Backend: MediaManager missing rights on drag&drop is not shown.

[UlrichKu]

Describe the bug Moving a picture in the backend media manager (Content > Media with Drag&Drop) that belongs to a different user will result in a server error (Internal server error). Important: The user (his/her groups) may not include the right "edit all" on the table cms_media.

Expected There should be a recognizable error message for the user ("insufficient rights" or similar) and no more. And/or the drag&drop preview popup should already show this.

Affected version(s) 7.0+

Technical details That might be a bit hidden: MediaManagerBackendModule::moveImages() needs 4 hops to end up the failing location \TCMSTableEditorEndPoint::AllowEdit() (with $bHasAllowEditView evaluating to false)

[UlrichKu]

There are a number of other cases where users (rights) are not compared to items (rights).

• Every media item shows edit or delete buttons in the list view for items that cannot be deleted or edited (because they belong to a different user)
• The detail view or delete confirmation also shows all (forbidden) buttons (ie "Replace")
• The detail view's table view show an exception (in development mode)

The reason for all this is that - if there is a rights check - it only compares with table rights but not with the individual item rights. A normal user may create new entries and edit them (table rights) but not those of other users (item rights).