From 6394eced7ac0f2b08a647e9ec6bf08f0589acf84 Mon Sep 17 00:00:00 2001 From: Matt Thomas Date: Thu, 27 Nov 2025 18:20:17 -0500 Subject: [PATCH] Update acl-access.md Adds note about core.edit.own not inherently checking who created the item in question. --- versioned_docs/version-6.0/general-concepts/acl/acl-access.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/versioned_docs/version-6.0/general-concepts/acl/acl-access.md b/versioned_docs/version-6.0/general-concepts/acl/acl-access.md index f42ba681..efe16d37 100644 --- a/versioned_docs/version-6.0/general-concepts/acl/acl-access.md +++ b/versioned_docs/version-6.0/general-concepts/acl/acl-access.md @@ -51,6 +51,8 @@ $levels = $user->getAuthorisedViewLevels(); $canView = in_array($item->access, $levels); ``` +It's important to note that the `core.edit.own` permission does not inherently check if the user created the item. This can be accomplished by combining checking this permission with the item's created_by value, such as with `$user->authorise('core.edit.own', 'com_example.item.' . $this->item->id) && $this->item->created_by == $user->id` + However, note that Super Users should be able to see all items, regardless of the Access Level, so generally there's another check: ```php if ($user->authorise('core.admin')) { @@ -66,4 +68,4 @@ You can find if a user is logged in or not by checking the `guest` property of t if ($user->guest) { throw new \Exception(Text::_('JERROR_ALERTNOAUTHOR'), 403); } -``` \ No newline at end of file +```
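Review bot: In the first hunk (@@ -51,6 +51,8 @@), the new `core.edit.own` paragraph is inserted between the view-level snippet and the "However, note that Super Users should be able to see all items" paragraph, so that "However" now reads as a reply to the edit-own note instead of to the `$canView` check it continues. Consider moving the note below the Super User block, or into its own short subsection. The example expression would also be easier to copy correctly in a php fence like the surrounding examples rather than as one long inline span, with `created_by` in backticks and a closing period on the sentence. Two smaller points on the expression itself: it uses `$this->item` while the context lines just above use `$item`, and `$this->item->created_by == $user->id` is a loose comparison; casting both sides to int and using `===` would make the ownership check explicit about what it compares.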