tl_page::checkPermission PHP Method

checkPermission() public method

Check permissions to edit table tl_page
public checkPermission ( )
    /**
     * Check permissions to edit table tl_page
     *
     * Administrators are exempt (early return). For every other back-end user
     * this method
     *  - seeds the cuser/cgroup DCA field defaults,
     *  - restricts the visible page tree to the user's page mounts,
     *  - narrows the "edit/delete multiple" and clipboard ID lists kept in the
     *    session to the pages the user may actually edit, delete or move, and
     *    writes the session back,
     *  - closes the DCA when editing a page whose parent the user may not
     *    restructure, and
     *  - for any other action except "paste" (and "show"), resolves the
     *    required BackendUser permission and verifies that every page involved
     *    is mounted for the user and passes isAllowed().
     *
     * The method mutates $GLOBALS['TL_DCA']['tl_page'] and the session as side
     * effects and returns nothing.
     *
     * @throws Contao\CoreBundle\Exception\AccessDeniedException if the current
     *         action touches a page the user is not allowed to act on
     */
    public function checkPermission()
    {
        // Administrators are never restricted; none of the checks below apply.
        if ($this->User->isAdmin) {
            return;
        }
        /** @var Symfony\Component\HttpFoundation\Session\SessionInterface $objSession */
        $objSession = System::getContainer()->get('session');
        // Work on a plain-array copy; it is written back with replace() below.
        $session = $objSession->all();
        // Set the default page user and group
        // "?:" tests truthiness, so an unset or 0 config value falls back to
        // the current user. groups[0] assumes the user belongs to at least one
        // group — TODO confirm this holds for every non-admin user.
        $GLOBALS['TL_DCA']['tl_page']['fields']['cuser']['default'] = intval(Config::get('defaultUser') ?: $this->User->id);
        $GLOBALS['TL_DCA']['tl_page']['fields']['cgroup']['default'] = intval(Config::get('defaultGroup') ?: $this->User->groups[0]);
        // Restrict the page tree
        // Only the user's mounted pages become roots of the back-end tree.
        $GLOBALS['TL_DCA']['tl_page']['list']['sorting']['root'] = $this->User->pagemounts;
        // Set allowed page IDs (edit multiple)
        // Note: read without isset(); a missing key yields null, is_array(null)
        // is false and the block is skipped (possibly with an undefined-index
        // notice, depending on error reporting).
        if (is_array($session['CURRENT']['IDS'])) {
            $edit_all = array();
            $delete_all = array();
            foreach ($session['CURRENT']['IDS'] as $id) {
                $objPage = $this->Database->prepare("SELECT id, pid, type, includeChmod, chmod, cuser, cgroup FROM tl_page WHERE id=?")->limit(1)->execute($id);
                // Drop IDs that do not exist or whose page type the user may
                // not handle at all ('alpty' — presumably the allowed page
                // types field of the user; confirm).
                if ($objPage->numRows < 1 || !$this->User->hasAccess($objPage->type, 'alpty')) {
                    continue;
                }
                $row = $objPage->row();
                if ($this->User->isAllowed(BackendUser::CAN_EDIT_PAGE, $row)) {
                    $edit_all[] = $id;
                }
                // Mounted pages cannot be deleted
                // (a mount is the root of the user's tree; removing it would
                // remove the user's own access point)
                if ($this->User->isAllowed(BackendUser::CAN_DELETE_PAGE, $row) && !$this->User->hasAccess($id, 'pagemounts')) {
                    $delete_all[] = $id;
                }
            }
            // Replace the requested list with the filtered one; which list is
            // used depends on the action (loose string comparison).
            $session['CURRENT']['IDS'] = Input::get('act') == 'deleteAll' ? $delete_all : $edit_all;
        }
        // Set allowed clipboard IDs
        // Same filtering for the clipboard, but moving/copying is a hierarchy
        // change, so CAN_EDIT_PAGE_HIERARCHY is required instead of CAN_EDIT_PAGE.
        if (isset($session['CLIPBOARD']['tl_page']) && is_array($session['CLIPBOARD']['tl_page']['id'])) {
            $clipboard = array();
            foreach ($session['CLIPBOARD']['tl_page']['id'] as $id) {
                $objPage = $this->Database->prepare("SELECT id, pid, type, includeChmod, chmod, cuser, cgroup FROM tl_page WHERE id=?")->limit(1)->execute($id);
                if ($objPage->numRows < 1 || !$this->User->hasAccess($objPage->type, 'alpty')) {
                    continue;
                }
                if ($this->User->isAllowed(BackendUser::CAN_EDIT_PAGE_HIERARCHY, $objPage->row())) {
                    $clipboard[] = $id;
                }
            }
            $session['CLIPBOARD']['tl_page']['id'] = $clipboard;
        }
        // Overwrite session
        // Persist the narrowed ID lists so that whatever processes the bulk
        // action afterwards (presumably the DCA driver) only sees permitted IDs.
        $objSession->replace($session);
        // Check permissions to save and create new
        // When editing, look up the *parent* of the edited page (sub-select on
        // pid). If the user may not change the hierarchy below that parent,
        // the DCA is closed (Contao: no new records may be created).
        if (Input::get('act') == 'edit') {
            $objPage = $this->Database->prepare("SELECT * FROM tl_page WHERE id=(SELECT pid FROM tl_page WHERE id=?)")->limit(1)->execute(Input::get('id'));
            if ($objPage->numRows && !$this->User->isAllowed(BackendUser::CAN_EDIT_PAGE_HIERARCHY, $objPage->row())) {
                $GLOBALS['TL_DCA']['tl_page']['config']['closed'] = true;
            }
        }
        // Check current action
        // Everything except an empty act and "paste" is verified here; "show"
        // is additionally excluded further down.
        if (Input::get('act') && Input::get('act') != 'paste') {
            // Required BackendUser permission; stays 0 for actions the switch
            // below does not list (e.g. "show" or an unknown act).
            $permission = 0;
            // CURRENT_ID is a constant presumably defined by the DCA driver
            // before this callback runs — confirm; the request "id" is the
            // fallback.
            $cid = CURRENT_ID ?: Input::get('id');
            // $ids collects every page that must pass the checks: the current
            // page first, then any target page the action involves.
            $ids = $cid != '' ? array($cid) : array();
            // Set permission
            switch (Input::get('act')) {
                case 'edit':
                case 'toggle':
                    $permission = BackendUser::CAN_EDIT_PAGE;
                    break;
                case 'move':
                    $permission = BackendUser::CAN_EDIT_PAGE_HIERARCHY;
                    // "sid" is presumably the target page of the move — confirm
                    $ids[] = Input::get('sid');
                    break;
                case 'create':
                case 'copy':
                case 'copyAll':
                case 'cut':
                case 'cutAll':
                    $permission = BackendUser::CAN_EDIT_PAGE_HIERARCHY;
                    // Check the parent page in "paste into" mode
                    // mode 2 = paste into "pid" itself; otherwise the page is
                    // pasted after "pid", so its parent is the page to check.
                    if (Input::get('mode') == 2) {
                        $ids[] = Input::get('pid');
                    } else {
                        $objPage = $this->Database->prepare("SELECT pid FROM tl_page WHERE id=?")->limit(1)->execute(Input::get('pid'));
                        $ids[] = $objPage->pid;
                    }
                    break;
                case 'delete':
                    $permission = BackendUser::CAN_DELETE_PAGE;
                    break;
            }
            // Check user permissions
            if (Input::get('act') != 'show') {
                $pagemounts = array();
                // Get all allowed pages for the current user
                // Every mount root plus its child records (presumably all
                // descendants — confirm getChildRecords recurses). The root
                // itself is left out for "delete", mirroring the "mounted
                // pages cannot be deleted" rule above.
                foreach ($this->User->pagemounts as $root) {
                    if (Input::get('act') != 'delete') {
                        $pagemounts[] = $root;
                    }
                    $pagemounts = array_merge($pagemounts, $this->Database->getChildRecords($root, 'tl_page'));
                }
                $error = false;
                $pagemounts = array_unique($pagemounts);
                // Do not allow to paste after pages on the root level (pagemounts)
                // Pasting after a top-level mount would place the page outside
                // the user's tree. eliminateNestedPages() presumably drops
                // mounts that lie inside another mount — confirm. in_array is
                // non-strict here and below (request values are strings, IDs
                // from the database are integers).
                if ((Input::get('act') == 'cut' || Input::get('act') == 'cutAll') && Input::get('mode') == 1 && in_array(Input::get('pid'), $this->eliminateNestedPages($this->User->pagemounts))) {
                    throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to paste page ID ' . Input::get('id') . ' after mounted page ID ' . Input::get('pid') . ' (root level).');
                }
                // Check each page
                // Any failure sets $error and stops; the exception is thrown
                // after the loop.
                foreach ($ids as $i => $id) {
                    if (!in_array($id, $pagemounts)) {
                        $this->log('Page ID ' . $id . ' was not mounted', __METHOD__, TL_ERROR);
                        $error = true;
                        break;
                    }
                    // Get the page object
                    $objPage = $this->Database->prepare("SELECT * FROM tl_page WHERE id=?")->limit(1)->execute($id);
                    // A mounted ID that no longer exists is skipped rather than
                    // denied — presumably harmless because the subsequent DCA
                    // operation finds no record; confirm.
                    if ($objPage->numRows < 1) {
                        continue;
                    }
                    // Check whether the current user is allowed to access the current page
                    // (with $permission still 0 for unlisted actions, whatever
                    // isAllowed() makes of 0 decides — confirm that behaviour)
                    if (!$this->User->isAllowed($permission, $objPage->row())) {
                        $error = true;
                        break;
                    }
                    // Check the type of the first page (not the following parent pages)
                    // In "edit multiple" mode, $ids contains only the parent ID, therefore check $id != $_GET['pid'] (see #5620)
                    // Skipped for "create" because the new page has no type yet.
                    if ($i == 0 && $id != Input::get('pid') && Input::get('act') != 'create' && !$this->User->hasAccess($objPage->type, 'alpty')) {
                        $this->log('Not enough permissions to  ' . Input::get('act') . ' ' . $objPage->type . ' pages', __METHOD__, TL_ERROR);
                        $error = true;
                        break;
                    }
                }
                // Redirect if there is an error
                // (the exception is what actually ends the request; the
                // framework presumably turns it into a redirect/403 — confirm)
                if ($error) {
                    throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to ' . Input::get('act') . ' page ID ' . $cid . ' or paste after/into page ID ' . Input::get('pid') . '.');
                }
            }
        }
    }