[BUGFIX] Respect editPanel.onlyCurrentPid = 1

When accessing the editPanel, the option "onlyCurrentPid" allows to also check the permissions of the editable record to verify if the user is allowed to edit it. When checking for CONTENT_EDIT permissions, the "onlyCurrentPid" is also evaluated now, having "mayEdit" set to false by default, before evaluating the condition further. Resolves: #43429 Releases: master, 9.5 Change-Id: I47ed7a7b8c0d1c750cd5b13b485ed14b3aced2dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63616 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Daniel Siepmann <coding@daniel-siepmann.de> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Susanne Moog <look@susi.dev> Reviewed-by: Benni Mack <benni@typo3.org>

[BUGFIX] Respect editPanel.onlyCurrentPid = 1
When accessing the editPanel, the option "onlyCurrentPid" allows to also check the permissions of the editable record to verify if the user is allowed to edit it. When checking for CONTENT_EDIT permissions, the "onlyCurrentPid" is also evaluated now, having "mayEdit" set to false by default, before evaluating the condition further. Resolves: #43429 Releases: master, 9.5 Change-Id: I47ed7a7b8c0d1c750cd5b13b485ed14b3aced2dd Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63616 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Daniel Siepmann <coding@daniel-siepmann.de> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Susanne Moog <look@susi.dev> Reviewed-by: Benni Mack <benni@typo3.org>
585287e9 · Benni Mack · 94d6369b · 585287e9
Commit 585287e9 authored 5 years ago by Benni Mack
--- a/typo3/sysext/backend/Classes/FrontendBackendUserAuthentication.php
+++ b/typo3/sysext/backend/Classes/FrontendBackendUserAuthentication.php
@@ -135,18 +135,22 @@ class FrontendBackendUserAuthentication extends BackendUserAuthentication
            $editAccessInternals = true;
        }
        if ($editAccessInternals) {
-            if ($table === 'pages') {
-                if ($this->isAdmin() || $this->doesUserHaveAccess($dataArray, Permission::PAGE_EDIT)) {
+            $restrictEditingToRecordsOfCurrentPid = !empty($conf['onlyCurrentPid'] ?? false);
+            if ($this->isAdmin()) {
+                $mayEdit = true;
+            } elseif ($table === 'pages') {
+                if ($this->doesUserHaveAccess($dataArray, Permission::PAGE_EDIT)) {
                    $mayEdit = true;
                }
            } else {
-                if ($this->isAdmin() || $this->doesUserHaveAccess(BackendUtility::getRecord('pages', $dataArray['pid']), Permission::CONTENT_EDIT)) {
+                $pageOfEditableRecord = BackendUtility::getRecord('pages', $dataArray['pid']);
+                if ($this->doesUserHaveAccess($pageOfEditableRecord, Permission::CONTENT_EDIT) && !$restrictEditingToRecordsOfCurrentPid) {
                    $mayEdit = true;
                }
            }
-            if (!$conf['onlyCurrentPid'] || $dataArray['pid'] == $GLOBALS['TSFE']->id) {
-                // Permissions:
-                $perms = $this->calcPerms($GLOBALS['TSFE']->page);
+            // Check the permission of the "pid" that should be accessed, if not disabled.
+            if (!$restrictEditingToRecordsOfCurrentPid || $dataArray['pid'] == $GLOBALS['TSFE']->id) {
+                // Permissions
                if ($table === 'pages') {
                    $allow = $this->getAllowedEditActions($table, $conf, $dataArray['pid']);
                    // Can only display editbox if there are options in the menu
@@ -154,6 +158,7 @@ class FrontendBackendUserAuthentication extends BackendUserAuthentication
                        $mayEdit = true;
                    }
                } else {
+                    $perms = $this->calcPerms($GLOBALS['TSFE']->page);
                    $types = GeneralUtility::trimExplode(',', strtolower($conf['allow']), true);
                    $allow = array_flip($types);
                    $mayEdit = !empty($allow) && $perms & Permission::CONTENT_EDIT;