From 953cb02f9e20f3c79c0641702955b4436fa64a98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20E=C3=9Fl?= <indy.essl@gmail.com>
Date: Sat, 29 Feb 2020 17:39:56 +0100
Subject: [PATCH] [BUGFIX] Check if editor is allowed to drag-move pages in
 pagetree

Before, editors could always use drag and drop to move pages in the
page tree, even if they were lacking the permissions to modify pages.
After trying to move a page, an error message would then be shown.

The following permission checks have now been added:
- Check if the editor is allowed to modify pages.
- Check if the editor is allowed to access the default language

The drag and drop feature is now only enabled if these restrictions are
met. Admin users can use drag and drop in any case.

Resolves: #25433
Releases: master, 9.5
Change-Id: If104dafa0e5293d698b384b05984642a188d1166
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63514
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Susanne Moog <look@susi.dev>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Susanne Moog <look@susi.dev>
---
 .../Classes/Controller/Page/TreeController.php      | 13 +++++++++++++
 .../Public/JavaScript/PageTree/PageTree.js          |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
index 685305ed91ac..c98f2912e031 100644
--- a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
+++ b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
@@ -116,6 +116,7 @@ class TreeController
     {
         $configuration = [
             'allowRecursiveDelete' => !empty($this->getBackendUser()->uc['recursiveDelete']),
+            'allowDragMove' => $this->isDragMoveAllowed(),
             'doktypes' => $this->getDokTypes(),
             'displayDeleteConfirmation' => $this->getBackendUser()->jsConfirmation(JsConfirmation::DELETE),
             'temporaryMountPoint' => $this->getMountPointPath((int)($this->getBackendUser()->uc['pageTree_temporaryMountPoint'] ?? 0)),
@@ -507,6 +508,18 @@ class TreeController
         return implode(' ', $classes);
     }
 
+    /**
+     * Check if drag-move in the svg tree is allowed for the user
+     *
+     * @return bool
+     */
+    protected function isDragMoveAllowed(): bool
+    {
+        $backendUser = $this->getBackendUser();
+        return $backendUser->isAdmin()
+            || ($backendUser->check('tables_modify', 'pages') && $backendUser->checkLanguageAccess(0));
+    }
+
     /**
      * @return WorkspaceService
      */
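Review bot: The docblock on `isDragMoveAllowed()` does not say that the result is only a UI hint: it is computed once per user from the table-level `tables_modify` right and default-language access, not per page, and it reaches the browser as `allowDragMove` in the configuration array (first hunk), where `PageTree.js` uses it to enable dragging. A client can ignore that value, so the move still has to be authorized where the move request is processed; the commit message suggests that check already exists, since a failed move previously produced an error. I would state this in the docblock, e.g. `* UI hint only: toggles drag-move in the tree; the move itself is still authorized server-side per page.` The `@return bool` line restates the native return type and could be dropped.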
diff --git a/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js b/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
index 5d9f31ab1277..e08f5f67a004 100644
--- a/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
+++ b/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
@@ -66,7 +66,7 @@ define(['jquery',
         return false;
       }
 
-      _this.settings.isDragAnDrop = true;
+      _this.settings.isDragAnDrop = settings.allowDragMove;
       _this.dispatch.on('nodeSelectedAfter.pageTree', _this.nodeSelectedAfter);
       _this.dispatch.on('nodeRightClick.pageTree', _this.nodeRightClick);
       _this.dispatch.on('contextmenu.pageTree', _this.contextmenu);
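Review bot: `settings.allowDragMove` is copied as-is, so if the configuration response lacks the key (for example from an overridden or older configuration source), `isDragAnDrop` ends up `undefined` rather than a boolean. That happens to fail closed, but making it explicit keeps it that way under any later strict comparison: `_this.settings.isDragAnDrop = settings.allowDragMove === true;`. The enclosing function starts and ends outside this hunk, so how `isDragAnDrop` is read afterwards is not visible here.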
-- 
GitLab