Bad Permission Checks #376
Assignees
Labels
Comments
|
FWIW, because we can have nested containers...the $container variable at the top of the file is the 'current' container when the Default template is pulling in/including (line 55) a copy of itself. |
|
This may have been alleviated somewhat by a recent push with a cleanup of the container templates |
|
should no longer be an issue. |
|
Lighthouse URL: https://exponentcms.lighthouseapp.com/projects/61783/tickets/319 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have a user who is a member and admin of a group called editors. On a page I have a container that has a text module in it. The Group has full permissions to the text module and no permissions to the container.
Referring to file: https://github.com/exponentcms/exponent-cms/blob/master/framework/modules-1/containermodule/views/Default.tpl
The permission check fails on a opening div but later passes on the matching closing div. This cause an extra closing div that wreaks havoc on a layout.
First of all the permission checks are do not match. Line 18 does not match the the check on Line 100
Line 18:
@@@
{if ($permissions.administrate == 1 || $permissions.edit_module == 1 || $permissions.delete_module == 1 || $permissions.add_module == 1 || $container->permissions.administrate == 1 || $container->permissions.edit_module == 1 || $container->permissions.delete_module == 1)}
@@@
Line 100:
@@@
{if ($permissions.administrate == 1 || $permissions.edit_module == 1 || $permissions.delete_module == 1 || $permissions.add_module == 1 || $container->permissions.administrate == 1 || $container->permissions.edit_module == 1 || $container->permissions.delete_module == 1 || $container->permissions.configure || $container->permissions.configure == 1)}
@@@
Line 70 and 87 are opening/closing tag pairs.
However Line 58 is just {permissions} while Line 85 includes a level. As well, the {if} on Line 59 does not match the {if} on Line 86.
These opening and closing must match, but there is a larger issue as well.
The initial check on Line 18 is looking for $container->permission.bla-bla-bla. However $container is not set until the {foreach} loop on line 52. Its closing tag on line 100 also checks for $container permissions. But since the var is not set (to the last container in the loop) it might pass when. Thus the extra closing div wreaking havoc.
To fix my layout I added the following at the very top.
@@@
{foreach key=key name=c from=$containers item=container}
{/foreach}
@@@
This should count as a horrible, horrible hack and a better way that checks the permissions of the specific container explicitly rather than whatever was the last container in the foreach.
The text was updated successfully, but these errors were encountered: