Commit 4688014c authored by Jochen Roth's avatar Jochen Roth Committed by Oliver Bartsch

[BUGFIX] Hide inline edit title button when user has no permissions

Currently the inline edit button is shown even though a
user does not have necessary edit permissions.

This has been fixed by adding the necessary checks.

As a side effect, the corresponding t3js class is no longer added to the
header of modules that do not represent an editable record title.

Resolves: #96030
Releases: master, 11.5
Change-Id: I630e97263a950cf00229ce0613e2c4d35a11425e
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/72233

Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Jochen's avatarJochen <rothjochen@gmail.com>
Tested-by: Nikita Hovratov's avatarNikita Hovratov <nikita.h@live.de>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Jochen's avatarJochen <rothjochen@gmail.com>
Reviewed-by: Nikita Hovratov's avatarNikita Hovratov <nikita.h@live.de>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
parent b7374710
......@@ -817,7 +817,7 @@ class PageLayoutController
$this->buttonBar->addButton($clearCacheButton, ButtonBar::BUTTON_POSITION_RIGHT, 1);
// Edit page properties and page language overlay icons
if ($this->isPageEditable(0) && $this->getBackendUser()->check('tables_modify', 'pages')) {
if ($this->isPageEditable(0)) {
/** @var \TYPO3\CMS\Core\Http\NormalizedParams */
$normalizedParams = $request->getAttribute('normalizedParams');
// Edit localized pages only when one specific language is selected
......@@ -985,13 +985,22 @@ class PageLayoutController
*/
protected function isPageEditable(int $languageId): bool
{
if ($this->getBackendUser()->isAdmin()) {
if ($GLOBALS['TCA']['pages']['ctrl']['readOnly'] ?? false) {
return false;
}
$backendUser = $this->getBackendUser();
if ($backendUser->isAdmin()) {
return true;
}
if ($GLOBALS['TCA']['pages']['ctrl']['adminOnly'] ?? false) {
return false;
}
return !$this->pageinfo['editlock']
&& $this->getBackendUser()->doesUserHaveAccess($this->pageinfo, Permission::PAGE_EDIT)
&& $this->getBackendUser()->checkLanguageAccess($languageId);
return $this->pageinfo !== []
&& !(bool)($this->pageinfo[$GLOBALS['TCA']['pages']['ctrl']['editlock'] ?? null] ?? false)
&& $backendUser->doesUserHaveAccess($this->pageinfo, Permission::PAGE_EDIT)
&& $backendUser->checkLanguageAccess($languageId)
&& $backendUser->check('tables_modify', 'pages');
}
/**
......
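Review bot: The edit-lock lookup in the new isPageEditable() of the second hunk, `$this->pageinfo[$GLOBALS['TCA']['pages']['ctrl']['editlock'] ?? null] ?? false`, silently falls back to a `''` key when no `editlock` column is configured, which reads as a bug to the next maintainer even though the result (page treated as not locked) is intended; a one-line comment such as `// Without an editlock column in TCA['pages']['ctrl'] the page can never be locked` would settle that. The ordering of the table-level checks also deserves a why-comment, since it is what makes the method correct: `// readOnly tables are never editable, not even by admins` before the first guard, and `// adminOnly tables: admins already returned true above` before the second. This predicate only governs which buttons are rendered; the `record_edit` route is presumably enforcing the same rules server-side, which is not visible here and worth stating in the method's docblock, whose opening lies before the hunk.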
......@@ -752,15 +752,16 @@ class ModuleTemplate
* Closes section if open.
*
* @param string $text The text string for the header
* @param bool $inlineEdit Whether the header should be editable (e.g. page title)
* @return string HTML content
* @internal
*/
public function header($text)
public function header(string $text, bool $inlineEdit = true)
{
return '
<!-- MAIN Header in page top -->
<h1 class="t3js-title-inlineedit">' . htmlspecialchars($text) . '</h1>
<h1 ' . ($inlineEdit ? 'class="t3js-title-inlineedit"' : '') . '>' . htmlspecialchars($text) . '</h1>
';
}
......
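Review bot: `header()` defaults `$inlineEdit` to `true`, so any caller outside this change (none are visible here) and any future caller keeps emitting the `t3js-title-inlineedit` hook regardless of the user's permissions, which is the situation the commit sets out to fix. As the method is marked `@internal`, inverting the default to `false` and having the page-aware callers pass their permission check would fail closed; if the default has to stay for compatibility, say so in the docblock, e.g. `@param bool $inlineEdit Whether the header should be editable (e.g. page title); pass the result of a permission check, never a bare true`. Now that the parameters are typed the return type can be declared too, `public function header(string $text, bool $inlineEdit = true): string`, matching the `@return string` line.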
......@@ -217,7 +217,7 @@ class InfoModuleController
$this->content = $this->view->render();
} else {
// If no access or if ID == zero
$this->content = $this->moduleTemplate->header($this->getLanguageService()->getLL('title'));
$this->content = $this->moduleTemplate->header($this->getLanguageService()->getLL('title'), false);
}
$this->moduleTemplate->setTitle(
......
......@@ -237,7 +237,7 @@ class RecordListController
$title = $pageinfo['title'] ?? '';
}
$body = ImmediateActionElement::moduleStateUpdate('web', (int)$this->id);
$body .= $this->moduleTemplate->header($title);
$body .= $this->moduleTemplate->header($title, $this->isPageEditable());
// Additional header content
/** @var RenderAdditionalContentToRecordListEvent $additionalRecordListEvent */
......@@ -453,12 +453,7 @@ class RecordListController
}
// If edit permissions are set, see
// \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
if (
$this->getBackendUserAuthentication()->check('tables_modify', 'pages')
&& $this->pagePermissions->editPagePermissionIsGranted()
&& $this->editLockPermissions()
&& $backendUser->checkLanguageAccess(0)
) {
if ($this->isPageEditable()) {
// Edit
$editLink = $this->uriBuilder->buildUriFromRoute('record_edit', [
'edit' => [
......@@ -725,4 +720,29 @@ class RecordListController
{
return $GLOBALS['LANG'];
}
/**
* Check if page can be edited by current user
*
* @return bool
*/
protected function isPageEditable(): bool
{
if ($GLOBALS['TCA']['pages']['ctrl']['readOnly'] ?? false) {
return false;
}
$backendUser = $this->getBackendUserAuthentication();
if ($backendUser->isAdmin()) {
return true;
}
if ($GLOBALS['TCA']['pages']['ctrl']['adminOnly'] ?? false) {
return false;
}
return $this->pageInfo !== []
&& $this->editLockPermissions()
&& $this->pagePermissions->editPagePermissionIsGranted()
&& $backendUser->checkLanguageAccess(0)
&& $backendUser->check('tables_modify', 'pages');
}
}
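Review bot: RecordListController::isPageEditable() in the third hunk duplicates PageLayoutController::isPageEditable() from this same commit almost line for line — the readOnly/admin/adminOnly ordering, the empty page-info guard, the language and `tables_modify` checks — differing only in the hard-coded language id 0 and the edit-lock accessor. Two copies of a permission predicate will drift the first time one controller gains a new condition; a single shared helper taking the page record and the language id, called from both controllers, would keep the two edit buttons agreeing. Whether `$backendUser`, referenced by the removed condition in the second hunk, is still used after the condition collapsed to `$this->isPageEditable()` is not visible from the hunk; if it is now unused, drop its assignment. The `@return bool` line of the new docblock restates the native return type and can go.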
......@@ -370,7 +370,7 @@ class SetupModuleController
$uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
$this->content .= '<form action="' . $uriBuilder->buildUriFromRoute('user_setup') . '" method="post" id="SetupModuleController" name="usersetup" enctype="multipart/form-data">';
$this->content .= '<div id="user-setup-wrapper">';
$this->content .= $this->moduleTemplate->header($this->getLanguageService()->getLL('UserSettings'));
$this->content .= $this->moduleTemplate->header($this->getLanguageService()->getLL('UserSettings'), false);
$this->addFlashMessages();
$formToken = $this->formProtection->generateToken('BE user setup', 'edit');
......