netresearch / t3x-rte_ckeditor_image

Image support in CKEditor for the TYPO3 ecosystem
GNU Affero General Public License v3.0

Image selector not working with non-admin user #290

Open fsuter opened 3 days ago

fsuter commented 3 days ago

Bug description

I have installed the extension and successfully configured it so that the "Image" button appears in the RTE. Selecting an image works fine when I am an admin user. When I try the same as a regular user, I get an InsufficientFolderAccessPermissionsException exception (see screenshot).

I dug into the code and it seems related to missing bparams query parameters sent when the element browser is called up. The fact that they are missing prevents the underlying code from identifying a folder. When I look at the Resources/Public/JavaScript/Plugins/typo3image.js file, I can see that in version 11.0.15, bparams were assembled:

    var bparams = [
            editor.name, // $fieldRef
            'ckeditor', // $rteParams
            'typo3image', // $rteConfig
            editor.config.typo3image.allowedExtensions || '', // allowedFileExtensions -> Defaults set in controller
            editor.name // $irreObjectId
        ],
        routeUrl = editor.config.typo3image.routeUrl,
        url = routeUrl
            + (routeUrl.indexOf('?') === -1 ? '?' : '&')
            + 'contentsLanguage=' + editor.config.contentsLanguage
            + '&editorId=' + editor.id
            + '&bparams=' + bparams.join('|'),
        deferred = $.Deferred(),
        $modal;

In version 12.0.2, bparams seem ignored:

    const bparams = [
        '',
        '',
        '',
        '',
    ];

    // TODO: Use ajaxUrl
    const contentUrl = editor.config.get('style').typo3image.routeUrl + '&contentsLanguage=en&editorId=123&bparams=' + bparams.join('|');

Steps to reproduce

To reproduce the problem:

  1. Log in as a non-admin user
  2. Edit some record with an RTE having the image button
  3. Click on the image button
  4. See the exception

Expected behavior

The user should see the element browser with the files from the folder he/she has access to.

Screenshots or logs

Screenshot 2024-06-26 at 09 05 52


fsuter commented 3 days ago

As a follow-up, I wanted to highlight the differences in URLs in version 11 and 12 of the extension (and TYPO3), in case that helps.

Here is a typical URL with TYPO3 11.5.37 and rte_ckeditor_image 11.0.15:

https://catalog3.chuv.ch/typo3/rte/wizard/selectimage?token=e446647b8a75009d82dfa0a0a932664ad035e488&mode=file&P[table]=tx_catalogdata_domain_model_gynobsprotocol&P[uid]=158&P[fieldName]=content_definition&P[recordType]=0&P[pid]=2&P[richtextConfigurationName]=images&contentsLanguage=en&editorId=cke_1&bparams=data_tx_catalogdata_domain_model_gynobsprotocol__158__content_definition_|ckeditor|typo3image||data_tx_catalogdata_domain_model_gynobsprotocol__158__content_definition_

And here is the URL with TYPO3 12.4.16 and rte_ckeditor_image 12.0.2:

https://catalog.ddev.site/typo3/rte/wizard/selectimage?token=e2205286d2bc1ca303f881f43ddf0065626c3519&mode=file&contentsLanguage=en&editorId=123&bparams=|||

fsuter commented 2 days ago

For information, if I manually add the query variable &expandFolder=2:/foo/ to the above-mentioned URL (a folder to which the user has access), it works. I don't know where that information used to come from in v11. What I think I am facing is that the code falls back to the default storage (in this case fileadmin) to which the user does not have access.

I have tried setting a default upload folder using TSconfig, but it does not help.

fsuter commented 2 days ago

The change of behavior is due to the Core having massively modified the \TYPO3\CMS\Filelist\ElementBrowser\FileBrowser::render() method. It used to take the bparams into account to identify a folder, or failing that it would consider the user settings, including TSconfig. This is not the case anymore and I can't find an entry point (event, hook, or whatever) to modify the folder.

It seems that what is needed is to pass an expandFolder query variable into the call to the element browser modal. So it's up to the extension to do this work now. Ideally it should provide a base folder resolution and provide an event to modify the folder identifier (in my case, upload folders are defined per TCA field).

I will try to work something out, because my need is urgent, but I may need help in understanding part of the code. I'm not familiar with CKEditor plugins, nor how they interact with TYPO3.
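Added example, not part of the issue thread or the extension's code: a sketch of building the element browser URL with encoded parameters and an optional `expandFolder` hint, plus a helper that reports which folder context a given URL carries. The function names, option names and sample values are hypothetical; the `bparams` layout follows the v11 snippet quoted above.

```javascript
// Added example (not from rte_ckeditor_image); function and option names are hypothetical.

// Return the query string of an absolute or relative URL as URLSearchParams.
function queryOf(url) {
  const i = url.indexOf('?');
  return new URLSearchParams(i === -1 ? '' : url.slice(i + 1));
}

// Build the element browser URL with encoded parameters instead of string
// concatenation. bparams keeps the five-field layout shown in the v11 snippet.
function buildBrowserUrl(routeUrl, opts) {
  const i = routeUrl.indexOf('?');
  const path = i === -1 ? routeUrl : routeUrl.slice(0, i);
  const params = queryOf(routeUrl);
  const bparams = [opts.fieldRef, 'ckeditor', 'typo3image',
                   opts.allowedExtensions || '', opts.fieldRef];
  params.set('contentsLanguage', opts.contentsLanguage);
  params.set('editorId', opts.editorId);
  params.set('bparams', bparams.join('|'));
  // Folder hint only; access to the folder is still decided server-side.
  if (opts.expandFolder) params.set('expandFolder', opts.expandFolder);
  return path + '?' + params.toString();
}

// Report which field reference and folder hint a browser URL carries.
function inspectBrowserUrl(url) {
  const params = queryOf(url);
  const bparams = (params.get('bparams') || '').split('|');
  return {
    fieldRef: bparams[0] || null,
    bparamsFields: bparams.length,
    expandFolder: params.get('expandFolder'),
  };
}

// Constructed sample values (the token is a placeholder).
const route = '/typo3/rte/wizard/selectimage?token=PLACEHOLDER&mode=file';
const fixed = buildBrowserUrl(route, {
  fieldRef: 'data_tx_example__158__content_',
  contentsLanguage: 'en',
  editorId: 'cke_1',
  expandFolder: '2:/foo/',
});
// Same shape as the v12 URL in the thread: empty bparams, no folder hint.
const v12Shaped = route + '&contentsLanguage=en&editorId=123&bparams=|||';
console.log(inspectBrowserUrl(fixed));
console.log(inspectBrowserUrl(v12Shaped));
```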