Correctly check the permission to move child records as non-admin user

leofeyer · leofeyer · commit 28a6741ab1f8 · 2018-12-21T10:36:35.000+01:00
diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,13 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.38 (2018-12-XX)
+---------------------------
+
+### Fixed
+Correctly check the permission to move child records as non-admin user.
+
+
 Version 3.5.37 (2018-12-13)
 ---------------------------
 
diff --git a/system/modules/calendar/dca/tl_calendar_events.php b/system/modules/calendar/dca/tl_calendar_events.php
@@ -560,7 +560,7 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				if (!in_array($id, $root))
+				if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)
 				{
 					$this->log('Not enough permissions to access calendar ID "'.$id.'"', __METHOD__, TL_ERROR);
 					$this->redirect('contao/main.php?act=error');
diff --git a/system/modules/core/dca/tl_form_field.php b/system/modules/core/dca/tl_form_field.php
@@ -467,7 +467,7 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				if (!in_array($id, $root))
+				if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)
 				{
 					$this->log('Not enough permissions to access form ID "'.$id.'"', __METHOD__, TL_ERROR);
 					$this->redirect('contao/main.php?act=error');
diff --git a/system/modules/news/dca/tl_news.php b/system/modules/news/dca/tl_news.php
@@ -508,7 +508,7 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				if (!in_array($id, $root))
+				if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)
 				{
 					$this->log('Not enough permissions to access news archive ID "'.$id.'"', __METHOD__, TL_ERROR);
 					$this->redirect('contao/main.php?act=error');
diff --git a/system/modules/newsletter/dca/tl_newsletter.php b/system/modules/newsletter/dca/tl_newsletter.php
@@ -310,7 +310,7 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				if (!in_array($id, $root))
+				if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)
 				{
 					$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);
 					$this->redirect('contao/main.php?act=error');
diff --git a/system/modules/newsletter/dca/tl_newsletter_recipients.php b/system/modules/newsletter/dca/tl_newsletter_recipients.php
@@ -246,7 +246,7 @@ public function checkPermission()
 		{
 			case 'paste':
 			case 'select':
-				if (!in_array($id, $root))
+				if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)
 				{
 					$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);
 					$this->redirect('contao/main.php?act=error');

Original file line number	Diff line number	Diff line change
`@@ -560,7 +560,7 @@ public function checkPermission()`
`560`	`560`	`{`
`561`	`561`	`case 'paste':`
`562`	`562`	`case 'select':`
`563`		`- if (!in_array($id, $root))`
	`563`	`+ if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)`
`564`	`564`	`{`
`565`	`565`	`$this->log('Not enough permissions to access calendar ID "'.$id.'"', __METHOD__, TL_ERROR);`
`566`	`566`	`$this->redirect('contao/main.php?act=error');`
Original file line number	Diff line number	Diff line change
`@@ -467,7 +467,7 @@ public function checkPermission()`
`467`	`467`	`{`
`468`	`468`	`case 'paste':`
`469`	`469`	`case 'select':`
`470`		`- if (!in_array($id, $root))`
	`470`	`+ if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)`
`471`	`471`	`{`
`472`	`472`	`$this->log('Not enough permissions to access form ID "'.$id.'"', __METHOD__, TL_ERROR);`
`473`	`473`	`$this->redirect('contao/main.php?act=error');`
Original file line number	Diff line number	Diff line change
`@@ -508,7 +508,7 @@ public function checkPermission()`
`508`	`508`	`{`
`509`	`509`	`case 'paste':`
`510`	`510`	`case 'select':`
`511`		`- if (!in_array($id, $root))`
	`511`	`+ if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)`
`512`	`512`	`{`
`513`	`513`	`$this->log('Not enough permissions to access news archive ID "'.$id.'"', __METHOD__, TL_ERROR);`
`514`	`514`	`$this->redirect('contao/main.php?act=error');`
Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ public function checkPermission()`
`310`	`310`	`{`
`311`	`311`	`case 'paste':`
`312`	`312`	`case 'select':`
`313`		`- if (!in_array($id, $root))`
	`313`	`+ if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)`
`314`	`314`	`{`
`315`	`315`	`$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);`
`316`	`316`	`$this->redirect('contao/main.php?act=error');`
Original file line number	Diff line number	Diff line change
`@@ -246,7 +246,7 @@ public function checkPermission()`
`246`	`246`	`{`
`247`	`247`	`case 'paste':`
`248`	`248`	`case 'select':`
`249`		`- if (!in_array($id, $root))`
	`249`	`+ if (!in_array(CURRENT_ID, $root)) // check CURRENT_ID here (see #247)`
`250`	`250`	`{`
`251`	`251`	`$this->log('Not enough permissions to access newsletter channel ID "'.$id.'"', __METHOD__, TL_ERROR);`
`252`	`252`	`$this->redirect('contao/main.php?act=error');`