[TYPO3-core] RFC: Bug 5704: IRRE - Children on the table pages get the pid of the parent page in pagetree

Oliver Hader oh at inpublica.de
Tue Jun 12 10:30:40 CEST 2007


Hi Franz,

Franz Holzinger wrote:
> Hello Oliver,
>> the pid for the new page is not an integer. Thus, the access to this new
>> page cannot be checked within TCEforms_inline and is just passed.
>> If the new page could not be created because of missing access rights,
>>  saving the new child records will also fail in TCEmain. Thus, the check
>> is delegated to TCEmain automatically.
>> This is a bugfix concerning IRRE: If nobody objects within one week,
>> I'll commit this change to SVN.
> 
> I think in the case where a new page is created with IRRE, then it
> should be checked here if the current backend user has rights to edit
> the parent page record.

We're talking about the child records here. If the current back-end user
doesn't have rights to edit the parent, this should be realized by TCEforms.

> if (t3lib_div::testInt($this->inlineFirstPid)) {
> Add here a check to the pid field of the current record.
> $calcPRec = t3lib_BEfunc::getRecord('pages', $this->inlineFirstPid);
> Check the parent record. And if he has no permissions for the parent
> record then nothing shall continue from here.

Yes, and exactly this isn't possible, because the pid of the new child
record is "NEW12345678" in this case and cannot be checked. The creation
of new child records is done via AJAX call. The only possibility would
be to forward also the data of the parent record with each AJAX call
concerning only child records.

In exactly this case, the check will be done by TCEmain. If the parent
(here a new record on the table pages) could not be created because of
missing access rights, the child records won't be stored because the pid
with the value "NEW12345678" could not be substituted by a proper integer.

The part in TCEforms_inline you mentioned is only for creating new child
records not for editing existing ones.


olly
-- 
Oliver Hader
http://inpublica.de/
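
The deferral discussed in this thread, as a simplified stand-alone PHP model added here; it is not TYPO3 code or code from either poster. The function names, the permission table and the uids are hypothetical and constructed for illustration.

```php
<?php
// Simplified model of the behaviour described in the mail; not TYPO3 code.
// All function names and the permission table are hypothetical.

// Constructed sample data: existing page uid => may the user create records there?
const MAY_CREATE_ON = [1 => true, 2 => false];

function isIntegerPid($pid): bool
{
    return is_int($pid) || (is_string($pid) && ctype_digit($pid));
}

// Form side: only an integer pid can be checked; a "NEW..." placeholder is passed on.
function formSideAllows($pid): bool
{
    return isIntegerPid($pid) ? (MAY_CREATE_ON[(int)$pid] ?? false) : true;
}

// Save side: create parents first, then store only children whose pid resolves.
function saveAll(array $newPages, array $children): array
{
    $substituted = [];
    $nextUid = 100; // constructed starting uid
    foreach ($newPages as $placeholder => $parentPid) {
        if (MAY_CREATE_ON[$parentPid] ?? false) {
            $substituted[$placeholder] = $nextUid++;
        }
    }
    $result = ['stored' => [], 'rejected' => []];
    foreach ($children as $name => $pid) {
        if (isIntegerPid($pid)) {
            $ok = MAY_CREATE_ON[(int)$pid] ?? false;
        } else {
            $ok = isset($substituted[$pid]); // unresolved placeholder: parent was refused
        }
        $result[$ok ? 'stored' : 'rejected'][] = $name;
    }
    return $result;
}

var_dump(formSideAllows('NEW12345678')); // form-side decision for a placeholder pid
print_r(saveAll(
    ['NEW111' => 1, 'NEW222' => 2], // new pages requested under page 1 and page 2
    ['childA' => 'NEW111', 'childB' => 'NEW222', 'childC' => '2']
));
```

In this model the form-side check is not a security boundary for placeholder pids; the save step is the only place where a child of a refused parent is stopped.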

