[SECURITY] Validate permissions on record undelete

eliashaeussler · ohader · commit 9f17a307cf77 · 2026-06-09T10:58:31.000+02:00
When records are undeleted (=restored) using DataHandler, dedicated permission checks must be in place to verify that the current user is allowed to write to the requested table on the requested page. This is already in place for the delete action, but was incomplete for the undelete action. Resolves: #108772 Releases: main, 14.3, 13.4 Change-Id: Ic4200d4aa89cc5a9ceba1135357d9a98281d55f4 Security-Bulletin: TYPO3-CORE-SA-2026-011 Security-References: CVE-2026-47349 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94410 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Classes/DataHandling/DataHandler.php b/typo3/sysext/core/Classes/DataHandling/DataHandler.php
@@ -5930,6 +5930,12 @@ protected function undeleteRecord(string $table, int $uid): void
         $deleteField = $schema->hasCapability(TcaSchemaCapability::SoftDelete) ? $schema->getCapability(TcaSchemaCapability::SoftDelete)->getFieldName() : '';
         $timestampField = $schema->hasCapability(TcaSchemaCapability::UpdatedAt) ? $schema->getCapability(TcaSchemaCapability::UpdatedAt)->getFieldName() : '';
 
+        // Exit if the current user does not have permission to modify the table
+        if (!$this->checkModifyAccessList($table)) {
+            $this->log($table, 0, SystemLogDatabaseAction::DELETE, null, SystemLogErrorClassification::USER_ERROR, 'Cannot restore "{table}:{uid}" without permission', null, ['table' => $table, 'uid' => $uid]);
+            return;
+        }
+
         if ($record === null
             || $deleteField === ''
             || !isset($record[$deleteField])
@@ -5952,7 +5958,7 @@ protected function undeleteRecord(string $table, int $uid): void
         $recordPid = (int)($record['pid'] ?? 0);
         if ($recordPid > 0) {
             // Record is not on root level. Parent page record must exist and must not be deleted itself.
-            $page = BackendUtility::getRecord('pages', $recordPid, 'deleted', '', false);
+            $page = BackendUtility::getRecord('pages', $recordPid, '*', '', false);
             if ($page === null || !isset($page['deleted']) || (bool)$page['deleted'] === true) {
                 $this->log(
                     $table,
@@ -5971,6 +5977,25 @@ protected function undeleteRecord(string $table, int $uid): void
                 );
                 return;
             }
+
+            if (!$this->hasPermissionToInsert($table, $recordPid, $page)) {
+                $this->log(
+                    'pages',
+                    $recordPid,
+                    SystemLogDatabaseAction::DELETE,
+                    null,
+                    SystemLogErrorClassification::USER_ERROR,
+                    'Record "{table}:{uid}" can\'t be restored: Insufficient user permissions to target page {pid}',
+                    null,
+                    [
+                        'table' => $table,
+                        'uid' => $uid,
+                        'pid' => $recordPid,
+                    ],
+                    $recordPid
+                );
+                return;
+            }
         }
 
         // @todo: When restoring a not-default language record, it should be verified the default language
diff --git a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/UndeleteRecordTest.php b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/UndeleteRecordTest.php
@@ -0,0 +1,170 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Tests\Functional\DataHandling\DataHandler;
+
+use PHPUnit\Framework\Attributes\Test;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\DataHandling\DataHandler;
+use TYPO3\CMS\Core\Schema\Capability\TcaSchemaCapability;
+use TYPO3\CMS\Core\Schema\TcaSchemaFactory;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
+use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
+
+final class UndeleteRecordTest extends FunctionalTestCase
+{
+    protected array $coreExtensionsToLoad = ['workspaces'];
+    private BackendUserAuthentication $backendUser;
+    private DataHandler $subject;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->importCSVDataSet(dirname(__DIR__, 2) . '/Fixtures/be_groups.csv');
+        $this->importCSVDataSet(dirname(__DIR__, 2) . '/Fixtures/be_users.csv');
+        $this->importCSVDataSet(dirname(__DIR__, 2) . '/Fixtures/pages.csv');
+
+        $this->backendUser = $this->setUpBackendUser(9);
+        // allow modifying the live workspace
+        $this->backendUser->groupData['workspace_perms'] = 1;
+        $this->backendUser->setWorkspace(0);
+        $this->backendUser->setWebmounts([1]);
+
+        $this->subject = $this->get(DataHandler::class);
+    }
+
+    #[Test]
+    public function undeleteWorksAsAnEditor(): void
+    {
+        $this->subject->start([], []);
+        $this->subject->deleteAction('pages', 10);
+        self::assertTrue($this->databaseRecordExists('pages', 10, true));
+
+        $cmd = [
+            'pages' => [
+                10 => [
+                    'undelete' => 1,
+                ],
+            ],
+        ];
+
+        $this->subject->start([], $cmd);
+        $this->subject->process_cmdmap();
+        self::assertTrue($this->databaseRecordExists('pages', 10, false));
+    }
+
+    #[Test]
+    public function undeleteIsProhibitedIfMissingWritePermissionToParentPageAsAnEditor(): void
+    {
+        $this->subject->start([], []);
+        $this->subject->deleteAction('pages', 10);
+        self::assertTrue($this->databaseRecordExists('pages', 10, true));
+
+        $this->getConnectionPool()
+            ->getConnectionForTable('pages')
+            ->update(
+                'pages',
+                // deny new page creation on page with uid 4 (page 10 has pid 4)
+                ['perms_everybody' => Permission::ALL & ~Permission::PAGE_NEW],
+                ['uid' => 4]
+            );
+
+        $cmd = [
+            'pages' => [
+                10 => [
+                    'undelete' => 1,
+                ],
+            ],
+        ];
+
+        $this->subject->start([], $cmd);
+        $this->subject->process_cmdmap();
+
+        // Page must not have been deleted
+        self::assertTrue($this->databaseRecordExists('pages', 10, true));
+        $this->assertLogEntry('Record "pages:10" can\'t be restored: Insufficient user permissions to target page 4', 'pages', 10);
+    }
+
+    #[Test]
+    public function undeleteIsProhibitedIfMissingTablePermissionsAsAnEditor(): void
+    {
+        $this->subject->start([], []);
+        $this->subject->deleteAction('pages', 10);
+        self::assertTrue($this->databaseRecordExists('pages', 10, true));
+
+        $this->getConnectionPool()
+            ->getConnectionForTable('be_groups')
+            ->update(
+                'be_groups',
+                // deny new page modification
+                ['tables_modify' => 'tt_content'],
+                ['uid' => 9]
+            );
+
+        // Reload backend user after changes to the user group
+        $this->backendUser = $this->setUpBackendUser(9);
+
+        $cmd = [
+            'pages' => [
+                10 => [
+                    'undelete' => 1,
+                ],
+            ],
+        ];
+
+        $this->subject->start([], $cmd);
+        $this->subject->process_cmdmap();
+
+        // Page must not have been deleted
+        self::assertTrue($this->databaseRecordExists('pages', 10, true));
+        $this->assertLogEntry('Attempt to modify table "pages" without permission');
+    }
+
+    private function databaseRecordExists(string $tableName, int $id, ?bool $expectDeleted): bool
+    {
+        $schema = $this->get(TcaSchemaFactory::class)->get($tableName);
+        $softDeleteFieldName = $schema->hasCapability(TcaSchemaCapability::SoftDelete)
+            ? $schema->getCapability(TcaSchemaCapability::SoftDelete)->getFieldName()
+            : null;
+
+        $identifiers = ['uid' => $id];
+        if ($expectDeleted !== null && $softDeleteFieldName !== null) {
+            $identifiers[$softDeleteFieldName] = (int)$expectDeleted;
+        }
+
+        $queryBuilder = $this->getConnectionPool()
+            ->getQueryBuilderForTable($tableName)
+            ->count('uid')
+            ->from($tableName);
+        $queryBuilder->getRestrictions()->removeAll();
+        foreach ($identifiers as $identifier => $value) {
+            $queryBuilder->andWhere($queryBuilder->expr()->eq($identifier, $queryBuilder->createNamedParameter($value)));
+        }
+        return (int)$queryBuilder->executeQuery()->fetchOne() === 1;
+    }
+
+    private function assertLogEntry(string $logTemplate, ?string $tableName = null, ?int $id = null): void
+    {
+        $text = sprintf($logTemplate, (string)$tableName, $id !== null ? (string)$id : '');
+        $matches = array_filter(
+            $this->subject->errorLog,
+            static fn(string $entry): bool => str_ends_with($entry, $text)
+        );
+        self::assertNotSame([], $matches, 'Unable to find log entry: ' . $text);
+    }
+}
