From d517e43ff699cc25d1c6fb1ae0d71a70d92997a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20E=C3=9Fl?= <indy.essl@gmail.com>
Date: Sun, 29 Mar 2020 20:36:56 +0200
Subject: [PATCH] [BUGFIX] Allow editors with no page delete permissions to
 delete content

Add checks to use proper permissions in the DataHandler class,
as in some cases, where the record is not a page, the PAGE_DELETE
permissions were used instead of CONTENT_EDIT.

Resolves: #90878
Related: #90019
Releases: master
Change-Id: Ic10dc132391044ae0c98b93316d877053a091b70
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63999
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Benni Mack <benni@typo3.org>
---
 .../core/Classes/DataHandling/DataHandler.php  | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
index e163072b121a..6c166cea022d 100644
--- a/typo3/sysext/core/Classes/DataHandling/DataHandler.php
+++ b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -4741,7 +4741,15 @@ class DataHandler implements LoggerAwareInterface
             $this->log($table, $uid, SystemLogDatabaseAction::DELETE, 0, SystemLogErrorClassification::USER_ERROR, 'Attempt to delete record without delete-permissions');
             return;
         }
-        if (!$noRecordCheck && !$this->doesRecordExist($table, $uid, Permission::PAGE_DELETE)) {
+        if ($table === 'pages') {
+            $perms = Permission::PAGE_DELETE;
+        } elseif ($table === 'sys_file_reference' && array_key_exists('pages', $this->datamap)) {
+            // @todo: find a more generic way to handle content relations of a page (without needing content editing access to that page)
+            $perms = Permission::PAGE_EDIT;
+        } else {
+            $perms = Permission::CONTENT_EDIT;
+        }
+        if (!$noRecordCheck && !$this->doesRecordExist($table, $uid, $perms)) {
             return;
         }
 
@@ -5029,7 +5037,13 @@ class DataHandler implements LoggerAwareInterface
             $res = $this->canDeletePage($id);
             return is_array($res) ? false : $res;
         }
-        return $this->doesRecordExist($table, $id, Permission::PAGE_DELETE) ? false : 'No permission to delete record';
+        if ($table === 'sys_file_reference' && array_key_exists('pages', $this->datamap)) {
+            // @todo: find a more generic way to handle content relations of a page (without needing content editing access to that page)
+            $perms = Permission::PAGE_EDIT;
+        } else {
+            $perms = Permission::CONTENT_EDIT;
+        }
+        return $this->doesRecordExist($table, $id, $perms) ? false : 'No permission to delete record';
     }
 
     /**
-- 
GitLab