[BUGFIX] Fixed permissions of media field in page properties 35/40835/5
authorMichael Oehlhof <typo3@oehlhof.de>
Wed, 1 Jul 2015 19:14:55 +0000 (21:14 +0200)
committerAndreas Wolf <andreas.wolf@typo3.org>
Sat, 18 Jul 2015 13:26:03 +0000 (15:26 +0200)
It was not possible to add media to the page properties if the user had
only the permissions for "page edit" and not for "page content".

Resolves: #66702
Releases: master, 6.2
Change-Id: I553ee805a0e992d2ea5e00b91e7de733b2e4c94e
Reviewed-on: http://review.typo3.org/40835
Reviewed-by: Susanne Moog <typo3@susannemoog.de>
Tested-by: Susanne Moog <typo3@susannemoog.de>
Reviewed-by: Markus Sommer <markussom@posteo.de>
Tested-by: Markus Sommer <markussom@posteo.de>
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
typo3/sysext/backend/Classes/Form/Container/InlineRecordContainer.php
typo3/sysext/core/Classes/DataHandling/DataHandler.php

index e936ea0..fd90027 100644 (file)
@@ -22,6 +22,7 @@ use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Utility\MathUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\Utility\StringUtility;
 use TYPO3\CMS\Lang\LanguageService;
 use TYPO3\CMS\Backend\Utility\IconUtility;
 use TYPO3\CMS\Core\Type\Bitmask\Permission;
@@ -430,6 +431,7 @@ class InlineRecordContainer extends AbstractContainer {
                $tcaTableCtrl = &$GLOBALS['TCA'][$foreign_table]['ctrl'];
                $tcaTableCols = &$GLOBALS['TCA'][$foreign_table]['columns'];
                $isPagesTable = $foreign_table === 'pages';
+               $isSysFileReferenceTable = $foreign_table === 'sys_file_reference';
                $isOnSymmetricSide = RelationHandler::isOnSymmetricSide($parentUid, $config, $rec);
                $enableManualSorting = $tcaTableCtrl['sortby'] || $config['MM'] || !$isOnSymmetricSide && $config['foreign_sortby'] || $isOnSymmetricSide && $config['symmetric_sortby'];
                $nameObject = $this->inlineStackProcessor->getCurrentStructureDomObjectIdPrefix($this->globalOptions['inlineFirstPid']);
@@ -527,7 +529,9 @@ class InlineRecordContainer extends AbstractContainer {
                                }
                        }
                        // "Delete" link:
-                       if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & Permission::PAGE_DELETE || !$isPagesTable && $calcPerms & Permission::CONTENT_EDIT)) {
+                       if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & Permission::PAGE_DELETE
+                                       || !$isPagesTable && $calcPerms & Permission::CONTENT_EDIT
+                                       || $isSysFileReferenceTable && $calcPerms & Permission::PAGE_EDIT)) {
                                $onClick = 'inline.deleteRecord(' . GeneralUtility::quoteJSvalue($nameObjectFtId) . ');';
                                $cells['delete'] = '
                                        <a class="btn btn-default" href="#" onclick="' . htmlspecialchars(('if (confirm(' . GeneralUtility::quoteJSvalue($languageService->getLL('deleteWarning')) . ')) {      ' . $onClick . ' } return false;')) . '">
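Review bot: The third alternative added to the "Delete" condition is keyed on the table name alone, so every sys_file_reference child gets the delete control when the user holds only PAGE_EDIT, not just media attached to a page. The access checks later in this commit narrow the same relaxation with isMediaOnPages(), and this branch should match them, e.g. `|| $isSysFileReferenceTable && $this->isMediaOnPages($rec['uid']) && $calcPerms & Permission::PAGE_EDIT` (assuming `$rec['uid']` is the child uid at this point). Since `!$isPagesTable` is also true for sys_file_reference, putting each `&&` group in its own parentheses would make the intended precedence easier to audit. The enclosing method starts and ends outside the hunk.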
@@ -622,8 +626,14 @@ class InlineRecordContainer extends AbstractContainer {
                                        // Are we allowed to create new subpages?
                                        $hasAccess = (bool)($CALC_PERMS & Permission::PAGE_NEW);
                                } else {
-                                       // Are we allowed to edit content on this page?
-                                       $hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
+                                       // Are we allowed to edit the page?
+                                       if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
+                                               $hasAccess = (bool)($CALC_PERMS & Permission::PAGE_EDIT);
+                                       }
+                                       if (!$hasAccess) {
+                                               // Are we allowed to edit content on this page?
+                                               $hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
+                                       }
                                }
                        } else {
                                $hasAccess = TRUE;
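Review bot: `if (!$hasAccess)` reads $hasAccess before this branch has assigned it whenever the sys_file_reference test is false, so the permission decision depends on an initialisation that is not visible in the hunk. A single assignment removes that dependency and keeps the same result: `$hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT) || ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid) && (bool)($CALC_PERMS & Permission::PAGE_EDIT));`. The comment `// Are we allowed to edit the page?` now sits above a table check and would read better as `// Page media only needs page edit access; everything else needs content edit access`. The same pattern is repeated in the `@@ -640,7 +650,12 @@` hunk, and the method body starts outside both hunks.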
@@ -640,7 +650,12 @@ class InlineRecordContainer extends AbstractContainer {
                                } else {
                                        // Fetching pid-record first.
                                        $CALC_PERMS = $backendUser->calcPerms(BackendUtility::getRecord('pages', $calcPRec['pid']));
-                                       $hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
+                                       if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
+                                               $hasAccess = (bool)($CALC_PERMS & Permission::PAGE_EDIT);
+                                       }
+                                       if (!$hasAccess) {
+                                               $hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
+                                       }
                                }
                                // Check internals regarding access
                                $isRootLevelRestrictionIgnored = BackendUtility::isRootLevelRestrictionIgnored($table);
@@ -729,6 +744,20 @@ class InlineRecordContainer extends AbstractContainer {
        }
 
        /**
+        * Check if the record is a media element on a page.
+        *
+        * @param string $theUid Uid of the sys_file_reference record to be checked
+        * @return bool TRUE if the record has media in the column 'fieldname' and pages in the column 'tablenames'
+        */
+       protected function isMediaOnPages($theUid) {
+               if (StringUtility::beginsWith($theUid, 'NEW')) {
+                       return TRUE;
+               }
+               $row = BackendUtility::getRecord('sys_file_reference', $theUid);
+               return ($row['fieldname'] === 'media') && ($row['tablenames'] === 'pages');
+       }
+
+       /**
         * @return BackendUserAuthentication
         */
        protected function getBackendUserAuthentication() {
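Review bot: The `NEW` shortcut in isMediaOnPages() returns TRUE for every unsaved sys_file_reference, whatever parent table and field it is being attached to, so the callers' PAGE_EDIT path also covers new file references on non-page records. The docblock promises a check of 'fieldname' and 'tablenames' that this branch does not perform; either pass the parent table and field in and test them, or state the exception in the docblock, e.g. `Unsaved records (uid starting with "NEW") are treated as page media without further checks.` For saved records, BackendUtility::getRecord() may return no row, so the final line is safer as `return is_array($row) && $row['fieldname'] === 'media' && $row['tablenames'] === 'pages';`.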
index 11f9a7c..1c05788 100644 (file)
@@ -5982,7 +5982,15 @@ class DataHandler {
                }
 
                $res = FALSE;
-               $pageExists = (bool)$this->doesRecordExist('pages', $pid, ($insertTable === 'pages' ? $this->pMap['new'] : $this->pMap['editcontent']));
+               if ($insertTable === 'pages') {
+                       $perms = $this->pMap['new'];
+               // @todo: find a more generic way to handle content relations of a page (without needing content editing access to that page)
+               } elseif (($insertTable === 'sys_file_reference') && array_key_exists('pages', $this->datamap)) {
+                       $perms = $this->pMap['edit'];
+               } else {
+                       $perms = $this->pMap['editcontent'];
+               }
+               $pageExists = (bool)$this->doesRecordExist('pages', $pid, $perms);
                // If either admin and root-level or if page record exists and 1) if 'pages' you may create new ones 2) if page-content, new content items may be inserted on the $pid page
                if ($pageExists || $pid === 0 && ($this->admin || BackendUtility::isRootLevelRestrictionIgnored($insertTable))) {
                        // Check permissions
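Review bot: `array_key_exists('pages', $this->datamap)` only shows that the submitted data contains some pages entry, not that the file reference being inserted belongs to a page's media field or to the page identified by $pid. As written, any submission that carries a pages record gets the weaker 'edit' check for every sys_file_reference insert, including references aimed at content elements, which is the boundary 'editcontent' exists to protect. At minimum the test should be tied to the page being written, e.g. `} elseif ($insertTable === 'sys_file_reference' && isset($this->datamap['pages'][$pid])) {` if $pid is that page's uid here (to be confirmed), and ideally it should also check the incoming record's tablenames and fieldname. The identical condition is repeated in the `@@ -6061,7 +6069,11 @@` hunk, where the added if/else is also indented one level short of the `case` body; one private helper would keep the two copies from drifting apart. Both method bodies start outside their hunks.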
@@ -6061,7 +6069,11 @@ class DataHandler {
 
                                        case 'new':
                                                // This holds it all in case the record is not page!!
+                                       if ($table === 'sys_file_reference' && array_key_exists('pages', $this->datamap)) {
+                                               $perms = 'edit';
+                                       } else {
                                                $perms = 'editcontent';
+                                       }
                                                break;
                                }
                        }