Commit ab5c62d6 authored by Georg Ringer's avatar Georg Ringer Committed by Oliver Bartsch

[BUGFIX] Show edit options only if editor got access

Check table select/modify options before rendering the action/button.

Resolves: #89240
Related: #90178
Releases: master
Change-Id: I47cc5a4a5910a0fc18ce1f6e72abccf7cca3673a
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63245

Tested-by: core-ci's avatarcore-ci <typo3@b13.com>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Sybille Peters's avatarSybille Peters <sypets@gmx.de>
Tested-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch's avatarOliver Bartsch <bo@cedev.de>
parent 9fccd106
......@@ -296,6 +296,9 @@ class PageProvider extends RecordProvider
) {
return false;
}
if (!$this->backendUser->check('tables_modify', $this->table)) {
return false;
}
return $this->hasPagePermission(Permission::PAGE_NEW);
}
......@@ -321,6 +324,9 @@ class PageProvider extends RecordProvider
if (isset($GLOBALS['TCA'][$this->table]['ctrl']['adminOnly']) && $GLOBALS['TCA'][$this->table]['ctrl']['adminOnly']) {
return false;
}
if (!$this->backendUser->check('tables_modify', $this->table)) {
return false;
}
return !$this->isRecordLocked() && $this->hasPagePermission(Permission::PAGE_EDIT);
}
......@@ -349,6 +355,9 @@ class PageProvider extends RecordProvider
) {
return false;
}
if (!$this->backendUser->check('tables_modify', $this->table)) {
return false;
}
return !$this->isWebMount()
&& $this->canBeEdited()
&& !$this->isDeletePlaceholder();
......@@ -369,6 +378,9 @@ class PageProvider extends RecordProvider
) {
return false;
}
if (!$this->backendUser->check('tables_select', $this->table)) {
return false;
}
return !$this->isRoot()
&& !$this->isWebMount()
&& !$this->isRecordInClipboard('copy')
......@@ -602,6 +614,7 @@ class PageProvider extends RecordProvider
if (!empty($GLOBALS['TCA'][$this->table]['columns'][$fieldName]['exclude'])
&& $this->record['doktype'] <= PageRepository::DOKTYPE_SPACER
&& $this->backendUser->check('non_exclude_fields', $this->table . ':' . $fieldName)
&& $this->backendUser->check('tables_modify', $this->table)
) {
return (int)$this->record[$fieldName] === $value;
}
......
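Review bot: The fourth guard in this section checks `tables_select` while the other three check `tables_modify`, and nothing in the hunk says why. The enclosing method signatures lie outside the hunks, so it cannot be confirmed from here that this is the copy action, where read access would be enough. A one-line comment above that guard, such as `// Copying only reads the record, so tables_select is sufficient`, would make the difference visibly deliberate. The same three-line guard is now repeated in four methods, so a small private helper, for example `hasTablePermission(string $type): bool`, would keep them from drifting apart. These checks only decide whether a context-menu item is offered, so the edit endpoint presumably still has to enforce the table permission itself.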
......@@ -817,7 +817,7 @@ class PageLayoutController
$this->buttonBar->addButton($clearCacheButton, ButtonBar::BUTTON_POSITION_RIGHT, 1);
// Edit page properties and page language overlay icons
if ($this->isPageEditable(0)) {
if ($this->isPageEditable(0) && $this->getBackendUser()->check('tables_modify', 'pages')) {
/** @var \TYPO3\CMS\Core\Http\NormalizedParams */
$normalizedParams = $request->getAttribute('normalizedParams');
// Edit localized pages only when one specific language is selected
......
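Review bot: The `tables_modify` check is attached to this one call site rather than to `isPageEditable()` itself. Any other caller of that method (not visible in this hunk) would still treat the page as editable for a user who lacks modify rights on `pages`. If the method is meant to answer "may this user edit the page record", the table check belongs inside it, and the condition here can stay `if ($this->isPageEditable(0)) {`. If the split is intentional, a short comment such as `// isPageEditable() covers page and language permissions only; table access is checked separately` would tell the next reader. The enclosing method starts and ends outside the hunk.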
......@@ -256,7 +256,12 @@ class PageInformationController
// Traverse fields (as set above) in order to create header values:
foreach ($this->fieldArray as $field) {
$editButton = '';
if ($editIdList && isset($GLOBALS['TCA']['pages']['columns'][$field]) && $field !== 'uid') {
if (
$editIdList
&& isset($GLOBALS['TCA']['pages']['columns'][$field]) && $field !== 'uid'
&& $this->getBackendUser()->check('tables_modify', 'pages')
&& $this->getBackendUser()->check('non_exclude_fields', 'pages:' . $field)
) {
$iTitle = sprintf(
$lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_layout.xlf:editThisColumn'),
rtrim(trim($lang->sL(BackendUtility::getItemLabel('pages', $field))), ':')
......@@ -446,11 +451,14 @@ class PageInformationController
htmlspecialchars($this->getLanguageService()->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:labels.showPage')) . '">' .
$this->iconFactory->getIcon('actions-view-page', Icon::SIZE_SMALL)->render() .
'</a>';
$editButton .=
'<a class="btn btn-default" href="' . htmlspecialchars($url) . '" title="' .
htmlspecialchars($this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_layout.xlf:editDefaultLanguagePage')) . '">' .
$this->iconFactory->getIcon('actions-page-open', Icon::SIZE_SMALL)->render() .
'</a>';
if ($this->getBackendUser()->check('tables_modify', 'pages')) {
$editButton .=
'<a class="btn btn-default" href="' . htmlspecialchars($url) . '" title="' .
htmlspecialchars($this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_layout.xlf:editDefaultLanguagePage')) . '">' .
$this->iconFactory->getIcon('actions-page-open', Icon::SIZE_SMALL)->render() .
'</a>';
}
}
// Since the uid is overwritten with the edit button markup we need to store
// the actual uid to be able to add it as data attribute to the table data cell.
......
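Review bot: In the header loop the new `non_exclude_fields` check is applied to every column, whereas the PageProvider hunk in this same commit consults it only when the TCA column has `exclude` set. If `check('non_exclude_fields', …)` succeeds only for fields listed in the editor's allowed exclude fields, as that precondition suggests, then columns without the `exclude` flag lose their edit button for non-admin editors who may in fact edit them. Mirroring the other guard would avoid that: `&& (empty($GLOBALS['TCA']['pages']['columns'][$field]['exclude']) || $this->getBackendUser()->check('non_exclude_fields', 'pages:' . $field))`. The `tables_modify` result does not depend on `$field`, so it could be computed once before the `foreach` and reused for the button in the second hunk as well.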
......@@ -229,10 +229,12 @@ class TranslationStatusController
$info = '<a href="#" ' . $previewUriBuilder->serializeDispatcherAttributes()
. ' class="btn btn-default" title="' . $lang->sL('LLL:EXT:info/Resources/Private/Language/locallang_webinfo.xlf:lang_renderl10n_viewPage') . '">' .
$this->iconFactory->getIcon('actions-view-page', Icon::SIZE_SMALL)->render() . '</a>';
$info .= '<a href="' . htmlspecialchars($editUrl)
. '" class="btn btn-default" title="' . $lang->sL(
'LLL:EXT:info/Resources/Private/Language/locallang_webinfo.xlf:lang_renderl10n_editDefaultLanguagePage'
) . '">' . $this->iconFactory->getIcon('actions-page-open', Icon::SIZE_SMALL)->render() . '</a>';
if ($this->getBackendUser()->check('tables_modify', 'pages')) {
$info .= '<a href="' . htmlspecialchars($editUrl)
. '" class="btn btn-default" title="' . $lang->sL(
'LLL:EXT:info/Resources/Private/Language/locallang_webinfo.xlf:lang_renderl10n_editDefaultLanguagePage'
) . '">' . $this->iconFactory->getIcon('actions-page-open', Icon::SIZE_SMALL)->render() . '</a>';
}
$info .= '&nbsp;';
$info .= $pageTranslationVisibility->shouldBeHiddenInDefaultLanguage() ? '<span title="' . htmlspecialchars($lang->sL('LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:pages.l18n_cfg.I.1')) . '">D</span>' : '&nbsp;';
$info .= $pageTranslationVisibility->shouldHideTranslationIfNoTranslatedRecordExists() ? '<span title="' . htmlspecialchars($lang->sL('LLL:EXT:frontend/Resources/Private/Language/locallang_tca.xlf:pages.l18n_cfg.I.2')) . '">N</span>' : '&nbsp;';
......@@ -320,7 +322,7 @@ class TranslationStatusController
// Put together HEADER:
$headerCells = [];
$headerCells[] = '<th>' . $lang->sL('LLL:EXT:info/Resources/Private/Language/locallang_webinfo.xlf:lang_renderl10n_page') . '</th>';
if (is_array($langRecUids[0])) {
if ($this->getBackendUser()->check('tables_modify', 'pages') && is_array($langRecUids[0])) {
$editUrl = (string)$this->uriBuilder->buildUriFromRoute('record_edit', [
'edit' => [
'pages' => [
......
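Review bot: The `title` attribute of the edit link inside the new `if` is filled from `$lang->sL(...)` without `htmlspecialchars()`, although the labels a few lines further down in the same hunk are escaped. Language labels are normally trusted, but they can be overridden per installation, so encoding them consistently for the attribute context is the safer habit: `. '" class="btn btn-default" title="' . htmlspecialchars($lang->sL(` with the matching closing parenthesis. The view-page link just above has the same gap. The `tables_modify` check on `pages` is evaluated in both hunks of this file, so storing it once in a local variable would keep the two places in step.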
......@@ -454,7 +454,12 @@ class RecordListController
}
// If edit permissions are set, see
// \TYPO3\CMS\Core\Authentication\BackendUserAuthentication
if ($this->pagePermissions->editPagePermissionIsGranted() && $this->editLockPermissions() && $backendUser->checkLanguageAccess(0)) {
if (
$this->getBackendUserAuthentication()->check('tables_modify', 'pages')
&& $this->pagePermissions->editPagePermissionIsGranted()
&& $this->editLockPermissions()
&& $backendUser->checkLanguageAccess(0)
) {
// Edit
$editLink = $this->uriBuilder->buildUriFromRoute('record_edit', [
'edit' => [
......
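Review bot: The added condition fetches the user through `$this->getBackendUserAuthentication()`, while the last operand of the same `if` uses the local `$backendUser`. That variable is assigned outside the hunk, presumably from the same accessor. Using it for the new check as well, `$backendUser->check('tables_modify', 'pages')`, makes it obvious that both permission checks run against the same user object. Since this only controls whether the edit link is built, the `record_edit` route is presumably still the place where the permission is actually enforced.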