[TASK] Editors do not have rights to edit file metadata
authorSteffen Ritter <info@rs-websystems.de>
Mon, 3 Sep 2012 07:31:09 +0000 (09:31 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 6 Nov 2012 21:46:19 +0000 (22:46 +0100)
File records are stored in PID 0. In TYPO3 non-admins do not
have access to anything stored in PID 0, and FAL won't work
without granting non-admins access to file meta-data.

A new TCA control configuration allows to ignore those
permission restrictions for sys_file and sys_file_reference:

* TCA/<table>/ctrl/security/ignoreWebMountRestriction
  Allows users to access records that are not in their
  defined web-mount and by-passes this restriction.
* TCA/<table>/ctrl/security/ignoreRootLevelRestriction
  Allows users (non-admins) to access records that are
  stored on the root-level (page-id 0) and by-passes this
  restriction.

Change-Id: If92b07b0ba63a0d544a337ddf4f55973fafcd345
Fixes: #39805
Releases: 6.0
Reviewed-on: http://review.typo3.org/13658
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
Reviewed-by: Stefan Neufeind
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
t3lib/stddb/tables.php
typo3/sysext/backend/Classes/Controller/EditDocumentController.php
typo3/sysext/backend/Classes/Utility/BackendUtility.php
typo3/sysext/core/Classes/DataHandling/DataHandler.php

index 77d07a3..2d2a174 100644 (file)
@@ -415,6 +415,10 @@ $TCA['sys_file'] = array(
                        '5' => 'mimetypes-application',
                        'default' => 'mimetypes-other-other'
                ),
+               'security' => array(
+                       'ignoreWebMountRestriction' => TRUE,
+                       'ignoreRootLevelRestriction' => TRUE,
+               ),
                'dynamicConfigFile' => 'T3LIB:tca_sys_file.php'
        )
 );
@@ -446,6 +450,10 @@ $TCA['sys_file_reference'] = array(
                'enablecolumns' => array(
                        'disabled' => 'hidden'
                ),
+               'security' => array(
+                       'ignoreWebMountRestriction' => TRUE,
+                       'ignoreRootLevelRestriction' => TRUE,
+               ),
                'dynamicConfigFile' => 'T3LIB:tca_sys_file_reference.php'
        )
 );
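Review bot: The new `security` block on sys_file_reference (and the identical one on sys_file above) switches off two core access checks, but nothing in tables.php says why, and the rationale lives only in the commit message. A short comment above each block would keep it with the configuration: `// File records live on pid 0 and outside any web mount; non-admins need these bypasses to use FAL (#39805).` The comment should also make clear that these flags only relax the web-mount and root-level checks, not the table-level modify rights a user still needs, so that nobody copies the block to another table expecting it to be a complete grant.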
index d3ff7b6..6e73742 100644 (file)
@@ -741,8 +741,7 @@ class EditDocumentController {
                                                                $calcPRec = \TYPO3\CMS\Backend\Utility\BackendUtility::getRecord($table, $theUid);
                                                                \TYPO3\CMS\Backend\Utility\BackendUtility::fixVersioningPid($table, $calcPRec);
                                                                if (is_array($calcPRec)) {
-                                                                       // If pages:
-                                                                       if ($table == 'pages') {
+                                                                       if ($table == 'pages') { // If pages:
                                                                                $CALC_PERMS = $GLOBALS['BE_USER']->calcPerms($calcPRec);
                                                                                $hasAccess = $CALC_PERMS & 2 ? 1 : 0;
                                                                                $deleteAccess = $CALC_PERMS & 4 ? 1 : 0;
@@ -759,7 +758,8 @@ class EditDocumentController {
                                                                                }
                                                                        }
                                                                        // Check internals regarding access:
-                                                                       if ($hasAccess) {
+                                                                       $isRootLevelRestrictionIgnored = \TYPO3\CMS\Backend\Utility\BackendUtility::isRootLevelRestrictionIgnored($table);
+                                                                       if ($hasAccess || (string) $calcPRec['pid'] === '0' && $isRootLevelRestrictionIgnored) {
                                                                                $hasAccess = $GLOBALS['BE_USER']->recordEditAccessInternals($table, $calcPRec);
                                                                                $deniedAccessReason = $GLOBALS['BE_USER']->errorMsg;
                                                                        }
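Review bot: The new `if` condition mixes `||` and `&&` without parentheses; PHP binds `&&` tighter, so the intended reading (has access, or a root-level record on a table that opts out) holds, but next to the `(string)` cast it is easy to misread and should be made explicit: `if ($hasAccess || ((string) $calcPRec['pid'] === '0' && $isRootLevelRestrictionIgnored)) {`. Note that in the bypass case `$hasAccess` was not granted by the page-permission logic above and is now decided solely by `recordEditAccessInternals()`; whether that method applies any table-specific restriction for sys_file is not visible in this hunk, so a comment on the line stating that assumption would help the next reader. The enclosing method continues outside the hunk.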
index 6fa2976..599a44e 100644 (file)
@@ -4065,6 +4065,30 @@ class BackendUtility {
                return $configuration;
        }
 
+       /**
+        * Whether to ignore restrictions on a web-mount of a table.
+        * The regular behaviour is that records to be accessed need to be
+        * in a valid user's web-mount.
+        *
+        * @param string $table Name of the table
+        * @return boolean
+        */
+       static public function isWebMountRestrictionIgnored($table) {
+               return !empty($GLOBALS['TCA'][$table]['ctrl']['security']['ignoreWebMountRestriction']);
+       }
+
+       /**
+        * Whether to ignore restrictions on root-level records.
+        * The regular behaviour is that records on the root-level (page-id 0)
+        * only can be accessed by admin users.
+        *
+        * @param string $table Name of the table
+        * @return boolean
+        */
+       static public function isRootLevelRestrictionIgnored($table) {
+               return !empty($GLOBALS['TCA'][$table]['ctrl']['security']['ignoreRootLevelRestriction']);
+       }
+
 }
 
 
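Review bot: Both new helpers document the regular behaviour they relax but not the trust implication of the flag they read: any extension's TCA can set `ctrl/security/ignoreRootLevelRestriction` or `ignoreWebMountRestriction` on any table, and the DataHandler then treats non-admins like admins for that table's root-level records or skips the web-mount check entirely. I would add a sentence to each docblock along the lines of `Tables that set this flag disable a core access check; the table's own logic must enforce whatever restriction replaces it, because the DataHandler no longer restricts these records.` Since the check is `!empty()`, any truthy value enables the bypass, which is worth stating in the `@return` description so that nobody expects strict `TRUE` to be required.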
index c501057..26f6d18 100644 (file)
@@ -5154,7 +5154,8 @@ class DataHandler {
                        throw new \RuntimeException('Internal ERROR: no permissions to check for non-admin user', 1270853920);
                }
                // For all tables: Check if record exists:
-               if (is_array($GLOBALS['TCA'][$table]) && $id > 0 && ($this->isRecordInWebMount($table, $id) || $this->admin)) {
+               $isWebMountRestrictionIgnored = \TYPO3\CMS\Backend\Utility\BackendUtility::isWebMountRestrictionIgnored($table);
+               if (is_array($GLOBALS['TCA'][$table]) && $id > 0 && ($isWebMountRestrictionIgnored || $this->isRecordInWebMount($table, $id) || $this->admin)) {
                        if ($table != 'pages') {
                                // Find record without checking page:
                                $mres = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,pid', $table, 'uid=' . intval($id) . $this->deleteClause($table));
@@ -5167,7 +5168,8 @@ class DataHandler {
                                        $mres = $this->doesRecordExist_pageLookUp($output['pid'], $perms);
                                        $pageRec = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($mres);
                                        // Return TRUE if either a page was found OR if the PID is zero AND the user is ADMIN (in which case the record is at root-level):
-                                       if (is_array($pageRec) || !$output['pid'] && $this->admin) {
+                                       $isRootLevelRestrictionIgnored = \TYPO3\CMS\Backend\Utility\BackendUtility::isRootLevelRestrictionIgnored($table);
+                                       if (is_array($pageRec) || !$output['pid'] && ($isRootLevelRestrictionIgnored || $this->admin)) {
                                                return TRUE;
                                        }
                                }
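Review bot: The comment on the line above the changed condition still says the pid-zero case requires the user to be ADMIN, which the new condition no longer requires; update it to `// Return TRUE if a page was found, OR if the PID is zero (root-level record) AND the user is admin or the table's TCA ignores the root-level restriction`. More importantly, the root-level branch returns TRUE without looking at `$perms`, so for a table with the flag set a non-admin passes this check for every permission bit (edit, delete, …) on every pid-0 row of that table; nothing in this hunk ties the record to the user's file mounts or storages, so that restriction must be enforced elsewhere for sys_file — presumably in FAL, which is not visible here and deserves a comment at this point stating that assumption. The enclosing method doesRecordExist starts outside the hunk.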