Commit 3b0654fc authored by Helmut Hummel's avatar Helmut Hummel Committed by Markus Klein

[BUGFIX] Show deleted page actions in record history

Because users have no access to deleted pages,
the access check always fails, leading to delete page
actions not being shown in the history despite being
properly tracked.

We now check this case and do a more lightweight check
so that we still have the permissions checked,
but can show deleted pages without disclosing unwanted
information.

Resolves: #45056
Releases: 7.6, 8.7, master
Change-Id: Id919a24651c18a351f9723e86610b525a4f4726c
Reviewed-on: https://review.typo3.org/54580


Reviewed-by: default avatarMathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: default avatarMathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Wouter Wolters's avatarWouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein's avatarMarkus Klein <markus.klein@typo3.org>
parent f7cdd083
......@@ -333,6 +333,7 @@ class ElementHistoryController
$singleLine['title'] = $this->generateTitle($entry['tablename'], $entry['recuid']);
$singleLine['elementUrl'] = $this->buildUrl(['element' => $entry['tablename'] . ':' . $entry['recuid']]);
$singleLine['actiontype'] = $entry['actiontype'];
if ((int)$entry['actiontype'] === RecordHistoryStore::ACTION_MODIFY) {
// show changes
if (!$this->showDiff) {
......
......@@ -19,6 +19,7 @@ use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Database\Query\QueryBuilder;
use TYPO3\CMS\Core\DataHandling\DataHandler;
use TYPO3\CMS\Core\History\RecordHistoryStore;
use TYPO3\CMS\Core\Type\Bitmask\Permission;
use TYPO3\CMS\Core\Utility\GeneralUtility;
/**
......@@ -534,10 +535,27 @@ class RecordHistory
}
if (!isset($this->pageAccessCache[$pageId])) {
$this->pageAccessCache[$pageId] = BackendUtility::readPageAccess(
$pageId,
$this->getBackendUser()->getPagePermsClause(1)
);
$isDeletedPage = false;
if (isset($GLOBALS['TCA']['pages']['ctrl']['delete'])) {
$deletedField = $GLOBALS['TCA']['pages']['ctrl']['delete'];
$pageRecord = BackendUtility::getRecord('pages', $pageId, $deletedField, '', false);
$isDeletedPage = (bool)$pageRecord[$deletedField];
}
if ($isDeletedPage) {
// The page is deleted, so we fake its uid to be the one of the parent page.
// By doing so, the following API will use this id to traverse the rootline
// and check whether it is in the users' web mounts.
// We check however if the user has (or better had) access to the deleted page itself.
// Since the only way we got here is by requesting the history of the parent page
// we can be sure this parent page actually exists.
$pageRecord['uid'] = $pageRecord['pid'];
$this->pageAccessCache[$pageId] = $this->getBackendUser()->doesUserHaveAccess($pageRecord, Permission::PAGE_SHOW);
} else {
$this->pageAccessCache[$pageId] = BackendUtility::readPageAccess(
$pageId,
$this->getBackendUser()->getPagePermsClause(Permission::PAGE_SHOW)
);
}
}
return $this->pageAccessCache[$pageId] !== false;
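Review bot: The deleted-page branch reads `$pageRecord['pid']` and passes `$pageRecord` to `doesUserHaveAccess()`, but the record was fetched with only `$deletedField` in the field list. Unless `getRecord()` returns more columns than requested, `pid` and the ownership or permission columns the access check presumably evaluates are absent. The decision would then be made on a nearly empty row rather than on the deleted page's stored values, which is not what the inline comment promises. I would fetch the full row with `$pageRecord = BackendUtility::getRecord('pages', $pageId, '*', '', false);` and cover a missing row with `$isDeletedPage = is_array($pageRecord) && (bool)$pageRecord[$deletedField];`. The enclosing method starts above this hunk, so how `$pageId` is derived is not visible here.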
......
......@@ -35,7 +35,7 @@
<f:if condition="{historyRow.originalBackendUserName}"> ({f:translate(key: 'LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:viaUser')} {historyRow.originalBackendUserName})</f:if>
</td>
<td>
<a href="{elementUrl}" title="{f:translate('LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:linkRecordHistory')}">{historyRow.title}</a>
<a href="{elementUrl}" title="{f:translate(id: 'LLL:EXT:backend/Resources/Private/Language/locallang_show_rechis.xlf:linkRecordHistory')}">{historyRow.title -> f:format.raw()}</a>
</td>
<td>
<f:switch expression="{historyRow.actiontype}">
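Review bot: `{historyRow.title -> f:format.raw()}` turns off Fluid's output escaping for the link text, so the template now relies on the controller to deliver `title` as HTML-safe. The value is set by `generateTitle($entry['tablename'], $entry['recuid'])` in the ElementHistoryController hunk, whose body is not shown. If that method embeds an editor-controlled record label, it has to escape the label itself, otherwise stored markup would be rendered in the backend history view. Once that is confirmed, I would state the contract next to the raw output, e.g. `<f:comment>historyRow.title is already escaped by ElementHistoryController::generateTitle()</f:comment>`, and add a regression test that uses a record title containing markup.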
......