From 160def0e8e429ebf6d0d483d3e8e8df59f279919 Mon Sep 17 00:00:00 2001 From: Guido Schmechel Date: Mon, 16 Mar 2026 20:34:03 +0100 Subject: [PATCH 1/2] [SECURITY] Ensure only allowed users can view redirects --- Classes/Form/Element/RedirectElement.php | 3 + .../RedirectAccessDisplayCondition.php | 27 ++++++++ Configuration/TCA/Overrides/pages.php | 2 + Resources/Private/Templates/Backend/List.html | 62 +++++++++++++------ composer.json | 2 +- ext_emconf.php | 2 +- 6 files changed, 78 insertions(+), 20 deletions(-) create mode 100644 Classes/UserFunctions/RedirectAccessDisplayCondition.php diff --git a/Classes/Form/Element/RedirectElement.php b/Classes/Form/Element/RedirectElement.php index 1684339..c73c4f8 100644 --- a/Classes/Form/Element/RedirectElement.php +++ b/Classes/Form/Element/RedirectElement.php @@ -5,6 +5,7 @@ namespace Ayacoo\RedirectTab\Form\Element; use Ayacoo\RedirectTab\Service\RedirectDemandService; +use Ayacoo\RedirectTab\UserFunctions\RedirectAccessDisplayCondition; use Psr\Http\Message\UriInterface; use TYPO3\CMS\Backend\Form\Element\AbstractFormElement; use TYPO3\CMS\Backend\Routing\UriBuilder; @@ -30,7 +31,9 @@ public function render(): array $this->prepareView(); + $redirectAccess = GeneralUtility::makeInstance(RedirectAccessDisplayCondition::class); $this->view->assignMultiple([ + 'canEditRedirects' => $redirectAccess->canEditRedirects(), 'redirects' => $redirectDemandService->getRedirects((int)$currentPage), 'demand' => $redirectDemandService->getDemand(), 'pagination' => $redirectDemandService->preparePagination($redirectDemandService->getDemand()), diff --git a/Classes/UserFunctions/RedirectAccessDisplayCondition.php b/Classes/UserFunctions/RedirectAccessDisplayCondition.php new file mode 100644 index 0000000..c8a3f30 --- /dev/null +++ b/Classes/UserFunctions/RedirectAccessDisplayCondition.php 
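Review bot: In the `render()` hunk the redirect list is still fetched and assigned regardless of whether the user may read `sys_redirect`; only the edit flag is computed here, and the read check lives solely in the TCA `displayCond` added in `Configuration/TCA/Overrides/pages.php`. If that condition is overridden by another TCA override, or the element is reused under a different field configuration, `getRedirects()` would presumably still run for a user without `tables_select`. Since `$redirectAccess` is already instantiated, the element could enforce the rule itself with an early guard before the demand service is queried, for example `if (!$redirectAccess->canListRedirects()) { return $this->initializeResultArray(); }` or whatever empty result the method already builds. `render()` starts and ends outside the hunk, so the exact position of the guard relative to the creation of `$redirectDemandService` has to be checked against the full method.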
@@ -0,0 +1,27 @@ +getBackendUser()->isAdmin() || $this->getBackendUser()->check('tables_select', self::TABLE_NAME); + } + + public function canEditRedirects(): bool + { + return $this->getBackendUser()->isAdmin() || $this->getBackendUser()->check('tables_modify', self::TABLE_NAME); + } + + protected function getBackendUser(): BackendUserAuthentication + { + return $GLOBALS['BE_USER']; + } +} diff --git a/Configuration/TCA/Overrides/pages.php b/Configuration/TCA/Overrides/pages.php index fc8d880..bb7e0d9 100644 --- a/Configuration/TCA/Overrides/pages.php +++ b/Configuration/TCA/Overrides/pages.php @@ -1,5 +1,6 @@ [ 'AND' => [ 'REC:NEW:false', + 'USER:' . RedirectAccessDisplayCondition::class . '->canListRedirects', ], ], 'exclude' => true, diff --git a/Resources/Private/Templates/Backend/List.html b/Resources/Private/Templates/Backend/List.html index 865c147..10ed067 100644 --- a/Resources/Private/Templates/Backend/List.html +++ b/Resources/Private/Templates/Backend/List.html @@ -64,26 +64,48 @@ - + - + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + - - - - - - @@ -96,9 +118,13 @@
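Review bot: `getBackendUser()` returns `$GLOBALS['BE_USER']` unchecked, so when no backend user is set the declared return type raises a `TypeError` instead of the condition evaluating to "denied". For an access check it is safer to fail closed explicitly, e.g. `$user = $GLOBALS['BE_USER'] ?? null;` followed by `return $user instanceof BackendUserAuthentication && ($user->isAdmin() || $user->check('tables_select', self::TABLE_NAME));`, with the same shape in `canEditRedirects()` for `tables_modify`. The class would also benefit from a short docblock stating that both methods test table-level permissions on `sys_redirect` only and that admins bypass them, so nobody reads them as a per-page or per-record check. The top of the new file (namespace, imports, class header and the `canListRedirects()` signature) is missing from the text of this page, so this is based on the method bodies that are visible.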

- - - + + + + + + +
diff --git a/composer.json b/composer.json index aba47ff..24b27ef 100644 --- a/composer.json +++ b/composer.json @@ -1,7 +1,7 @@ { "name": "ayacoo/redirect-tab", "type": "typo3-cms-extension", - "version": "4.0.4", + "version": "4.0.5", "description": "Show TYPO3 redirects in the page properties", "authors": [ { diff --git a/ext_emconf.php b/ext_emconf.php index b79face..0a82937 100644 --- a/ext_emconf.php +++ b/ext_emconf.php @@ -8,7 +8,7 @@ 'author_email' => 'info@ayacoo.de', 'state' => 'stable', 'clearCacheOnLoad' => 0, - 'version' => '4.0.4', + 'version' => '4.0.5', 'constraints' => [ 'depends' => [ 'typo3' => '13.4.24-13.4.99', From 085f4cbf9848241510b5032d1b330889f6de6596 Mon Sep 17 00:00:00 2001 From: Guido Schmechel Date: Mon, 16 Mar 2026 20:38:43 +0100 Subject: [PATCH 2/2] [SECURITY] Ensure only allowed users can view redirects --- Classes/UserFunctions/RedirectAccessDisplayCondition.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Classes/UserFunctions/RedirectAccessDisplayCondition.php b/Classes/UserFunctions/RedirectAccessDisplayCondition.php index c8a3f30..0e383b2 100644 --- a/Classes/UserFunctions/RedirectAccessDisplayCondition.php +++ b/Classes/UserFunctions/RedirectAccessDisplayCondition.php @@ -8,7 +8,7 @@ class RedirectAccessDisplayCondition { - private const string TABLE_NAME = 'sys_redirect'; + private const TABLE_NAME = 'sys_redirect'; public function canListRedirects(): bool {