[BUGFIX] Fixed permissions of media field in page properties 70/41670/4
authorMichael Oehlhof <typo3@oehlhof.de>
Wed, 1 Jul 2015 19:14:55 +0000 (21:14 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Wed, 29 Jul 2015 16:44:23 +0000 (18:44 +0200)
It was not possible to add media to the page properties if the user has
only the permissions for "page edit" and not for "page content"..

Resolves: #66702
Releases: master, 6.2
Change-Id: I553ee805a0e992d2ea5e00b91e7de733b2e4c94e
Reviewed-on: http://review.typo3.org/41670
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
typo3/sysext/backend/Classes/Form/Element/InlineElement.php
typo3/sysext/core/Classes/DataHandling/DataHandler.php

index 142bb9c..72cd071 100644 (file)
@@ -655,6 +655,7 @@ class InlineElement {
                $tcaTableCtrl = &$GLOBALS['TCA'][$foreign_table]['ctrl'];
                $tcaTableCols = &$GLOBALS['TCA'][$foreign_table]['columns'];
                $isPagesTable = $foreign_table == 'pages' ? TRUE : FALSE;
+               $isSysFileReferenceTable = $foreign_table === 'sys_file_reference';
                $isOnSymmetricSide = RelationHandler::isOnSymmetricSide($parentUid, $config, $rec);
                $enableManualSorting = $tcaTableCtrl['sortby'] || $config['MM'] || !$isOnSymmetricSide && $config['foreign_sortby'] || $isOnSymmetricSide && $config['symmetric_sortby'] ? TRUE : FALSE;
                $nameObject = $this->inlineNames['object'];
@@ -662,6 +663,7 @@ class InlineElement {
                $nameObjectFtId = $nameObjectFt . self::Structure_Separator . $rec['uid'];
                $calcPerms = $GLOBALS['BE_USER']->calcPerms(BackendUtility::readPageAccess($rec['pid'], $GLOBALS['BE_USER']->getPagePermsClause(1)));
                // If the listed table is 'pages' we have to request the permission settings for each page:
+               $localCalcPerms = FALSE;
                if ($isPagesTable) {
                        $localCalcPerms = $GLOBALS['BE_USER']->calcPerms(BackendUtility::getRecord('pages', $rec['uid']));
                }
@@ -718,7 +720,10 @@ class InlineElement {
                                $cells['sort.down'] = '<a href="#" onclick="' . htmlspecialchars($onClick) . '" class="sortingDown" ' . $style . '>' . IconUtility::getSpriteIcon('actions-move-down', array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_web_list.xlf:moveDown', TRUE))) . '</a>';
                        }
                        // "Delete" link:
-                       if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & 4 || !$isPagesTable && $calcPerms & 16)) {
+                       if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & 4
+                               || !$isPagesTable && $calcPerms & 16
+                               || $isSysFileReferenceTable && $calcPerms & 2)) {
+
                                $onClick = 'inline.deleteRecord(\'' . $nameObjectFtId . '\');';
                                $cells['delete'] = '<a href="#" onclick="' . htmlspecialchars(('if (confirm(' . GeneralUtility::quoteJSvalue($GLOBALS['LANG']->getLL('deleteWarning')) . ')) {  ' . $onClick . ' } return false;')) . '">' . IconUtility::getSpriteIcon('actions-edit-delete', array('title' => $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_web_list.xlf:delete', TRUE))) . '</a>';
                        }
@@ -2118,6 +2123,14 @@ class InlineElement {
                                } else {
                                        // Are we allowed to edit content on this page?
                                        $hasAccess = $CALC_PERMS & 16 ? 1 : 0;
+                                       // Are we allowed to edit the page?
+                                       if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
+                                               $hasAccess = (bool)($CALC_PERMS & 2);
+                                       }
+                                       if (!$hasAccess) {
+                                               // Are we allowed to edit content on this page?
+                                               $hasAccess = (bool)($CALC_PERMS & 16);
+                                       }
                                }
                        } else {
                                $hasAccess = 1;
@@ -2134,7 +2147,12 @@ class InlineElement {
                                } else {
                                        // Fetching pid-record first.
                                        $CALC_PERMS = $GLOBALS['BE_USER']->calcPerms(BackendUtility::getRecord('pages', $calcPRec['pid']));
-                                       $hasAccess = $CALC_PERMS & 16 ? 1 : 0;
+                                       if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
+                                               $hasAccess = (bool)($CALC_PERMS & 2);
+                                       }
+                                       if (!$hasAccess) {
+                                               $hasAccess = (bool)($CALC_PERMS & 16);
+                                       }
                                }
                                // Check internals regarding access:
                                $isRootLevelRestrictionIgnored = BackendUtility::isRootLevelRestrictionIgnored($table);
@@ -2658,6 +2676,20 @@ class InlineElement {
        }
 
        /**
+        * Check if the record is a media element on a page.
+        *
+        * @param string $theUid Uid of the sys_file_reference record to be checked
+        * @return bool TRUE if the record has media in the column 'fieldname' and pages in the column 'tablenames'
+        */
+       protected function isMediaOnPages($theUid) {
+               if (strpos($theUid, 'NEW') === 0) {
+                       return TRUE;
+               }
+               $row = BackendUtility::getRecord('sys_file_reference', $theUid);
+               return ($row['fieldname'] === 'media') && ($row['tablenames'] === 'pages');
+       }
+
+       /**
         * @return LanguageService
         */
        protected function getLanguageService() {
index 2813798..4a90c93 100644 (file)
@@ -5610,7 +5610,15 @@ class DataHandler {
                }
 
                $res = FALSE;
-               $pageExists = (bool)$this->doesRecordExist('pages', $pid, ($insertTable === 'pages' ? $this->pMap['new'] : $this->pMap['editcontent']));
+               if ($insertTable === 'pages') {
+                       $perms = $this->pMap['new'];
+               // @todo: find a more generic way to handle content relations of a page (without needing content editing access to that page)
+               } elseif (($insertTable === 'sys_file_reference') && array_key_exists('pages', $this->datamap)) {
+                       $perms = $this->pMap['edit'];
+               } else {
+                       $perms = $this->pMap['editcontent'];
+               }
+               $pageExists = (bool)$this->doesRecordExist('pages', $pid, $perms);
                // If either admin and root-level or if page record exists and 1) if 'pages' you may create new ones 2) if page-content, new content items may be inserted on the $pid page
                if ($pageExists || $pid === 0 && ($this->admin || BackendUtility::isRootLevelRestrictionIgnored($insertTable))) {
                        // Check permissions
@@ -5691,7 +5699,11 @@ class DataHandler {
 
                                        case 'new':
                                                // This holds it all in case the record is not page!!
+                                       if ($table === 'sys_file_reference' && array_key_exists('pages', $this->datamap)) {
+                                               $perms = 'edit';
+                                       } else {
                                                $perms = 'editcontent';
+                                       }
                                                break;
                                }
                        }