History/RecordHistory.php

index 1857652..0c111a5 100644 (file)
@@ -19,6 +19,7 @@ use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\DataHandling\DataHandler;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\Imaging\IconFactory;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\DiffUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\HttpUtility;
@@ -972,9 +973,27 @@ class RecordHistory
         }
 
         if (!isset($this->pageAccessCache[$pageId])) {
-            $this->pageAccessCache[$pageId] = BackendUtility::readPageAccess(
-                $pageId, $this->getBackendUser()->getPagePermsClause(1)
-            );
+            $isDeletedPage = false;
+            if ($this->showInsertDelete && isset($GLOBALS['TCA']['pages']['ctrl']['delete'])) {
+                $deletedField = $GLOBALS['TCA']['pages']['ctrl']['delete'];
+                $pageRecord = $this->getRecord('pages', $pageId);
+                $isDeletedPage = (bool)$pageRecord[$deletedField];
+            }
+            if ($isDeletedPage) {
+                // The page is deleted, so we fake its uid to be the one of the parent page.
+                // By doing so, the following API will use this id to traverse the rootline
+                // and check whether it is in the users' web mounts.
+                // We check however if the user has (or better had) access to the deleted page itself.
+                // Since the only way we got here is by requesting the history of the parent page
+                // we can be sure this parent page actually exists.
+                $pageRecord['uid'] = $pageRecord['pid'];
+                $this->pageAccessCache[$pageId] = $this->getBackendUser()->doesUserHaveAccess($pageRecord, Permission::PAGE_SHOW);
+            } else {
+                $this->pageAccessCache[$pageId] = BackendUtility::readPageAccess(
+                    $pageId,
+                    $this->getBackendUser()->getPagePermsClause(Permission::PAGE_SHOW)
+                );
+            }
         }
 
         return $this->pageAccessCache[$pageId] !== false;
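Review bot: `$pageRecord[$deletedField]` is read without checking that `getRecord('pages', $pageId)` returned a row. `getRecord` is defined outside this hunk, so if it can return null or false (for example when the page row was physically removed while history entries remain), the offset read happens on a non-array. From the visible lines that case still falls through to the `readPageAccess()` branch, so it should fail closed, but the guard is better made explicit: `$isDeletedPage = is_array($pageRecord) && !empty($pageRecord[$deletedField]);`. The deleted-page branch also takes the permission bits from the deleted row while, per its own comment, the mount check runs against `pid`. A test with a deleted page whose parent is outside the user's web mounts, and one with `pid` 0, would pin the no-disclosure behaviour the commit message promises. The enclosing method starts and ends outside the hunk.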