From: Michael Klapper <klapper@aoemedia.de>
Date: Thu, 9 Jun 2011 13:06:49 +0000 (+0200)
Subject: [BUGFIX] Editor see records without permissions on table
X-Git-Tag: TYPO3_6-2-0alpha1~18^2~142^2
X-Git-Url: http://git.typo3.org/Packages/TYPO3.CMS.git/commitdiff_plain/71d24bc400c0ed7b65cf72f8b33de83c6754205a

[BUGFIX] Editor see records without permissions on table

Change-Id: I55b8eed9a7b475040b6f842e9d8c94e60191c896
Resolves: #27325
Release: 4.6, 4.5
---

diff --git a/typo3/sysext/workspaces/Classes/Service/GridData.php b/typo3/sysext/workspaces/Classes/Service/GridData.php
index 3c63c694c024..536d88df9967 100644
--- a/typo3/sysext/workspaces/Classes/Service/GridData.php
+++ b/typo3/sysext/workspaces/Classes/Service/GridData.php
@@ -99,6 +99,7 @@ class tx_Workspaces_Service_GridData {
 
 			foreach ($versions as $table => $records) {
 				$versionArray = array('table' => $table);
+				$isRecordTypeAllowedToModify = $GLOBALS['BE_USER']->check('tables_modify', $table);
 
 				foreach ($records as $record) {
 
@@ -132,21 +133,21 @@ class tx_Workspaces_Service_GridData {
 					$versionArray['icon_Live'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $origRecord);
 					$versionArray['icon_Workspace'] = t3lib_iconWorks::mapRecordTypeToSpriteIconClass($table, $versionRecord);
 
-					$versionArray['allowedAction_nextStage'] = $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
-					$versionArray['allowedAction_prevStage'] = $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
+					$versionArray['allowedAction_nextStage'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($versionRecord['t3ver_stage']);
+					$versionArray['allowedAction_prevStage'] = $isRecordTypeAllowedToModify && $stagesObj->isPrevStageAllowedForUser($versionRecord['t3ver_stage']);
 
 					if ($swapAccess && $swapStage != 0 && $versionRecord['t3ver_stage'] == $swapStage) {
-						$versionArray['allowedAction_swap'] = $stagesObj->isNextStageAllowedForUser($swapStage);
+						$versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify && $stagesObj->isNextStageAllowedForUser($swapStage);
 					} elseif ($swapAccess && $swapStage == 0) {
-						$versionArray['allowedAction_swap'] = TRUE;
+						$versionArray['allowedAction_swap'] = $isRecordTypeAllowedToModify;
 					} else {
 						$versionArray['allowedAction_swap'] = FALSE;
 					}
-					$versionArray['allowedAction_delete'] = TRUE;
+					$versionArray['allowedAction_delete'] = $isRecordTypeAllowedToModify;
 						// preview and editing of a deleted page won't work ;)
 					$versionArray['allowedAction_view'] = !$isDeletedPage && $viewUrl;
-					$versionArray['allowedAction_edit'] = !$isDeletedPage;
-					$versionArray['allowedAction_editVersionedPage'] = !$isDeletedPage;
+					$versionArray['allowedAction_edit'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
+					$versionArray['allowedAction_editVersionedPage'] = $isRecordTypeAllowedToModify && !$isDeletedPage;
 
 					$versionArray['state_Workspace'] = $recordState;
 
diff --git a/typo3/sysext/workspaces/Classes/Service/Workspaces.php b/typo3/sysext/workspaces/Classes/Service/Workspaces.php
index c37d0eafcb68..e2fc593c118d 100644
--- a/typo3/sysext/workspaces/Classes/Service/Workspaces.php
+++ b/typo3/sysext/workspaces/Classes/Service/Workspaces.php
@@ -123,7 +123,7 @@ class tx_Workspaces_Service_Workspaces {
 			}
 
 				// Select all versions to swap:
-			$versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+			$versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 
 				// Traverse the selection to build CMD array:
 			foreach ($versions as $table => $records) {
@@ -155,7 +155,7 @@ class tx_Workspaces_Service_Workspaces {
 			$stage = -99;
 
 				// Select all versions to swap:
-			$versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1));
+			$versions = $this->selectVersionsInWorkspace($wsid, 0, $stage, ($pageId ? $pageId : -1), 0, 'tables_modify');
 
 				// Traverse the selection to build CMD array:
 			foreach ($versions as $table => $records) {
@@ -179,9 +179,10 @@ class tx_Workspaces_Service_Workspaces {
 	 * @param	integer		Stage filter: -99 means no filtering, otherwise it will be used to select only elements with that stage. For publishing, that would be "10"
 	 * @param	integer		Page id: Live page for which to find versions in workspace!
 	 * @param	integer		Recursion Level - select versions recursive - parameter is only relevant if $pageId != -1
+	 * @param	string		How to collect records for "listing" or "modify" these tables. Support the permissions of each type of record (@see t3lib_userAuthGroup::check).
 	 * @return	array		Array of all records uids etc. First key is table name, second key incremental integer. Records are associative arrays with uid, t3ver_oid and t3ver_swapmode fields. The pid of the online record is found as "livepid" the pid of the offline record is found in "wspid"
 	 */
-	public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0) {
+	public function selectVersionsInWorkspace($wsid, $filter = 0, $stage = -99, $pageId = -1, $recursionLevel = 0, $selectionType = 'tables_select') {
 
 		$wsid = intval($wsid);
 		$filter = intval($filter);
@@ -198,6 +199,12 @@ class tx_Workspaces_Service_Workspaces {
 
 			// Traversing all tables supporting versioning:
 		foreach ($GLOBALS['TCA'] as $table => $cfg) {
+
+				// we do not collect records from tables without permissions on them.
+			if (! $GLOBALS['BE_USER']->check($selectionType, $table)) {
+				continue;
+			}
+
 			if ($GLOBALS['TCA'][$table]['ctrl']['versioningWS']) {
 
 				$recs = $this->selectAllVersionsFromPages($table, $pageList, $wsid, $filter, $stage);