Making the TYPO3 Constant Editor available to Backend Users of the "Advanced Editors" Group

1
votes

I have installed the TYPO3 "Bootstrap Package" which is a wrapper for, well, the Bootstrap 4 toolkit. In the TYPO3 10 CMS backend, key Bootstrap constants (e.g. font name, font sizes, many CSS classes and properties) are now configurable via set of handy pulldown menus and selection boxes - but only for "admins".

I have some "editors" who know how to edit pages, but they do not know CSS. They are overwhelmed with the fully populated sidebar that a TYPO3 "admin" backend user sees. They should also be able to change the font name etc, and tweak the design.

Now I would like to make only the TYPO3 Constant Editor available to Backend Users. Specifically, only to users of the "Advanced Editors" Group, and only the "Constant Editor" Menu Item, not the "Info/Modify" menu item.

I cannot give "Advanced Editors" such fine-grained permissions with the "Backend user groups" configuration menu.

I have found a really old forum post from 2006 where a user asked a very similar question.

The answer was to use a TYPO3 extension. And this extension which is also named "Constant editor" can still be downloaded from the TER, but it is deprecated. I did not try it because TER adises me to not install it.

Is there a similar extension somewhere, or a clever TSConfig hack?

2
permissionstypo3typo3-10.x

2 Answers

1
votes

TLDR:
Except a complete rework of right management for typoscript constants all other solutions will open security holes.

As you already noticed: the constant editor is accessible for admins only. But admins can access everything, and that is not desirable, even for "Avanced Editors".
the extension you mentioned probably intereferred with core code and xclassed the functions for accessing constant editor modyfying the access check from admin to configured group rights.
But it probably could not restrict the access to constants from specific extensions / or files. So your editors with special constant editor access might be able to access other constants than design constants from bootstrap. This might be a security hole and would need further rights management, which would be more than the extension can provide.

Also the other way of granting access, making these editors admin, but restricting all other additional rights by removing access to other BE module would be a security hole, as you also would need to restrict fields you have no option to remove access for admins.

0
votes

The backend-module "Template" (typo3/cms-tstemplate) does allow that.

If these "Advanced Editors" should only access the "Constants editor" of the module, you can hide the other functions via menu.function (Documentation) in the TSconfig of the group.