[SECURITY] Prevent unauthorized record move via DataHandler

With #106220, the DataHandler `moveRecord()` function has
been refactored and access checks have been simplified. One
access check has however been forgotten during the process
leading to unauthorized movement of records.

With this change, the missing check in DataHandler
`moveRecord()` function has been re-added, so it is now
checked again, if a user has edit permissions on the source
page when moving a record to another page.

Resolves: #108758
Related: #106220
Releases: main, 14.3, 13.4
Change-Id: I95a061ab68111b879c34d51bfbe76cfdf5a64be7
Security-Bulletin: TYPO3-CORE-SA-2026-012
Security-References: CVE-2026-47350
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94413
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: derhansen

typo3/sysext/core/Classes/DataHandling/DataHandler.php

@@ -4489,6 +4489,11 @@ public function moveRecord(string $table, int $uid, int $destination): void
             }
         } else {
             if ($isMovingToDifferentPid) {
+                if (!$this->hasPermissionToUpdate($table, $sourcePageRecord)) {
+                    // When record is moved to different target, update permissions on source page are needed
+                    $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to update the source page (uid={sourcePid})', null, ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid'], 'sourcePid' => $sourcePid], $sourcePid);
+                    return;
+                }
                 if (!$this->hasPermissionToInsert($table, $updateFields['pid'], $targetPageRecord)) {
                     // When record is moved to different page, insert permissions on target are needed
                     $this->log($table, $sourceUid, SystemLogDatabaseAction::MOVE, null, SystemLogErrorClassification::USER_ERROR, 'Attempt to move record {table}:{uid} to pid "{targetPid}" without having permissions to insert', null, ['table' => $table, 'uid' => $sourceUid, 'targetPid' => $updateFields['pid']], $updateFields['pid']);

typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/DataSet/MoveRecord.csv

@@ -0,0 +1,17 @@
+"pages"
+,"uid","pid","sorting","title","deleted","perms_everybody"
+,1,0,128,"Root 1",0,31
+,2,1,128,"Page 1",0,31
+,3,1,128,"Page 2",0,31
+,4,0,128,"Root 2",0,31
+,5,4,128,"Page 1",0,31
+tt_content,,,,,,,,
+,uid,pid,header,sys_language_uid,l18n_parent,assets,CType
+,1,2,"A Header on page uid 2",0,0,0,"header"
+,2,5,"A Header on page uid 4",0,0,0,"header"
+be_groups,,,,,,,,,
+,uid,pid,title,deleted,db_mountpoints,tables_select,tables_modify,non_exclude_fields,explicit_allowdeny
+,9,0,"editors",0,1,"pages,tt_content","pages,tt_content","pages:title,tt_content:header,tt_content:CType","tt_content:CType:header"
+"be_users",,,,,,,
+,"uid","pid","username","usergroup","deleted","admin","options"
+,9,0,"editor",9,0,0,3

typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/MoveActionTest.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Tests\Functional\DataHandling\DataHandler;
+
+use PHPUnit\Framework\Attributes\Test;
+use TYPO3\CMS\Core\Authentication\BackendUserAuthentication;
+use TYPO3\CMS\Core\DataHandling\DataHandler;
+use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
+
+final class MoveActionTest extends FunctionalTestCase
+{
+    private BackendUserAuthentication $backendUser;
+    private DataHandler $subject;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->importCSVDataSet(__DIR__ . '/DataSet/MoveRecord.csv');
+
+        $this->backendUser = $this->setUpBackendUser(9);
+        $this->backendUser->setWebmounts([1]);
+
+        $this->subject = $this->get(DataHandler::class);
+        $this->subject->start([], []);
+    }
+
+    #[Test]
+    public function moveRecordOfAccessibleRecordIsPermitted(): void
+    {
+        $recordUid = 1;
+        $targetPid = 3;
+        $this->subject->moveRecord('tt_content', $recordUid, $targetPid);
+        self::assertEmpty($this->subject->errorLog);
+    }
+
+    #[Test]
+    public function moveRecordOfNonAccessibleRecordIsDenied(): void
+    {
+        $recordUid = 2;
+        $sourcePid = 5;
+        $targetPid = 2;
+        $this->subject->moveRecord('tt_content', $recordUid, $targetPid);
+        self::assertStringContainsString(
+            sprintf(
+                'Attempt to move record tt_content:%d to pid "%d" without having permissions to update the source page (uid=%d)',
+                $recordUid,
+                $targetPid,
+                $sourcePid,
+            ),
+            $this->subject->errorLog[0]
+        );
+    }
+}