[BUGFIX] Respect ignoreRootLevelRestriction for pid=0 records

sbuerk · lolli42 · commit 1ba7288c4b88 · 2025-04-24T14:17:30.000+02:00
With #106382 DataHandler permission check handling has been streamlined and missed to keep respecting related TCA option `ignoreRootLevelRestriction` for records handled and saved on rootLevel (`pid=0`). For example FAL file and file metadata are stored on `pid=0`, which are no longer editable or translatable by casual editors. Based on the change, empty page record are now passed down to the BE_user `isInWebMount()` throwing an exception because no `uid` is provided in the empty array. This change modifies some places to reintroduce checks for the TCA option `ignoreRootLevelRestriction` when record pid is zero, not calling `isInWebMount()` with an empty page record. Resolves: #106569 Related: #106382 Releases: main, 13.4 Change-Id: Ic602060c02a2188520e8d0750ddabb1c5af601e9 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/89172 Reviewed-by: André Buchmann <andy.schliesser@gmail.com> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: André Buchmann <andy.schliesser@gmail.com> Tested-by: Benni Mack <benni@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Tested-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: core-ci <typo3@b13.com>
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -883,7 +883,9 @@ public function process_datamap(): void
                             $this->log($table, $id, SystemLogDatabaseAction::UPDATE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to modify record {table}:{uid} denied by checkRecordUpdateAccess hook', null, ['table' => $table, 'uid' => $id], (int)$currentRecord['pid']);
                             continue;
                         }
-                    } elseif (!$this->hasPermissionToUpdate($table, $pageRecord)) {
+                    } elseif ($pageRecord === [] && $currentRecord['pid'] === 0 && !($this->admin || BackendUtility::isRootLevelRestrictionIgnored($table))
+                        || (($pageRecord !== [] || $currentRecord['pid'] !== 0) && !$this->hasPermissionToUpdate($table, $pageRecord))
+                    ) {
                         $this->log($table, $id, SystemLogDatabaseAction::UPDATE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to modify record {table}:{uid} without permission or non-existing page', null, ['table' => $table, 'uid' => $id], (int)$currentRecord['pid']);
                         continue;
                     }
@@ -3460,7 +3462,9 @@ public function copyRecord($table, $uid, $destPid, $first = false, $overrideValu
                 return null;
             }
         }
-        if (!$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord)) {
+        if (($pageRecord === [] && $row['pid'] === 0 && !($this->admin || BackendUtility::isRootLevelRestrictionIgnored($table)))
+            || (($pageRecord !== [] || $row['pid'] !== 0) && !$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord))
+        ) {
             $this->log($table, $uid, SystemLogDatabaseAction::INSERT, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to copy record "{table}:{uid}" without read permissions', null, ['table' => $table, 'uid' => (int)$uid]);
             return null;
         }
@@ -4793,8 +4797,9 @@ public function localize($table, $uid, $language)
                 return false;
             }
         }
-
-        if (!$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord)) {
+        if (($pageRecord === [] && $row['pid'] === 0 && !($this->admin || BackendUtility::isRootLevelRestrictionIgnored($table)))
+            || (($pageRecord !== [] || $row['pid'] !== 0) && !$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord))
+        ) {
             $this->log($table, $uid, SystemLogDatabaseAction::LOCALIZE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to localize record {table}:{uid} without permission', null, ['table' => $table, 'uid' => (int)$uid]);
             return false;
         }
@@ -7187,8 +7192,8 @@ protected function hasPermissionToInsert($table, $pid, array $pageRecord): bool
         } else {
             $perms = Permission::CONTENT_EDIT;
         }
-        if (!$this->hasPagePermission($perms, $pageRecord)
-            && ($pid !== 0 || (!$this->admin && !BackendUtility::isRootLevelRestrictionIgnored($table)))
+        if (($pid !== 0 || (!$this->admin && !BackendUtility::isRootLevelRestrictionIgnored($table)))
+            && !$this->hasPagePermission($perms, $pageRecord)
         ) {
             // If page does not exist, it can still be an attempt to add to pid 0. Check this case
             // and deny record insert by looking at admin flag and TCA root level restriction as well.

Original file line number	Diff line number	Diff line change
`@@ -883,7 +883,9 @@ public function process_datamap(): void`
`883`	`883`	`$this->log($table, $id, SystemLogDatabaseAction::UPDATE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to modify record {table}:{uid} denied by checkRecordUpdateAccess hook', null, ['table' => $table, 'uid' => $id], (int)$currentRecord['pid']);`
`884`	`884`	`continue;`
`885`	`885`	`}`
`886`		`- } elseif (!$this->hasPermissionToUpdate($table, $pageRecord)) {`
	`886`	`+ } elseif ($pageRecord === [] && $currentRecord['pid'] === 0 && !($this->admin \|\| BackendUtility::isRootLevelRestrictionIgnored($table))`
	`887`	`+ \|\| (($pageRecord !== [] \|\| $currentRecord['pid'] !== 0) && !$this->hasPermissionToUpdate($table, $pageRecord))`
	`888`	`+ ) {`
`887`	`889`	`$this->log($table, $id, SystemLogDatabaseAction::UPDATE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to modify record {table}:{uid} without permission or non-existing page', null, ['table' => $table, 'uid' => $id], (int)$currentRecord['pid']);`
`888`	`890`	`continue;`
`889`	`891`	`}`
`@@ -3460,7 +3462,9 @@ public function copyRecord($table, $uid, $destPid, $first = false, $overrideValu`
`3460`	`3462`	`return null;`
`3461`	`3463`	`}`
`3462`	`3464`	`}`
`3463`		`- if (!$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord)) {`
	`3465`	`+ if (($pageRecord === [] && $row['pid'] === 0 && !($this->admin \|\| BackendUtility::isRootLevelRestrictionIgnored($table)))`
	`3466`	`+ \|\| (($pageRecord !== [] \|\| $row['pid'] !== 0) && !$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord))`
	`3467`	`+ ) {`
`3464`	`3468`	`$this->log($table, $uid, SystemLogDatabaseAction::INSERT, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to copy record "{table}:{uid}" without read permissions', null, ['table' => $table, 'uid' => (int)$uid]);`
`3465`	`3469`	`return null;`
`3466`	`3470`	`}`
`@@ -4793,8 +4797,9 @@ public function localize($table, $uid, $language)`
`4793`	`4797`	`return false;`
`4794`	`4798`	`}`
`4795`	`4799`	`}`
`4796`		`-`
`4797`		`- if (!$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord)) {`
	`4800`	`+ if (($pageRecord === [] && $row['pid'] === 0 && !($this->admin \|\| BackendUtility::isRootLevelRestrictionIgnored($table)))`
	`4801`	`+ \|\| (($pageRecord !== [] \|\| $row['pid'] !== 0) && !$this->hasPagePermission(Permission::PAGE_SHOW, $pageRecord))`
	`4802`	`+ ) {`
`4798`	`4803`	`$this->log($table, $uid, SystemLogDatabaseAction::LOCALIZE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to localize record {table}:{uid} without permission', null, ['table' => $table, 'uid' => (int)$uid]);`
`4799`	`4804`	`return false;`
`4800`	`4805`	`}`
`@@ -7187,8 +7192,8 @@ protected function hasPermissionToInsert($table, $pid, array $pageRecord): bool`
`7187`	`7192`	`} else {`
`7188`	`7193`	`$perms = Permission::CONTENT_EDIT;`
`7189`	`7194`	`}`
`7190`		`- if (!$this->hasPagePermission($perms, $pageRecord)`
`7191`		`- && ($pid !== 0 \|\| (!$this->admin && !BackendUtility::isRootLevelRestrictionIgnored($table)))`
	`7195`	`+ if (($pid !== 0 \|\| (!$this->admin && !BackendUtility::isRootLevelRestrictionIgnored($table)))`
	`7196`	`+ && !$this->hasPagePermission($perms, $pageRecord)`
`7192`	`7197`	`) {`
`7193`	`7198`	`// If page does not exist, it can still be an attempt to add to pid 0. Check this case`
`7194`	`7199`	`// and deny record insert by looking at admin flag and TCA root level restriction as well.`