‪TYPO3CMS  ‪main
DatabaseUserPermissionCheck.php
Go to the documentation of this file.
1 <?php
2 
3 /*
4  * This file is part of the TYPO3 CMS project.
5  *
6  * It is free software; you can redistribute it and/or modify it under
7  * the terms of the GNU General Public License, either version 2
8  * of the License, or any later version.
9  *
10  * For the full copyright and license information, please read the
11  * LICENSE.txt file that was distributed with this source code.
12  *
13  * The TYPO3 project - inspiring people to share!
14  */
15 
16 namespace ‪TYPO3\CMS\Backend\Form\FormDataProvider;
17 
18 use Psr\EventDispatcher\EventDispatcherInterface;
19 use ‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent;
20 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedContentEditException;
21 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedEditInternalsException;
22 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedException;
23 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedListenerException;
24 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedPageEditException;
25 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedPageNewException;
26 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedRootNodeException;
27 use ‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedTableModifyException;
28 use ‪TYPO3\CMS\Backend\Form\FormDataProviderInterface;
29 use TYPO3\CMS\Backend\Utility\BackendUtility;
30 use ‪TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
31 use ‪TYPO3\CMS\Core\Type\Bitmask\Permission;
32 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
33 
37 class ‪DatabaseUserPermissionCheck implements ‪FormDataProviderInterface
38 {
55  public function ‪addData(array $result)
56  {
57  $backendUser = $this->‪getBackendUser();
58 
59  // Early return for admins
60  if ($backendUser->isAdmin()) {
61  $result['userPermissionOnPage'] = ‪Permission::ALL;
62  return $result;
63  }
64 
65  if (!$backendUser->check('tables_modify', $result['tableName'])) {
66  // If user has no modify rights on table, processing is stopped by throwing an
67  // exception immediately. This case can not be circumvented by hooks.
68  throw new ‪AccessDeniedTableModifyException(
69  'No table modify permission for user ' . $backendUser->user['uid'] . ' on table ' . $result['tableName'],
70  1437683248
71  );
72  }
73 
74  $exception = null;
75  $userPermissionOnPage = new ‪Permission(‪Permission::NOTHING);
76  if ($result['command'] === 'new') {
77  // A new record is created. Access rights of parent record are important here
78  // @todo: In case of new inline child, parentPageRow should probably be the
79  // @todo: "inlineFirstPid" page - Maybe effectivePid and parentPageRow should be calculated differently then?
80  if (is_array($result['parentPageRow'])) {
81  // Record is added below an existing page
82  $userPermissionOnPage = new ‪Permission($backendUser->calcPerms($result['parentPageRow']));
83  if ($result['tableName'] === 'pages') {
84  // New page is created, user needs PAGE_NEW for this
85  if (!$userPermissionOnPage->createPagePermissionIsGranted()) {
86  $exception = new ‪AccessDeniedPageNewException(
87  'No page new permission for user ' . $backendUser->user['uid'] . ' on page ' . $result['databaseRow']['uid'],
88  1437745640
89  );
90  }
91  } elseif (!$userPermissionOnPage->editContentPermissionIsGranted()) {
92  // A regular record is added, not a page. User needs CONTENT_EDIT permission
93  $exception = new ‪AccessDeniedContentEditException(
94  'No content new permission for user ' . $backendUser->user['uid'] . ' on page ' . $result['parentPageRow']['uid'],
95  1437745759
96  );
97  }
98  } elseif (BackendUtility::isRootLevelRestrictionIgnored($result['tableName'])) {
99  // Non admin is creating a record on root node for a table that is actively allowed
100  $userPermissionOnPage->set(‪Permission::ALL);
101  } else {
102  // Non admin has no create permission on root node records
103  $exception = new ‪AccessDeniedRootNodeException(
104  'No record creation permission for user ' . $backendUser->user['uid'] . ' on page root node',
105  1437745221
106  );
107  }
108  } else {
109  // A page or a record on a page is edited
110  if ($result['tableName'] === 'pages') {
111  // A page record is edited, check edit rights of this record directly
112  $userPermissionOnPage = new ‪Permission($backendUser->calcPerms($result['defaultLanguagePageRow'] ?? $result['databaseRow']));
113  if (!$userPermissionOnPage->editPagePermissionIsGranted()
114  || !$backendUser->check('pagetypes_select', $result['databaseRow'][$result['processedTca']['ctrl']['type']])
115  ) {
116  $exception = new ‪AccessDeniedPageEditException(
117  'No page edit permission for user ' . $backendUser->user['uid'] . ' on page ' . $result['databaseRow']['uid'],
118  1437679336
119  );
120  }
121  } elseif (isset($result['parentPageRow']) && is_array($result['parentPageRow'])) {
122  // A non page record is edited.
123  // If there is a parent page row, check content edit right of user
124  $userPermissionOnPage = new ‪Permission($backendUser->calcPerms($result['parentPageRow']));
125  if (!$userPermissionOnPage->editContentPermissionIsGranted()) {
126  $exception = new ‪AccessDeniedContentEditException(
127  'No content edit permission for user ' . $backendUser->user['uid'] . ' on page ' . $result['parentPageRow']['uid'],
128  1437679657
129  );
130  }
131  } elseif (BackendUtility::isRootLevelRestrictionIgnored($result['tableName'])) {
132  // Non admin is editing a record on root node for a table that is actively allowed
133  $userPermissionOnPage->set(‪Permission::ALL);
134  } else {
135  // Non admin has no edit permission on root node records
136  // @todo: This probably needs further handling, see http://review.typo3.org/40835
137  $exception = new ‪AccessDeniedRootNodeException(
138  'No content edit permission for user ' . $backendUser->user['uid'] . ' on page root node',
139  1437679856
140  );
141  }
142  // If general access is allowed, check "recordEditAccessInternals"
143  if ($exception === null
144  && !$backendUser->recordEditAccessInternals($result['tableName'], $result['databaseRow'])
145  ) {
146  $exception = new ‪AccessDeniedEditInternalsException($backendUser->errorMsg, 1437687404);
147  }
148  }
149 
150  $userHasAccess = GeneralUtility::makeInstance(EventDispatcherInterface::class)->dispatch(
151  new ‪ModifyEditFormUserAccessEvent(
152  $exception,
153  $result['tableName'],
154  $result['command'],
155  $result['databaseRow'],
156  )
157  )->doesUserHaveAccess();
158 
159  // Throw specific exception because a listener to the Event denied the previous positive user access decision
160  if ($exception === null && !$userHasAccess) {
161  $exception = new ‪AccessDeniedListenerException(
162  'Access to table ' . $result['tableName'] . ' for user ' . $backendUser->user['uid'] . ' was denied by a ModifyRecordEditUserAccessEvent listener',
163  1662727149
164  );
165  }
166 
167  // Unset a previous exception because a listener to the Event allowed the previous negative user access decision
168  if ($exception !== null && $userHasAccess) {
169  $exception = null;
170  }
171 
172  if ($exception) {
173  throw $exception;
174  }
175 
176  $result['userPermissionOnPage'] = $userPermissionOnPage->__toInt();
177 
178  return $result;
179  }
180 
181  protected function ‪getBackendUser(): ‪BackendUserAuthentication
182  {
183  return ‪$GLOBALS['BE_USER'];
184  }
185 }
‪TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseUserPermissionCheck
Definition: DatabaseUserPermissionCheck.php:38
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedContentEditException
Definition: AccessDeniedContentEditException.php:21
‪TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseUserPermissionCheck\addData
‪array addData(array $result)
Definition: DatabaseUserPermissionCheck.php:55
‪TYPO3\CMS\Backend\Form\FormDataProvider\DatabaseUserPermissionCheck\getBackendUser
‪getBackendUser()
Definition: DatabaseUserPermissionCheck.php:181
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedRootNodeException
Definition: AccessDeniedRootNodeException.php:21
‪TYPO3\CMS\Core\Type\Bitmask\Permission\NOTHING
‪const NOTHING
Definition: Permission.php:30
‪TYPO3\CMS\Core\Type\Bitmask\Permission
Definition: Permission.php:26
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedListenerException
Definition: AccessDeniedListenerException.php:23
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedEditInternalsException
Definition: AccessDeniedEditInternalsException.php:21
‪TYPO3\CMS\Core\Type\Bitmask\Permission\ALL
‪const ALL
Definition: Permission.php:60
‪TYPO3\CMS\Backend\Form\Event\ModifyEditFormUserAccessEvent
Definition: ModifyEditFormUserAccessEvent.php:27
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedTableModifyException
Definition: AccessDeniedTableModifyException.php:21
‪TYPO3\CMS\Core\Authentication\BackendUserAuthentication
Definition: BackendUserAuthentication.php:62
‪TYPO3\CMS\Backend\Form\FormDataProvider
Definition: AbstractDatabaseRecordProvider.php:16
‪TYPO3\CMS\Backend\Form\FormDataProviderInterface
Definition: FormDataProviderInterface.php:23
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:25
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedException
Definition: AccessDeniedException.php:25
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedPageNewException
Definition: AccessDeniedPageNewException.php:21
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:52
‪TYPO3\CMS\Backend\Form\Exception\AccessDeniedPageEditException
Definition: AccessDeniedPageEditException.php:21