From c644b2be7bc91b6de9a41d7f341361882139aa8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20E=C3=9Fl?= <indy.essl@gmail.com>
Date: Fri, 27 Mar 2020 13:58:31 +0100
Subject: [PATCH] [BUGFIX] Respect access restrictions for inline editing in
 pagetree

Do not show the inline edit form, when double clicking the title in
the pagetree, if the editor has no access permissions to the default
language or is not allowed to modify a page.

Resolves: #90855
Releases: master, 9.5
Change-Id: I51b34451043ce7abeb73250ea050bc084c23647b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63952
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Susanne Moog <look@susi.dev>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Susanne Moog <look@susi.dev>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
---
 .../backend/Classes/Controller/Page/TreeController.php      | 6 +++++-
 .../Resources/Public/JavaScript/PageTree/PageTree.js        | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
index d5c6fda57a58..2e08c1bc5cb0 100644
--- a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
+++ b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
@@ -239,6 +239,7 @@ class TreeController
      */
     protected function pagesToFlatArray(array $page, int $entryPoint, int $depth = 0, array $inheritedData = []): array
     {
+        $backendUser = $this->getBackendUser();
         $pageId = (int)$page['uid'];
         if (in_array($pageId, $this->hiddenRecords, true)) {
             return [];
@@ -295,7 +296,10 @@ class TreeController
             'workspaceId' => !empty($page['t3ver_oid']) ? $page['t3ver_oid'] : $pageId,
             'siblingsCount' => $page['siblingsCount'] ?? 1,
             'siblingsPosition' => $page['siblingsPosition'] ?? 1,
-            'allowDelete' => $this->getBackendUser()->doesUserHaveAccess($page, Permission::PAGE_DELETE)
+            'allowDelete' => $backendUser->doesUserHaveAccess($page, Permission::PAGE_DELETE),
+            'allowEdit' => $backendUser->doesUserHaveAccess($page, Permission::PAGE_EDIT)
+                && $backendUser->check('tables_modify', 'pages')
+                && $backendUser->checkLanguageAccess(0)
         ];
 
         if (!empty($page['_children'])) {
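Review bot: The `allowEdit` entry chains three separate checks and passes a bare `0` to `checkLanguageAccess()`, and nothing in the code says why the default language matters for a title edit. A comment above the key would make the intent readable without the commit message, for example `// Inline title editing changes the default-language record (language 0), so require page edit permission, tables_modify on pages and access to that language`. `pagesToFlatArray()` starts and ends outside this hunk, so how often the two page-independent checks are evaluated per tree load cannot be judged from here.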
diff --git a/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js b/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
index e08f5f67a004..bd7c8da35a6b 100644
--- a/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
+++ b/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
@@ -482,6 +482,10 @@ define(['jquery',
     PageTree.prototype.editNodeLabel = function(node) {
       var _this = this;
 
+      if (!node.allowEdit) {
+        return;
+      }
+
       _this.removeEditedText();
       _this.nodeIsEdit = true;
 
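Review bot: The `allowEdit` guard at the top of `editNodeLabel` only stops the input field from opening, so it cannot serve as the access control itself. The flag reaches the browser with the tree data and can be altered there. The request that stores the new title is not part of this diff; presumably the server-side save path applies the same page, table and language checks, but that should be confirmed. A regression test that submits a title change as a restricted editor would pin it down. A comment such as `// UI hint only: the server must still reject the save for users without edit access` would keep later readers from treating this line as the enforcement point. The function body continues past the end of the hunk.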
-- 
GitLab