From ebaea78e73b9a8afb5c8942e67c721082e94c1da Mon Sep 17 00:00:00 2001
From: Markus Hoelzle <typo3@markus-hoelzle.de>
Date: Wed, 22 Feb 2017 10:27:49 +0100
Subject: [PATCH] [BUGFIX] Do not allow users to edit doktypes without
 permissions

Disallow backend users from editing pages whose doktype is not allowed
via backend user group permissions.

Resolves: #79954
Releases: master, 8.7, 7.6
Change-Id: I527602e71c62bc8e33b0886a5758c7c8040b4720
Reviewed-on: https://review.typo3.org/51796
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Matthias Vogel <typo3@kanti.de>
Tested-by: Matthias Vogel <typo3@kanti.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Reviewed-by: Wolfgang Klinger <wolfgang@wazum.com>
Tested-by: Wolfgang Klinger <wolfgang@wazum.com>
Reviewed-by: Josef Glatz <josef.glatz@typo3.org>
Reviewed-by: Henning Liebe <h.liebe@neusta.de>
Tested-by: Henning Liebe <h.liebe@neusta.de>
Reviewed-by: Susanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog <susanne.moog@typo3.org>
---
 .../DatabaseUserPermissionCheck.php           |  2 +-
 .../DatabaseUserPermissionCheckTest.php       | 31 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseUserPermissionCheck.php b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseUserPermissionCheck.php
index 542718506ea0..5ccc050de138 100644
--- a/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseUserPermissionCheck.php
+++ b/typo3/sysext/backend/Classes/Form/FormDataProvider/DatabaseUserPermissionCheck.php
@@ -115,7 +115,7 @@ class DatabaseUserPermissionCheck implements FormDataProviderInterface
             if ($result['tableName'] === 'pages') {
                 // A page record is edited, check edit rights of this record directly
                 $userPermissionOnPage = $backendUser->calcPerms($result['databaseRow']);
-                if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT)) {
+                if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT) && $backendUser->check('pagetypes_select', $result['databaseRow']['doktype'])) {
                     $userHasAccess = true;
                 } else {
                     $exception = new AccessDeniedPageEditException(
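Review bot: The doktype condition added to the `if` line is folded into the same failure branch as a missing PAGE_EDIT permission, so a user whose group lacks the page type receives the generic AccessDeniedPageEditException (code 1437679336 per the new unit test) and a log or audit trail cannot tell the two causes apart. Consider evaluating the check into a named variable that the else branch (which continues outside the hunk) can use in its message: `$doktypeAllowed = $backendUser->check('pagetypes_select', $result['databaseRow']['doktype']);` and `if ((bool)($userPermissionOnPage & Permission::PAGE_EDIT) && $doktypeAllowed) {`, with a comment such as `// Editing a page also requires its doktype to be granted via pagetypes_select`. The updated fixture in the test file suggests `databaseRow` did not always carry `doktype` before; if that can happen at runtime, reading the key directly emits a notice and passes null to check(), so confirm the earlier data providers guarantee the key. The enclosing method of DatabaseUserPermissionCheck starts and ends outside the hunk.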
diff --git a/typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/DatabaseUserPermissionCheckTest.php b/typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/DatabaseUserPermissionCheckTest.php
index 672fdbee722f..c8d7d811bd0d 100644
--- a/typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/DatabaseUserPermissionCheckTest.php
+++ b/typo3/sysext/backend/Tests/Unit/Form/FormDataProvider/DatabaseUserPermissionCheckTest.php
@@ -150,6 +150,33 @@ class DatabaseUserPermissionCheckTest extends \TYPO3\TestingFramework\Core\Unit\
         $this->subject->addData($input);
     }
 
+    /**
+     * @test
+     */
+    public function addDataThrowsExceptionIfCommandIsEditTableIsPagesAndUserHasNoDoktypePermissions()
+    {
+        $input = [
+            'tableName' => 'pages',
+            'command' => 'edit',
+            'vanillaUid' => 123,
+            'databaseRow' => [
+                'uid' => 123,
+                'pid' => 321,
+                'doktype' => 1,
+            ],
+        ];
+        $this->beUserProphecy->isAdmin()->willReturn(false);
+        $this->beUserProphecy->check('tables_modify', $input['tableName'])->willReturn(true);
+        $this->beUserProphecy->check('pagetypes_select', $input['databaseRow']['doktype'])->willReturn(false);
+        $this->beUserProphecy->recordEditAccessInternals($input['tableName'], Argument::cetera())->willReturn(true);
+        $this->beUserProphecy->calcPerms($input['databaseRow'])->willReturn(Permission::ALL);
+
+        $this->expectException(AccessDeniedPageEditException::class);
+        $this->expectExceptionCode(1437679336);
+
+        $this->subject->addData($input);
+    }
+
     /**
      * @test
      */
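Review bot: The new test stubs `check('pagetypes_select', ...)` with `willReturn(false)` but never requires the call, so the test would still pass if the exception were thrown for some other reason and the doktype permission were never consulted. Adding a call expectation pins the cause the test is named for: `$this->beUserProphecy->check('pagetypes_select', $input['databaseRow']['doktype'])->shouldBeCalled()->willReturn(false);`. Since the fixture grants `Permission::ALL`, a short comment above the stubs such as `// Page edit permission is granted; only the doktype permission is withheld` would make the isolated factor explicit to the next reader.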
@@ -161,11 +188,13 @@ class DatabaseUserPermissionCheckTest extends \TYPO3\TestingFramework\Core\Unit\
             'vanillaUid' => 123,
             'databaseRow' => [
                 'uid' => 123,
-                'pid' => 321
+                'pid' => 321,
+                'doktype' => 1,
             ],
         ];
         $this->beUserProphecy->isAdmin()->willReturn(false);
         $this->beUserProphecy->check('tables_modify', $input['tableName'])->willReturn(true);
+        $this->beUserProphecy->check('pagetypes_select', $input['databaseRow']['doktype'])->willReturn(true);
         $this->beUserProphecy->calcPerms($input['databaseRow'])->willReturn(Permission::PAGE_EDIT);
         $this->beUserProphecy->recordEditAccessInternals($input['tableName'], Argument::cetera())->willReturn(true);
 
-- 
GitLab