Task #56611

Epic #55070: Workpackages

Epic #55066: WP: Security enhancements

Story #56431: Use new wizard registration and remove wizard entry points

new reference error with non-admin user

Added by Philipp Wrann over 1 year ago. Updated over 1 year ago.

Status:Resolved Start date:2014-03-06
Priority:Must have Due date:
Assigned To:- % Done:

100%

Category:Backend API Spent time: 1.50 hour
Target version:next-patchlevel
TYPO3 Version:6.2 Complexity:easy
PHP Version:5.3 Sprint Focus:

Description

When logging in with a non-admin user and trying to create a reference results in the error attached to this issue
i made sure all file permissions are checked for the group.

I am allready in production, please fix asap.

As admin user everything works as expected

screen.jpg (168.7 kB) Philipp Wrann, 2014-03-06 15:11

Associated revisions

Revision 11ea2044
Added by Helmut Hummel over 1 year ago

[BUGFIX] Remove superflous check in getModuleUrl

There is a check in getModuleUrl that checks
access rights to modules and returns false
if this is not the case.

However access rights are checked in each
module independently anyway.

So we remove this check here.

Resolves: #56611
Releases: 6.2
Change-Id: I63901cba3e882aab23de17929a461f08bd899cf1
Reviewed-on: https://review.typo3.org/28118
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters

History

#1 Updated by Philipp Wrann over 1 year ago

You dont have the possibility to allow the module
wizard_element_browser

to a group

So its not possible to enable the element browser except for admin users

trace

1)
$moduleUrl = BackendUtility::getModuleUrl('wizard_element_browser') . '&mode=';

2)
if (!$GLOBALS['BE_USER']->check('modules', $moduleName)) {
return FALSE;
}

3)
if (isset($this->groupData[$type])) {
if ($this->isAdmin() || GeneralUtility::inList($this->groupData[$type], $value)) {
return TRUE;
}
}
return FALSE;

Either you dont return false if the key is no actual module OR you add the wizard_element_browser to the modList, i wouldnt do that, you allready have so much to configure for backend users to be actual able to do SOMEthing.

####
BTW:
when adding wizard_element_browser to the list of allowed modules (be_groups::groupsMods) you can workaround this bug.

#2 Updated by Markus Klein over 1 year ago

  • Category changed from File Abstraction Layer (FAL) to Backend API
  • Status changed from New to Accepted
  • Complexity changed from no-brainer to easy
  • Is Regression changed from No to Yes

#3 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28118

#4 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/28118

#5 Updated by Helmut Hummel over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6 Updated by Helmut Hummel over 1 year ago

  • Parent task set to #56431

Also available in: Atom PDF