From 7c3779ad157251fb3302addba32a6ab2291e199a Mon Sep 17 00:00:00 2001
From: Tymoteusz Motylewski <t.motylewski@gmail.com>
Date: Mon, 16 Oct 2017 17:38:11 +0200
Subject: [PATCH] [BUGFIX] Check permissions for page deletion in context menu

Resolves: #82777
Releases: master, 8.7
Change-Id: I080e9d47053665c51fdc7b46787cd32299bfaba9
Reviewed-on: https://review.typo3.org/55235
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Andreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Tested-by: Mathias Schreiber <mathias.schreiber@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
---
 .../ContextMenu/ItemProviders/PageProvider.php   |  3 ++-
 .../ContextMenu/ItemProviders/RecordProvider.php | 16 +++++++++++++---
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/PageProvider.php b/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/PageProvider.php
index b414ec1cec3a..efed92c2e7ef 100644
--- a/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/PageProvider.php
+++ b/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/PageProvider.php
@@ -366,10 +366,11 @@ class PageProvider extends RecordProvider
      *
      * @return bool
      */
-    protected function canBeRemoved(): bool
+    protected function canBeDeleted(): bool
     {
         return !$this->isDeletePlaceholder()
             && !$this->isRecordLocked()
+            && !$this->isDeletionDisabledInTS()
             && $this->hasPagePermission(Permission::PAGE_DELETE);
     }
 
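Review bot: Nothing in the docblock records that the renamed `canBeDeleted()` is meant to override `RecordProvider::canBeDeleted()`, and the rename is the only thing that makes these page checks take effect. Presumably the old `canBeRemoved()` was never consulted when the delete item was rendered, so the page-specific conditions were skipped without any error. I would add a docblock line such as `Overrides RecordProvider::canBeDeleted() so the delete item honours page permissions`, plus a functional test asserting the item is absent without `Permission::PAGE_DELETE`, so a later rename cannot silently disable the check again. This method only decides menu visibility; the delete request itself still has to be rejected server-side, which this patch does not show. The docblock starts above the hunk.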
diff --git a/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/RecordProvider.php b/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/RecordProvider.php
index 94b441671d2f..1d15c5ba812f 100644
--- a/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/RecordProvider.php
+++ b/typo3/sysext/backend/Classes/ContextMenu/ItemProviders/RecordProvider.php
@@ -486,15 +486,25 @@ class RecordProvider extends AbstractProvider
     }
 
     /**
-     * Checks if the user has the right to delete the page
+     * Checks if disableDelete flag is set in TSConfig for the current table
      *
      * @return bool
      */
-    protected function canBeDeleted(): bool
+    protected function isDeletionDisabledInTS(): bool
     {
         $disableDeleteTS = $this->backendUser->getTSConfig('options.disableDelete');
         $disableDelete = (bool) trim($disableDeleteTS['properties'][$this->table] ?? (string)$disableDeleteTS['value']);
-        return !$disableDelete && $this->canBeEdited();
+        return $disableDelete;
+    }
+
+    /**
+     * Checks if the user has the right to delete the page
+     *
+     * @return bool
+     */
+    protected function canBeDeleted(): bool
+    {
+        return !$this->isDeletionDisabledInTS() && $this->canBeEdited();
     }
 
     /**
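Review bot: The docblock kept on `canBeDeleted()` still says "the right to delete the page", but `RecordProvider` evaluates `$this->table` and so applies to any record type; I would reword it to `Checks if the user may delete the record (not disabled via TSConfig and editable)`. The docblock of the new `isDeletionDisabledInTS()` could also state the precedence the code implements: a per-table entry in `properties` wins over the global `value`, and any trimmed string other than empty or `0` counts as disabled. As a point of style, `$disableDelete` is now returned immediately after assignment, so `return (bool) trim(...);` would be enough.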
-- 
GitLab