georgringer / news

TYPO3 Extension news
GNU General Public License v2.0

categoryBeGroupTceFormsRestriction doesn't work? #252

Closed r4fx closed 6 years ago

r4fx commented 7 years ago

Documentation says:

categoryBeGroupTceFormsRestriction: If activated, an editor needs to have permissions to all categories added to a news item to be able to edit this record.

Situation:

News record X has category ABC selected; the user has access only to category XYZ.

When the user clicks to edit record X, he should get a message (or something) that editing this record is not possible, right? If so, this doesn't work that way; currently the user may edit all of the records.

georgringer commented 7 years ago

There should be a message if it is saved. Does that work for you?

r4fx commented 7 years ago

Nope, I can save changes regardless of the selected category; there is no message.

eBornstein commented 7 years ago

I can only confirm this. I have the same problem. My user can't see category x (no rights) but can edit the news with category x.

eBornstein commented 7 years ago

OK, I think it's a bug/problem in here: https://github.com/georgringer/news/blob/befa197b3463b8d55709ea4901b733fc53ba8be2/Classes/Hooks/DataHandler.php#L71 Deleting shows an error message, but editing/saving and hiding do not.

dominikmuellerwf commented 7 years ago

Same problem here after a couple of months. Does anyone have a solution?

kuijs commented 6 years ago

We are experiencing the same problem with TYPO3 8.7.4 and news 6.1.1. The editor is seeing the news although it is not in his categories, and the news is editable and saveable without any warnings. Is there anything we can contribute to support you, as this function is crucial in our large project?

kuijs commented 6 years ago

New findings:

ghost commented 6 years ago

I still have this problem with TYPO3 8.7.10 and news 6.3.0. A user can edit all news. But the categories he has no permission for are deleted after saving the record...

foobar13373 commented 6 years ago

@georgringer I can confirm this issue. We have news records with some categories. Editor A only has access to some of these categories. He can edit the news record (which is correct in our use case), but the categories he has no access to are dropped from the news record upon saving (which is the bug).

I also believe that the TYPO3 core itself had such a bug in TYPO3 6 LTS which was fixed in 7 and 8 LTS - the core had dropped Frontend user groups from records if the editing user had no rights to see the groups. In 7 and 8 this is handled correctly and saved records are only altered on the allowed subset of the editing user.

I could imagine that it's possible to remove the categories hook from the news extension as a whole or restrict it to lower than TYPO3 7.

foobar13373 commented 6 years ago

@georgringer Is it possible that you are missing the following hook registration at all?

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tcemain.php']['processDatamapClass'][] = \GeorgRinger\News\Hooks\DataHandler::class;

edit: Yes, registering the hook this way fixes the issue for us.

edit2: This already existed as a PR as I just noticed: https://github.com/georgringer/news/pull/411

georgringer commented 6 years ago

merged that PR
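
The two behaviours discussed in this thread, as an added example that is not code from EXT:news or the TYPO3 core: a plain-PHP model of the documented restriction (the editor needs permission for every category on the record) next to a save that only alters the editor's permitted subset. The function names and category uids are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: a plain-PHP model, not the extension's or the core's implementation.
// Function names and category uids are assumptions made up for this example.

/**
 * Documented restriction: editing is allowed only if every category
 * attached to the record is within the editor's permitted categories.
 */
function editorMayEdit(array $recordCategories, array $allowedCategories): bool
{
    return array_diff($recordCategories, $allowedCategories) === [];
}

/**
 * Save that changes only the editor's permitted subset: categories the editor
 * cannot see stay on the record, and submitted uids outside the permitted set are ignored.
 */
function mergeCategories(array $stored, array $submitted, array $allowed): array
{
    $untouchable = array_diff($stored, $allowed);         // not visible to the editor, keep as stored
    $accepted    = array_intersect($submitted, $allowed); // editor may only set permitted uids
    $merged      = array_unique(array_merge($untouchable, $accepted));
    sort($merged);

    return $merged;
}

// Constructed sample data
$stored    = [3, 7, 12]; // categories currently on the news record
$allowed   = [7, 9];     // categories the editor's backend group may use
$submitted = [7, 9];     // the form lists only permitted categories; the editor adds 9

// With the restriction active, this record must not be editable by this editor.
var_dump(editorMayEdit($stored, $allowed));

// Writing $submitted back unchanged drops every category the editor could not see.
echo 'naive overwrite: ', implode(',', $submitted), PHP_EOL;

// Merging against the stored value keeps the categories outside the editor's permissions.
echo 'subset-only save: ', implode(',', mergeCategories($stored, $submitted, $allowed)), PHP_EOL;
```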