[BUGFIX] Check language access for edit default metadata

At various places, it's possible to edit the metadata of a file in the default language. However, users might not have access to the default language. To prevent moving to FormEngine and facing access permission errors, those places now use proper language access checks and do not display corresponding action if the user does not have access. Resolves: #103432 Releases: main, 12.4 Change-Id: I22c3755a17888cfc623ce05b25fd655b323cc553 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/83583 Tested-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Oliver Bartsch <bo@cedev.de> Tested-by: core-ci <typo3@b13.com>
TYPO3 · Mar 25, 2024 · 7991a68 · 7991a68
1 parent 194cc12
commit 7991a68
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 22 deletions.
diff --git a/Build/Sources/TypeScript/filelist/file-list.ts b/Build/Sources/TypeScript/filelist/file-list.ts
@@ -89,7 +89,8 @@ export default class Filelist {
     new RegularEvent(FileListActionEvent.primary, (event: CustomEvent): void => {
       const detail: FileListActionDetail = event.detail;
       const resource = detail.resources[0];
-      if (resource.type === 'file') {
+      const resourceElement: HTMLElement = detail.trigger.closest('[data-default-language-access]') as HTMLElement;
+      if (resource.type === 'file' && resourceElement !== null) {
         window.location.href = top.TYPO3.settings.FormEngine.moduleUrl
           + '&edit[sys_file_metadata][' + resource.metaUid + ']=edit'
           + '&returnUrl=' + Filelist.getReturnUrl('');

diff --git a/typo3/sysext/filelist/Classes/ContextMenu/ItemProviders/FileProvider.php b/typo3/sysext/filelist/Classes/ContextMenu/ItemProviders/FileProvider.php
@@ -225,10 +225,11 @@ protected function canBeEdited(): bool
     protected function canEditMetadata(): bool
     {
         return $this->isFile()
-           && $this->record->isIndexed()
-           && $this->record->checkActionPermission('editMeta')
-           && $this->record->getMetaData()->offsetExists('uid')
-           && $this->backendUser->check('tables_modify', 'sys_file_metadata');
+            && $this->record->isIndexed()
+            && $this->record->checkActionPermission('editMeta')
+            && $this->record->getMetaData()->offsetExists('uid')
+            && $this->backendUser->check('tables_modify', 'sys_file_metadata')
+            && $this->backendUser->checkLanguageAccess(0);
     }
 
     protected function canBeRenamed(): bool

diff --git a/typo3/sysext/filelist/Classes/Controller/FileListController.php b/typo3/sysext/filelist/Classes/Controller/FileListController.php
@@ -382,27 +382,36 @@ protected function generateFileList(ServerRequestInterface $request): void
                 'fileUploadUrl' => $this->getFileUploadUrl(),
                 'totalItems' => $this->filelist->totalItems,
             ]);
+
+            // Add edit metadata configuration, if user can edit default language
+            if ($this->getBackendUser()->checkLanguageAccess(0)) {
+                $this->view->assign(
+                    'editActionConfiguration',
+                    GeneralUtility::jsonEncodeForHtmlAttribute([
+                        'idField' => 'filelistMetaUid',
+                        'table' => 'sys_file_metadata',
+                        'returnUrl' => $this->filelist->createModuleUri(),
+                    ])
+                );
+            }
+
             // Assign meta information for the multi record selection
-            $this->view->assignMultiple([
-                'editActionConfiguration' => GeneralUtility::jsonEncodeForHtmlAttribute([
-                    'idField' => 'filelistMetaUid',
-                    'table' => 'sys_file_metadata',
-                    'returnUrl' => $this->filelist->createModuleUri(),
-                ], true),
-                'deleteActionConfiguration' => GeneralUtility::jsonEncodeForHtmlAttribute([
+            $this->view->assign(
+                'deleteActionConfiguration',
+                GeneralUtility::jsonEncodeForHtmlAttribute([
                     'ok' => $lang->sL('LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:cm.delete'),
                     'title' => $lang->sL('LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:clip_deleteMarked'),
                     'content' => $lang->sL('LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:clip_deleteMarkedWarning'),
-                ], true),
-            ]);
+                ]),
+            );
 
             // Add download button configuration, if file download is enabled
             if ($this->getBackendUser()->getTSConfig()['options.']['file_list.']['fileDownload.']['enabled'] ?? true) {
                 $this->view->assign(
                     'downloadActionConfiguration',
                     GeneralUtility::jsonEncodeForHtmlAttribute([
                         'downloadUrl' => (string)$this->uriBuilder->buildUriFromRoute('file_download'),
-                    ], true)
+                    ])
                 );
             }
         } else {

diff --git a/typo3/sysext/filelist/Classes/FileList.php b/typo3/sysext/filelist/Classes/FileList.php
@@ -259,6 +259,7 @@ protected function renderTiles(ResourceCollectionPaginator $paginator, array $re
     {
         $view->assign('displayThumbs', $this->thumbs);
         $view->assign('displayCheckbox', $this->resourceSelectableMatcher ? true : false);
+        $view->assign('defaultLanguageAccess', $this->getBackendUser()->checkLanguageAccess(0));
         $view->assign('pagination', [
             'backward' => $this->getPaginationLinkForDirection($paginator, NavigationDirection::BACKWARD),
             'forward' => $this->getPaginationLinkForDirection($paginator, NavigationDirection::FORWARD),
@@ -492,6 +493,9 @@ protected function renderListTableBody(array $resourceViews): string
                 'data-multi-record-selection-element' => 'true',
                 'draggable' => $resourceView->canMove() ? 'true' : 'false',
             ];
+            if ($this->getBackendUser()->checkLanguageAccess(0)) {
+                $attributes['data-default-language-access'] = 'true';
+            }
             foreach ($this->fieldArray as $field) {
                 switch ($field) {
                     case 'icon':
@@ -988,7 +992,7 @@ protected function createControlEditContent(ResourceView $resourceView): ?Button
 
     protected function createControlEditMetaData(ResourceView $resourceView): ?ButtonInterface
     {
-        if (!$resourceView->getMetaDataUid()) {
+        if (!$resourceView->getMetaDataUid() || !$this->getBackendUser()->checkLanguageAccess(0)) {
             return null;
         }
 

diff --git a/typo3/sysext/filelist/Resources/Private/Templates/File/List.html b/typo3/sysext/filelist/Resources/Private/Templates/File/List.html
@@ -93,13 +93,15 @@ <h5 class="mt-2">
                         <div class="col">
                             <strong><f:translate key="LLL:EXT:core/Resources/Private/Language/locallang_core.xlf:labels.selection"/></strong>
                         </div>
-                        <div class="col">
-                            <button type="button" class="btn btn-default btn-sm disabled" data-multi-record-selection-action="edit" data-multi-record-selection-action-config="{editActionConfiguration -> f:format.raw()}">
+                        <f:if condition="{editActionConfiguration}">
+                            <div class="col">
+                                <button type="button" class="btn btn-default btn-sm disabled" data-multi-record-selection-action="edit" data-multi-record-selection-action-config="{editActionConfiguration -> f:format.raw()}">
                                 <span title="{f:translate(key: 'LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:editMarked')}">
                                     <core:icon identifier="actions-open" size="small" /> <f:translate key="LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:editMarked" />
                                 </span>
-                            </button>
-                        </div>
+                                </button>
+                            </div>
+                        </f:if>
                         <f:if condition="{downloadActionConfiguration}">
                             <div class="col">
                                 <button type="button" class="btn btn-default btn-sm" data-multi-record-selection-action="download" data-multi-record-selection-action-config="{downloadActionConfiguration -> f:format.raw()}">

diff --git a/typo3/sysext/filelist/Resources/Private/Templates/Filelist/Tiles.html b/typo3/sysext/filelist/Resources/Private/Templates/Filelist/Tiles.html
@@ -8,7 +8,7 @@
             }" />
         </f:if>
         <f:for each="{resources}" as="resource">
-            <f:render section="ResourceTile" arguments="{resource: resource, displayThumbs: displayThumbs, displayCheckbox: displayCheckbox}" />
+            <f:render section="ResourceTile" arguments="{resource: resource, displayThumbs: displayThumbs, displayCheckbox: displayCheckbox, defaultLanguageAccess: defaultLanguageAccess}" />
         </f:for>
         <f:if condition="{pagination.forward}">
             <f:render section="PaginationTile" arguments="{
@@ -55,6 +55,7 @@
         data-filelist-selectable="{f:if(condition: resource.isSelectable, then: 'true', else: 'false')}"
         data-filelist-selected="{f:if(condition: resource.isSelected, then: 'true', else: 'false')}"
         data-multi-record-selection-element="true"
+        {f:if(condition: defaultLanguageAccess, then: 'data-default-language-access="true"')}
         draggable="{resource.canMove ? 'true' : 'false'}"
     >
         <button type="button" title="{resource.name}" data-filelist-action="primary">