From: Michael Klapper
Date: Thu, 9 Jun 2011 13:06:49 +0000 (+0200)
Subject: [BUGFIX] Editor see records without permissions on table
X-Git-Tag: TYPO3_6-2-0alpha1~18^2~142^2
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/71d24bc400c0ed7b65cf72f8b33de83c6754205a
[BUGFIX] Editor see records without permissions on table
Change-Id: I55b8eed9a7b475040b6f842e9d8c94e60191c896
Resolves: #27325
Release: 4.6, 4.5
---
diff --git a/typo3/sysext/workspaces/Classes/Service/GridData.php b/typo3/sysext/workspaces/Classes/Service/GridData.php
index 3c63c694c024..536d88df9967 100644
--- a/typo3/sysext/workspaces/Classes/Service/GridData.php
+++ b/typo3/sysext/workspaces/Classes/Service/GridData.php
@@ -99,6 +99,7 @@ class tx_Workspaces_Service_GridData {
 foreach ($versions as $table => $records) {
 $versionArray = array('table' => $table);
+ $isRecordTypeAllowedToModify = $GLOBALS['BE_USER']->check('tables_modify', $table);
 foreach ($records as $record) {
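Review bot: The added `$isRecordTypeAllowedToModify` covers only the table-level `tables_modify` list, so the action flags derived from it later in the loop can still be true for a record the user cannot change for record- or page-level reasons; whether such checks happen elsewhere in this method is not visible here. I would document the scope on the new line with `// table-level permission only; record-level access is not evaluated here`. The enclosing method starts before and ends after this hunk.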
@@ -132,21 +133,21 @@ class tx_Workspaces_Service_GridData {
 $versionArray['icon_Live'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $origRecord);
 $versionArray['icon_Workspace'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $versionRecord);
- $versionArray['allowedAction_nextStage'] = $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
- $versionArray['allowedAction_prevStage'] = $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
+ $versionArray['allowedAction_nextStage'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
+ $versionArray['allowedAction_prevStage'] = $isRecordTypeAllowedToModify && $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
 if ($swapAccess && $swapStage != 0 && $versionRecord['t3ver_stage'] == $swapStage) {
- $versionArray['allowedAction_swap'] = $stagesObj->isNextStageAllowedForUser($swapStage);
+ $versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($swapStage);
 } elseif ($swapAccess && $swapStage == 0) {
- $versionArray['allowedAction_swap'] = TRUE;
+ $versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify;
 } else {
 $versionArray['allowedAction_swap'] = FALSE;
 }
- $versionArray['allowedAction_delete'] = TRUE;
+ $versionArray['allowedAction_delete'] = $isRecordTypeAllowedToModify;
 // preview and editing of a deleted page won't work ;)
 $versionArray['allowedAction_view'] = !$isDeletedPage && $viewUrl;
- $versionArray['allowedAction_edit'] = !$isDeletedPage;
- $versionArray['allowedAction_editVersionedPage'] = !$isDeletedPage;
+ $versionArray['allowedAction_edit'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
+ $versionArray['allowedAction_editVersionedPage'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
 $versionArray['state_Workspace'] = $recordState;
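Review bot: The `allowedAction_*` values gated here appear to be flags in the row array built for the grid, so they hide actions but enforce nothing by themselves. The same commit restricts the bulk swap/release selection in Workspaces.php to `tables_modify`, but the handlers behind per-record swap, delete, edit and stage changes are not in this diff; it should be confirmed that they re-check `tables_modify` on the server for the submitted table. A comment above the first changed assignment, e.g. `// display hints only - the action handlers must enforce tables_modify themselves`, would keep that separation visible. The enclosing loop body extends beyond the hunk.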
diff --git a/typo3/sysext/workspaces/Classes/Service/Workspaces.php b/typo3/sysext/workspaces/Classes/Service/Workspaces.php
index c37d0eafcb68..e2fc593c118d 100644
--- a/typo3/sysext/workspaces/Classes/Service/Workspaces.php
+++ b/typo3/sysext/workspaces/Classes/Service/Workspaces.php
@@ -123,7 +123,7 @@ class tx_Workspaces_Service_Workspaces {
 }
 // Select all versions to swap:
- $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+ $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 // Traverse the selection to build CMD array:
 foreach ($versions as $table => $records) {
@@ -155,7 +155,7 @@ class tx_Workspaces_Service_Workspaces {
 $stage = -99;
 // Select all versions to swap:
- $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+ $versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 // Traverse the selection to build CMD array:
 foreach ($versions as $table => $records) {
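Review bot: Passing `'tables_modify'` in the @@ -123 call makes the selection drop every table the user may not modify without any signal, so the command array built below can cover only part of the workspace while the caller sees a normal result; logging or returning the skipped tables would make a partial publish detectable. The bare `0` exists only to reach the sixth parameter, so a comment like `// recursionLevel 0; only tables the user may modify` would help the next reader. The call in the @@ -155 hunk has the same two points. Both enclosing methods start and end outside their hunks.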
@@ -179,9 +179,10 @@ class tx_Workspaces_Service_Workspaces {
 * @param integer Stage filter: -99 means no filtering, otherwise it will be used to select only elements with that stage. For publishing, that would be "10"
 * @param integer Page id: Live page for which to find versions in workspace!
 * @param integer Recursion Level - select versions recursive - parameter is only relevant if $pageId != -1
+ * @param string How to collect records for "listing" or "modify" these tables. Support the permissions of each type of record (@see t3lib_userAuthGroup::check).
 * @return array Array of all records uids etc. First key is table name, second key incremental integer. Records are associative arrays with uid, t3ver_oid and t3ver_swapmode fields. The pid of the online record is found as "livepid" the pid of the offline record is found in "wspid"
 */
- public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0) {
+ public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0, $selectionType = 'tables_select') {
 $wsid = intval($wsid);
 $filter = intval($filter);
@@ -198,6 +199,12 @@ class tx_Workspaces_Service_Workspaces {
 // Traversing all tables supporting versioning:
 foreach ($GLOBALS['TCA'] as $table => $cfg) {
+
+ // we do not collect records from tables without permissions on them.
+ if (! $GLOBALS['BE_USER']->check($selectionType, $table)) {
+ continue;
+ }
+
 if ($GLOBALS['TCA'][$table]['ctrl']['versioningWS']) {
 $recs = $this->selectAllVersionsFromPages($table, $pageList, $wsid, $filter, $stage);
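Review bot: `$selectionType` is an open string on a public method and, per the @@ -198 hunk, is handed unchanged to `$GLOBALS['BE_USER']->check()`, so a misspelled or unrelated list name changes which tables are returned without any error (how `check()` treats an unknown type is not visible here). Rejecting anything outside the two intended values at the top of the method, e.g. `if (!in_array($selectionType, array('tables_select', 'tables_modify'), TRUE)) { throw new InvalidArgumentException('Unsupported selection type: ' . $selectionType); }`, keeps the filter from being weakened by accident. The new `@param` line would read better as `@param string Permission list checked per table: 'tables_select' (listing, default) or 'tables_modify' (publish/swap), see t3lib_userAuthGroup::check`. The method body continues past the hunk.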
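Review bot: The new guard calls `$GLOBALS['BE_USER']->check()` for every TCA table before the `versioningWS` test and assumes a backend user object always exists when this public method runs. If the method can be reached without one (not visible from this diff), the result is a fatal error instead of an empty list; `if (!is_object($GLOBALS['BE_USER']) || !$GLOBALS['BE_USER']->check($selectionType, $table)) {` would fail closed. Moving the guard inside the `versioningWS` branch would also avoid the permission lookup for tables that are skipped anyway. The loop body runs past the end of the hunk.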