[BUGFIX] Check permissions on copy actions

No copy link in the context menu or the button in the file list is displayed, when the user lacks the permission to copy file or folder. Resolves: #85425 Releases: master, 9.5 Change-Id: I442d17e04a87eb25a438c2c2e7f22aef70492061 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/61813 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Frank Nägler <frank.naegler@typo3.org> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
TYPO3 · Sep 25, 2019 · c1fcffe · c1fcffe
1 parent 0564b35
commit c1fcffe
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 10 deletions.
diff --git a/typo3/sysext/filelist/Classes/ContextMenu/ItemProviders/FileProvider.php b/typo3/sysext/filelist/Classes/ContextMenu/ItemProviders/FileProvider.php
@@ -222,7 +222,7 @@ protected function canCreateNew(): bool
      */
     protected function canBeCopied(): bool
     {
-        return $this->record->checkActionPermission('read') && !$this->isRecordInClipboard('copy');
+        return $this->record->checkActionPermission('read') && $this->record->checkActionPermission('copy') && !$this->isRecordInClipboard('copy');
     }
 
     /**
@@ -278,6 +278,9 @@ protected function isFoldersAreInTheSameRoot($fileOrFolderInClipBoard): bool
      */
     protected function isRecordInClipboard(string $mode = ''): bool
     {
+        if ($mode !== '' && !$this->record->checkActionPermission($mode)) {
+            return false;
+        }
         $isSelected = '';
         // Pseudo table name for use in the clipboard.
         $table = '_FILE';

diff --git a/typo3/sysext/filelist/Classes/FileList.php b/typo3/sysext/filelist/Classes/FileList.php
@@ -477,7 +477,9 @@ public function getTable($rowlist)
                     $table = '_FILE';
                     $elFromTable = $this->clipObj->elFromTable($table);
                     if (!empty($elFromTable) && $this->folderObject->checkActionPermission('write')) {
-                        $addPasteButton = true;
+                        $clipboardMode = $this->clipObj->clipData[$this->clipObj->current]['mode'] ?? '';
+                        $permission = $clipboardMode === 'copy' ? 'copy' : 'move';
+                        $addPasteButton = $this->folderObject->checkActionPermission($permission);
                         $elToConfirm = [];
                         foreach ($elFromTable as $key => $element) {
                             $clipBoardElement = $this->resourceFactory->retrieveFileOrFolderObject($element);
@@ -504,11 +506,17 @@ public function getTable($rowlist)
                                 . $this->iconFactory->getIcon('actions-document-paste-into', Icon::SIZE_SMALL)
                                     ->render()
                                 . '</a>';
+                        } else {
+                            $cells[] = $this->spaceIcon;
                         }
                     }
                     if ($this->clipObj->current !== 'normal' && $iOut) {
-                        $cells[] = $this->linkClipboardHeaderIcon('<span title="' . htmlspecialchars($this->getLanguageService()->getLL('clip_selectMarked')) . '">' . $this->iconFactory->getIcon('actions-edit-copy', Icon::SIZE_SMALL)->render() . '</span>', $table, 'setCB');
-                        $cells[] = $this->linkClipboardHeaderIcon('<span title="' . htmlspecialchars($this->getLanguageService()->getLL('clip_deleteMarked')) . '">' . $this->iconFactory->getIcon('actions-edit-delete', Icon::SIZE_SMALL)->render(), $table, 'delete', $this->getLanguageService()->getLL('clip_deleteMarkedWarning'));
+                        if ($this->folderObject->checkActionPermission('copy') && $this->folderObject->checkActionPermission('write') && $this->folderObject->checkActionPermission('move')) {
+                            $cells[] = $this->linkClipboardHeaderIcon('<span title="' . htmlspecialchars($this->getLanguageService()->getLL('clip_selectMarked')) . '">' . $this->iconFactory->getIcon('actions-edit-copy', Icon::SIZE_SMALL)->render() . '</span>', $table, 'setCB');
+                        }
+                        if ($this->folderObject->checkActionPermission('delete')) {
+                            $cells[] = $this->linkClipboardHeaderIcon('<span title="' . htmlspecialchars($this->getLanguageService()->getLL('clip_deleteMarked')) . '">' . $this->iconFactory->getIcon('actions-edit-delete', Icon::SIZE_SMALL)->render(), $table, 'delete', $this->getLanguageService()->getLL('clip_deleteMarkedWarning'));
+                        }
                         $onClick = 'checkOffCB(' . GeneralUtility::quoteJSvalue(implode(',', $this->CBnames)) . ', this); return false;';
                         $cells[] = '<a class="btn btn-default" rel="" href="#" onclick="' . htmlspecialchars($onClick) . '" title="' . htmlspecialchars($this->getLanguageService()->getLL('clip_markRecords')) . '">' . $this->iconFactory->getIcon('actions-document-select', Icon::SIZE_SMALL)->render() . '</a>';
                     }
@@ -1259,11 +1267,15 @@ public function makeClip($fileOrFolderObject)
                 $cutIcon = $this->iconFactory->getIcon('actions-edit-cut-release', Icon::SIZE_SMALL)->render();
             }
 
-            $cells[] = '<a class="btn btn-default" href="' . htmlspecialchars($this->clipObj->selUrlFile(
-                $fullIdentifier,
-                1,
-                $isSel === 'copy'
-            )) . '" title="' . $copyTitle . '">' . $copyIcon . '</a>';
+            if ($fileOrFolderObject->checkActionPermission('copy')) {
+                $cells[] = '<a class="btn btn-default" href="' . htmlspecialchars($this->clipObj->selUrlFile(
+                    $fullIdentifier,
+                    1,
+                    $isSel === 'copy'
+                )) . '" title="' . $copyTitle . '">' . $copyIcon . '</a>';
+            } else {
+                $cells[] = $this->spaceIcon;
+            }
             // we can only cut if file can be moved
             if ($fileOrFolderObject->checkActionPermission('move')) {
                 $cells[] = '<a class="btn btn-default" href="' . htmlspecialchars($this->clipObj->selUrlFile(
@@ -1284,7 +1296,9 @@ public function makeClip($fileOrFolderObject)
         // Display PASTE button, if directory:
         $elFromTable = $this->clipObj->elFromTable('_FILE');
         if ($fileOrFolderObject instanceof Folder && !empty($elFromTable) && $fileOrFolderObject->checkActionPermission('write')) {
-            $addPasteButton = true;
+            $clipboardMode = $this->clipObj->clipData[$this->clipObj->current]['mode'] ?? '';
+            $permission = $clipboardMode === 'copy' ? 'copy' : 'move';
+            $addPasteButton = $this->folderObject->checkActionPermission($permission);
             $elToConfirm = [];
             foreach ($elFromTable as $key => $element) {
                 $clipBoardElement = $this->resourceFactory->retrieveFileOrFolderObject($element);
@@ -1303,6 +1317,8 @@ public function makeClip($fileOrFolderObject)
                     . '>'
                     . $this->iconFactory->getIcon('actions-document-paste-into', Icon::SIZE_SMALL)->render()
                     . '</a>';
+            } else {
+                $cells[] = $this->spaceIcon;
             }
         }
         // Compile items into a DIV-element: