Commit a1b10c5b authored by Michael Oehlhof's avatar Michael Oehlhof Committed by Andreas Wolf

[BUGFIX] Fixed permissions of media field in page properties

It was not possible to add media to the page properties if the user had
only the permissions for "page edit" and not for "page content".

Resolves: #66702
Releases: master, 6.2
Change-Id: I553ee805a0e992d2ea5e00b91e7de733b2e4c94e
Reviewed-on: http://review.typo3.org/40835

Reviewed-by: default avatarSusanne Moog <typo3@susannemoog.de>
Tested-by: default avatarSusanne Moog <typo3@susannemoog.de>
Reviewed-by: default avatarMarkus Sommer <markussom@posteo.de>
Tested-by: default avatarMarkus Sommer <markussom@posteo.de>
Reviewed-by: Andreas Wolf's avatarAndreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf's avatarAndreas Wolf <andreas.wolf@typo3.org>
parent 3e2d72d3
......@@ -22,6 +22,7 @@ use TYPO3\CMS\Core\Resource\ResourceFactory;
use TYPO3\CMS\Core\Utility\MathUtility;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
use TYPO3\CMS\Core\Utility\StringUtility;
use TYPO3\CMS\Lang\LanguageService;
use TYPO3\CMS\Backend\Utility\IconUtility;
use TYPO3\CMS\Core\Type\Bitmask\Permission;
......@@ -430,6 +431,7 @@ class InlineRecordContainer extends AbstractContainer {
$tcaTableCtrl = &$GLOBALS['TCA'][$foreign_table]['ctrl'];
$tcaTableCols = &$GLOBALS['TCA'][$foreign_table]['columns'];
$isPagesTable = $foreign_table === 'pages';
$isSysFileReferenceTable = $foreign_table === 'sys_file_reference';
$isOnSymmetricSide = RelationHandler::isOnSymmetricSide($parentUid, $config, $rec);
$enableManualSorting = $tcaTableCtrl['sortby'] || $config['MM'] || !$isOnSymmetricSide && $config['foreign_sortby'] || $isOnSymmetricSide && $config['symmetric_sortby'];
$nameObject = $this->inlineStackProcessor->getCurrentStructureDomObjectIdPrefix($this->globalOptions['inlineFirstPid']);
......@@ -527,7 +529,9 @@ class InlineRecordContainer extends AbstractContainer {
}
}
// "Delete" link:
if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & Permission::PAGE_DELETE || !$isPagesTable && $calcPerms & Permission::CONTENT_EDIT)) {
if ($enabledControls['delete'] && ($isPagesTable && $localCalcPerms & Permission::PAGE_DELETE
|| !$isPagesTable && $calcPerms & Permission::CONTENT_EDIT
|| $isSysFileReferenceTable && $calcPerms & Permission::PAGE_EDIT)) {
$onClick = 'inline.deleteRecord(' . GeneralUtility::quoteJSvalue($nameObjectFtId) . ');';
$cells['delete'] = '
<a class="btn btn-default" href="#" onclick="' . htmlspecialchars(('if (confirm(' . GeneralUtility::quoteJSvalue($languageService->getLL('deleteWarning')) . ')) { ' . $onClick . ' } return false;')) . '">
......@@ -622,8 +626,14 @@ class InlineRecordContainer extends AbstractContainer {
// Are we allowed to create new subpages?
$hasAccess = (bool)($CALC_PERMS & Permission::PAGE_NEW);
} else {
// Are we allowed to edit content on this page?
$hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
// Are we allowed to edit the page?
if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
$hasAccess = (bool)($CALC_PERMS & Permission::PAGE_EDIT);
}
if (!$hasAccess) {
// Are we allowed to edit content on this page?
$hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
}
}
} else {
$hasAccess = TRUE;
......@@ -640,7 +650,12 @@ class InlineRecordContainer extends AbstractContainer {
} else {
// Fetching pid-record first.
$CALC_PERMS = $backendUser->calcPerms(BackendUtility::getRecord('pages', $calcPRec['pid']));
$hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
if ($table === 'sys_file_reference' && $this->isMediaOnPages($theUid)) {
$hasAccess = (bool)($CALC_PERMS & Permission::PAGE_EDIT);
}
if (!$hasAccess) {
$hasAccess = (bool)($CALC_PERMS & Permission::CONTENT_EDIT);
}
}
// Check internals regarding access
$isRootLevelRestrictionIgnored = BackendUtility::isRootLevelRestrictionIgnored($table);
......@@ -728,6 +743,20 @@ class InlineRecordContainer extends AbstractContainer {
}
}
/**
* Check if the record is a media element on a page.
*
* @param string $theUid Uid of the sys_file_reference record to be checked
* @return bool TRUE if the record has media in the column 'fieldname' and pages in the column 'tablenames'
*/
protected function isMediaOnPages($theUid) {
if (StringUtility::beginsWith($theUid, 'NEW')) {
return TRUE;
}
$row = BackendUtility::getRecord('sys_file_reference', $theUid);
return ($row['fieldname'] === 'media') && ($row['tablenames'] === 'pages');
}
/**
* @return BackendUserAuthentication
*/
......
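Review bot: `isMediaOnPages()` returns TRUE for every uid that begins with `NEW`, so in both access hunks any not-yet-saved `sys_file_reference` is checked against `Permission::PAGE_EDIT`, whether its parent is the page's media field or a content element. The "Delete" condition is loose in the same way: `$isSysFileReferenceTable && $calcPerms & Permission::PAGE_EDIT` never asks whether the reference belongs to a page at all. I would have the helper take the parent table and field from the inline structure instead of trusting the `NEW` prefix, and narrow the delete clause to `|| $isSysFileReferenceTable && $this->isMediaOnPages($rec['uid']) && $calcPerms & Permission::PAGE_EDIT` (assuming `$rec['uid']` is the child uid here; the function bodies start outside the hunks). Also, `$hasAccess` is read in `if (!$hasAccess)` before any assignment visible in these hunks, so it should be initialised to `FALSE` if that is not already done above.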
......@@ -5982,7 +5982,15 @@ class DataHandler {
}
$res = FALSE;
$pageExists = (bool)$this->doesRecordExist('pages', $pid, ($insertTable === 'pages' ? $this->pMap['new'] : $this->pMap['editcontent']));
if ($insertTable === 'pages') {
$perms = $this->pMap['new'];
// @todo: find a more generic way to handle content relations of a page (without needing content editing access to that page)
} elseif (($insertTable === 'sys_file_reference') && array_key_exists('pages', $this->datamap)) {
$perms = $this->pMap['edit'];
} else {
$perms = $this->pMap['editcontent'];
}
$pageExists = (bool)$this->doesRecordExist('pages', $pid, $perms);
// If either admin and root-level or if page record exists and 1) if 'pages' you may create new ones 2) if page-content, new content items may be inserted on the $pid page
if ($pageExists || $pid === 0 && ($this->admin || BackendUtility::isRootLevelRestrictionIgnored($insertTable))) {
// Check permissions
......@@ -6061,7 +6069,11 @@ class DataHandler {
case 'new':
// This holds it all in case the record is not page!!
if ($table === 'sys_file_reference' && array_key_exists('pages', $this->datamap)) {
$perms = 'edit';
} else {
$perms = 'editcontent';
}
break;
}
}
......
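Review bot: The relaxed check keys on `array_key_exists('pages', $this->datamap)`, which only says that the submitted datamap contains some `pages` entry, not that this `sys_file_reference` has `tablenames = 'pages'`, `fieldname = 'media'` or belongs to page `$pid`. Because the datamap is request data, the page-edit permission would then also cover file references whose parent is a content element, as long as any `pages` entry is part of the same submission. The same test is repeated in the `case 'new':` hunk further down. Until the `@todo` is resolved, the condition should look at the incoming record's own `tablenames`/`fieldname` values (not visible in these hunks, whose functions start and end outside them), and a comment such as `// datamap is request data: a 'pages' key alone does not prove this reference belongs to that page` would make the limitation explicit.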