[TYPO3-hci] Extended page/record lookup "window"

Martin Kutschker masi-no at spam-typo3.org
Fri Apr 3 17:32:32 CEST 2009


Steffen Ritter wrote:
> 
>> You need to check the resulting pids against the user's page permissions
>> as well!
> 
> I'm already checking this by:

You didn't say so :)

> if( $GLOBALS['BE_USER']->isAdmin() ) {
>     $xml .= t3lib_div::array2xml($result,'',0,'row');
> } else if ( $GLOBALS['BE_USER']->isInWebMount($result['pid']) ) {
>     $xml .= t3lib_div::array2xml($result,'',0,'row');
> }

Three comments:

* You can leave out the admin check as
$GLOBALS['BE_USER']->isInWebMount() does this for you. IMHO it doesn't
add extra security, but adds complexity.

* You should call $GLOBALS['BE_USER']->getPagePermsClause(2) and use the
return value in the call to $GLOBALS['BE_USER']->isInWebMount().
Otherwise you link to records on pages the user may not edit.
See class.t3lib_userauthgroup.php for details.

* You should cache the results of the permission check locally. The
calls are expensive and you might have a search that finds many results
on a single page.

Masi

>> PS: As an admin it is now possible to search for a page id and to
>> search with a table like "<table>:<search>". This shouldn't go away
>> (unless I get the drop down).
> This type of search is currently not supported; I will have a look at
> it. Your feature request to preselect the search table and page type
> (folder or page) is on my list, but it will have to wait until the
> "first stable version" is finished.

The page type idea is nice. Please add the "recycler" to the list of page types.

Masi
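
The three points above, pulled together in one function as an added example (this is not code from the thread or from Steffen's extension). It assumes the TYPO3 4.x backend context in which $GLOBALS['BE_USER'] (t3lib_userAuthGroup) and t3lib_div are loaded, that each result row carries a 'pid' column as in the quoted snippet, and that the search knows which table the rows came from; the function name and the $table parameter are hypothetical. The table-access check at the top goes beyond what the thread discusses and is marked as such.

```php
<?php
/*
 * Added example, not code from the mailing-list thread: filter search
 * result rows by the backend user's page permissions as suggested above.
 * Assumes TYPO3 4.x ($GLOBALS['BE_USER'] is a t3lib_userAuthGroup,
 * t3lib_div is loaded) and that every row has a 'pid' key.
 */

/**
 * Return an XML fragment (one <row> element per record, built with
 * t3lib_div::array2xml() like the original code) containing only the
 * records on pages the current backend user is allowed to edit.
 *
 * @param string $table  table the rows were selected from (hypothetical parameter)
 * @param array  $rows   result rows, each with at least a 'pid' key
 * @return string
 */
function hci_filterRowsByPagePerms($table, array $rows) {
	$beUser = $GLOBALS['BE_USER'];

	// Beyond the thread: a user without select access to the table gets
	// nothing at all, whatever the page permissions say.
	if (!$beUser->check('tables_select', $table)) {
		return '';
	}

	// Permission clause for editing (1 = show, 2 = edit). isInWebMount()
	// falls back to the "show" clause when none is given, so pass this
	// explicitly; otherwise the hit list links to records on pages the
	// user may see but not edit. Admins get a clause that matches every
	// page and isInWebMount() short-circuits for them, so no separate
	// isAdmin() branch is needed.
	$editPermsClause = $beUser->getPagePermsClause(2);

	// Local cache of pid => allowed. isInWebMount() walks the rootline on
	// every call, and a hit list often has many records on one page.
	$permittedPids = array();

	$xml = '';
	foreach ($rows as $row) {
		$pid = intval($row['pid']);
		if (!isset($permittedPids[$pid])) {
			// isInWebMount() returns the mount point uid, or NULL if the
			// page is outside the user's mounts or fails the clause.
			$permittedPids[$pid] = (bool) $beUser->isInWebMount($pid, $editPermsClause);
		}
		if ($permittedPids[$pid]) {
			$xml .= t3lib_div::array2xml($row, '', 0, 'row');
		}
	}
	return $xml;
}
```

The cache is keyed on the pid only, which is safe because the permission clause is fixed for the duration of one request; if the search runs once per request, as in the original snippet, the array can simply be a local variable as shown.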


More information about the TYPO3-team-hci mailing list