Task #56611: new reference error with non-admin user - Core - TYPO3 Forge

Core Indexed Search Linkvalidator Release Cycles Team Resources Workspaces & Versioning TYPO3 CMS Usability Team Community Extensions Distributions Feature-Requests TYPO3 6.2 Projects (+)(Archived Projects)

Task #56611

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Story #56431: Use new wizard registration and remove wizard entry points

new reference error with non-admin user

Added by Philipp Wrann over 1 year ago. Updated over 1 year ago.

Status:

Resolved

Start date:

2014-03-06

Priority:

Must have

Due date:

Assigned To:

% Done:

100%

Category:

Backend API

Spent time:

1.50 hour

Target version:

next-patchlevel

TYPO3 Version:

6.2

Complexity:

easy

PHP Version:

5.3

Sprint Focus:

Description

When logging in with a non-admin user and trying to create a reference results in the error attached to this issue
i made sure all file permissions are checked for the group.

I am allready in production, please fix asap.

As admin user everything works as expected

screen.jpg (168.7 kB) Philipp Wrann, 2014-03-06 15:11

Associated revisions

Revision 11ea2044
Added by Helmut Hummel over 1 year ago

[BUGFIX] Remove superflous check in getModuleUrl

There is a check in getModuleUrl that checks
access rights to modules and returns false
if this is not the case.

However access rights are checked in each
module independently anyway.

So we remove this check here.

Resolves: #56611
Releases: 6.2
Change-Id: I63901cba3e882aab23de17929a461f08bd899cf1
Reviewed-on: https://review.typo3.org/28118
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

History

#1 Updated by Philipp Wrann over 1 year ago

You dont have the possibility to allow the module
wizard_element_browser

to a group

So its not possible to enable the element browser except for admin users

trace

1)
$moduleUrl = BackendUtility::getModuleUrl('wizard_element_browser') . '&mode=';

2)
if (!$GLOBALS['BE_USER']->check('modules', $moduleName)) {
return FALSE;
}

3)
if (isset($this->groupData[$type])) {
if ($this->isAdmin() || GeneralUtility::inList($this->groupData[$type], $value)) {
return TRUE;
}
}
return FALSE;

Either you dont return false if the key is no actual module OR you add the wizard_element_browser to the modList, i wouldnt do that, you allready have so much to configure for backend users to be actual able to do SOMEthing.

####
BTW:
when adding wizard_element_browser to the list of allowed modules (be_groups::groupsMods) you can workaround this bug.

#2 Updated by Markus Klein over 1 year ago

Category changed from File Abstraction Layer (FAL) to Backend API
Status changed from New to Accepted
Complexity changed from no-brainer to easy
Is Regression changed from No to Yes

#3 Updated by Gerrit Code Review over 1 year ago

Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28118

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28118

#5 Updated by Helmut Hummel over 1 year ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset 11ea20441bf58791bd9a266d118ebaff39622a66.

#6 Updated by Helmut Hummel over 1 year ago

Parent task set to #56431

Also available in: Atom PDF

Core

Issues

Custom queries

Watchers (3)