[BUGFIX] Check if editor is allowed to drag-move pages in pagetree

Before, editors could always use drag and drop to move pages in the page tree, even if they were lacking the permissions to modify pages. After trying to move a page, an error message would then be shown. The following permission checks have now been added: - Check if the editor is allowed to modify pages. - Check if the editor is allowed to access the default language The drag and drop feature is now only enabled, if these restrictions are met. Admin users can use drag and drop in any cases. Resolves: #25433 Releases: master, 9.5 Change-Id: If104dafa0e5293d698b384b05984642a188d1166 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/63514 Tested-by: TYPO3com <noreply@typo3.com> Tested-by: Daniel Goerz <daniel.goerz@posteo.de> Tested-by: Susanne Moog <look@susi.dev> Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de> Reviewed-by: Oliver Bartsch <bo@cedev.de> Reviewed-by: Susanne Moog <look@susi.dev>
TYPO3 · Feb 29, 2020 · 953cb02 · 953cb02
1 parent 8c47850
commit 953cb02
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/typo3/sysext/backend/Classes/Controller/Page/TreeController.php b/typo3/sysext/backend/Classes/Controller/Page/TreeController.php
@@ -116,6 +116,7 @@ public function fetchConfigurationAction(): ResponseInterface
     {
         $configuration = [
             'allowRecursiveDelete' => !empty($this->getBackendUser()->uc['recursiveDelete']),
+            'allowDragMove' => $this->isDragMoveAllowed(),
             'doktypes' => $this->getDokTypes(),
             'displayDeleteConfirmation' => $this->getBackendUser()->jsConfirmation(JsConfirmation::DELETE),
             'temporaryMountPoint' => $this->getMountPointPath((int)($this->getBackendUser()->uc['pageTree_temporaryMountPoint'] ?? 0)),
@@ -507,6 +508,18 @@ protected function resolvePageCssClassNames(array $page): string
         return implode(' ', $classes);
     }
 
+    /**
+     * Check if drag-move in the svg tree is allowed for the user
+     *
+     * @return bool
+     */
+    protected function isDragMoveAllowed(): bool
+    {
+        $backendUser = $this->getBackendUser();
+        return $backendUser->isAdmin()
+            || ($backendUser->check('tables_modify', 'pages') && $backendUser->checkLanguageAccess(0));
+    }
+
     /**
      * @return WorkspaceService
      */

diff --git a/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js b/typo3/sysext/backend/Resources/Public/JavaScript/PageTree/PageTree.js
@@ -66,7 +66,7 @@ define(['jquery',
         return false;
       }
 
-      _this.settings.isDragAnDrop = true;
+      _this.settings.isDragAnDrop = settings.allowDragMove;
       _this.dispatch.on('nodeSelectedAfter.pageTree', _this.nodeSelectedAfter);
       _this.dispatch.on('nodeRightClick.pageTree', _this.nodeRightClick);
       _this.dispatch.on('contextmenu.pageTree', _this.contextmenu);