[BUGFIX] Evaluate edit permissions of live search suggestions

The edit permissions for linked live search suggestions, shown in the the dropdown layer, were previously not properly evaluated. This is now fixed. In case a user does have insufficient edit permissions for a live search suggestion, it won't be linked anymore. Resolves: #95052 Releases: master, 10.4 Change-Id: I84f7beeae8be62d275236779b993bbbf380fb835 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71050 Tested-by: core-ci <typo3@b13.com> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Jochen <rothjochen@gmail.com> Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Jochen <rothjochen@gmail.com> Reviewed-by: Oliver Bartsch <bo@cedev.de>
TYPO3 · Sep 15, 2021 · 3a2a80d · 3a2a80d
1 parent 9826705
commit 3a2a80d
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 22 deletions.
diff --git a/Build/Sources/TypeScript/backend/Resources/Public/TypeScript/LiveSearch.ts b/Build/Sources/TypeScript/backend/Resources/Public/TypeScript/LiveSearch.ts
@@ -16,7 +16,7 @@ import Viewport = require('./Viewport');
 import Icons = require('./Icons');
 import 'jquery/autocomplete';
 import './Input/Clearable';
-import {html, render} from 'lit';
+import {html, render, TemplateResult} from 'lit';
 import {unsafeHTML} from 'lit/directives/unsafe-html';
 import {renderHTML} from 'TYPO3/CMS/Core/lit-helper';
 import {ModuleStateStorage} from 'TYPO3/CMS/Backend/Storage/ModuleStateStorage';
@@ -115,10 +115,7 @@ class LiveSearch {
                 ${unsafeHTML(suggestion.data.iconHTML)}
               </div>
               <div class="dropdown-table-column dropdown-table-title">
-                <a class="dropdown-table-title-ellipsis dropdown-list-link"
-                   data-pageid="${suggestion.data.pageId}" href="${suggestion.data.editLink}">
-                  ${suggestion.data.title}
-                </a>
+                ${this.linkItem(suggestion)}
               </div>
             </div>
           </div>
@@ -206,6 +203,16 @@ class LiveSearch {
       evt.preventDefault();
     });
   }
+
+  private linkItem(suggestion: Suggestion): TemplateResult {
+    return suggestion.data.editLink
+      ? html`
+        <a class="dropdown-table-title-ellipsis dropdown-list-link"
+           data-pageid="${suggestion.data.pageId}" href="${suggestion.data.editLink}">
+          ${suggestion.data.title}
+        </a>`
+      : html`<span class="dropdown-table-title-ellipsis">${suggestion.data.title}</span>`;
+  }
 }
 
 export = new LiveSearch();
diff --git a/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php b/typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php
@@ -18,6 +18,7 @@
 use TYPO3\CMS\Backend\Routing\UriBuilder;
 use TYPO3\CMS\Backend\Tree\View\PageTreeView;
 use TYPO3\CMS\Backend\Utility\BackendUtility;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
 use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Database\Connection;
 use TYPO3\CMS\Core\Database\ConnectionPool;
@@ -75,7 +76,7 @@ class LiveSearch
      */
     public function __construct()
     {
-        $this->userPermissions = $GLOBALS['BE_USER']->getPagePermsClause(Permission::PAGE_SHOW);
+        $this->userPermissions = $this->getBackendUser()->getPagePermsClause(Permission::PAGE_SHOW);
         $this->queryParser = GeneralUtility::makeInstance(QueryParser::class);
     }
 
@@ -89,7 +90,7 @@ public function find($searchQuery)
     {
         $recordArray = [];
         $pageList = [];
-        $mounts = $GLOBALS['BE_USER']->returnWebmounts();
+        $mounts = $this->getBackendUser()->returnWebmounts();
         foreach ($mounts as $pageId) {
             $pageList[] = $this->getAvailablePageIds($pageId, self::RECURSIVE_PAGE_LEVEL);
         }
@@ -124,8 +125,8 @@ protected function findByGlobalTableList($pageIdList)
                 (isset($value['ctrl']['hideTable']) && $value['ctrl']['hideTable'])
                 ||
                 (
-                    !$GLOBALS['BE_USER']->check('tables_select', $tableName) &&
-                    !$GLOBALS['BE_USER']->check('tables_modify', $tableName)
+                    !$this->getBackendUser()->check('tables_select', $tableName) &&
+                    !$this->getBackendUser()->check('tables_modify', $tableName)
                 )
             ) {
                 continue;
@@ -239,17 +240,27 @@ protected function getRecordArray($queryBuilder, $tableName)
      */
     protected function getEditLink($tableName, $row)
     {
-        $pageInfo = BackendUtility::readPageAccess($row['pid'], $this->userPermissions);
-        $calcPerms = new Permission($GLOBALS['BE_USER']->calcPerms($pageInfo));
+        $backendUser = $this->getBackendUser();
         $editLink = '';
         if ($tableName === 'pages') {
-            $localCalcPerms = new Permission($GLOBALS['BE_USER']->calcPerms(BackendUtility::getRecord('pages', $row['uid'])));
+            $localCalcPerms = new Permission($backendUser->calcPerms(BackendUtility::getRecord('pages', $row['uid']) ?? []));
             $permsEdit = $localCalcPerms->editPagePermissionIsGranted();
         } else {
+            $calcPerms = new Permission($backendUser->calcPerms(BackendUtility::readPageAccess($row['pid'], $this->userPermissions) ?: []));
             $permsEdit = $calcPerms->editContentPermissionIsGranted();
         }
-        // "Edit" link - Only if permissions to edit the page-record of the content of the parent page ($this->id)
-        if ($permsEdit) {
+        // "Edit" link - Only with proper edit permissions
+        if (!($GLOBALS['TCA'][$tableName]['ctrl']['readOnly'] ?? false)
+            && (
+                $backendUser->isAdmin()
+                || (
+                    $permsEdit
+                    && !($GLOBALS['TCA'][$tableName]['ctrl']['adminOnly'] ?? false)
+                    && $backendUser->check('tables_modify', $tableName)
+                    && $backendUser->recordEditAccessInternals($tableName, $row)
+                )
+            )
+        ) {
             $uriBuilder = GeneralUtility::makeInstance(UriBuilder::class);
             $returnUrl = (string)$uriBuilder->buildUriFromRoute('web_list', ['id' => $row['pid']]);
             $editLink = (string)$uriBuilder->buildUriFromRoute('record_edit', [
@@ -398,7 +409,7 @@ protected function extractSearchableFieldsFromTable($tableName)
             $fieldListArray = [];
         }
         // Add special fields
-        if ($GLOBALS['BE_USER']->isAdmin()) {
+        if ($this->getBackendUser()->isAdmin()) {
             $fieldListArray[] = 'uid';
             $fieldListArray[] = 'pid';
         }
@@ -461,6 +472,11 @@ protected function getAvailablePageIds($id, $depth)
         return implode(',', $tree->ids);
     }
 
+    protected function getBackendUser(): BackendUserAuthentication
+    {
+        return $GLOBALS['BE_USER'];
+    }
+
     /**
      * @return LanguageService|null
      */

diff --git a/typo3/sysext/backend/Resources/Public/JavaScript/LiveSearch.js b/typo3/sysext/backend/Resources/Public/JavaScript/LiveSearch.js