fixed edit permission chk and added ACL chks in btns

components/com_content/content.php

@@ -16,9 +16,21 @@
 $input = JFactory::getApplication()->input;
 $user  = JFactory::getUser();
 
-if ($input->get('view') === 'articles' && $input->get('layout') === 'modal')
+$checkCreateEdit = ($input->get('view') === 'articles' && $input->get('layout') === 'modal')
+	|| ($input->get('view') === 'article' && $input->get('layout') === 'pagebreak');
+
+if ($checkCreateEdit)
 {
-	if (!$user->authorise('core.create', 'com_content') && count($user->getAuthorisedCategories('com_content', 'core.create')) == 0 )
+	// Can create in any category (component permission) or at least in one category
+	$canCreateRecords = $user->authorise('core.create', 'com_content')
+	 || count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+	// Instead of checking edit on all records, we can use **same** check as the form editing view
+	$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+	$isEditingRecords = count($values);
+
+	$hasAccess = $canCreateRecords || $isEditingRecords;
+	if (!$hasAccess)
 	{
 		JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
 

plugins/editors-xtd/article/article.php

@@ -35,6 +35,26 @@ class PlgButtonArticle extends JPlugin
 	 */
 	public function onDisplay($name)
 	{
+		$input = JFactory::getApplication()->input;
+		$user  = JFactory::getUser();
+
+		// Can create in any category (component permission) or at least in one category
+		$canCreateRecords = $user->authorise('core.create', 'com_content')
+			|| count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+		// Instead of checking edit on all records, we can use **same** check as the form editing view
+		$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+		$isEditingRecords = count($values);
+
+		// This ACL check is probably a double-check (form view already performed checks)
+		$hasAccess = $canCreateRecords || $isEditingRecords;
+		if (!$hasAccess)
+		{
+			JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
+
+			return;
+		}
+
 		$link = 'index.php?option=com_content&view=articles&layout=modal&tmpl=component&'
 			. JSession::getFormToken() . '=1&editor=' . $name;
 

plugins/editors-xtd/pagebreak/pagebreak.php

@@ -35,6 +35,26 @@ class PlgButtonPagebreak extends JPlugin
 	 */
 	public function onDisplay($name)
 	{
+		$input = JFactory::getApplication()->input;
+		$user  = JFactory::getUser();
+
+		// Can create in any category (component permission) or at least in one category
+		$canCreateRecords = $user->authorise('core.create', 'com_content')
+			|| count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+		// Instead of checking edit on all records, we can use **same** check as the form editing view
+		$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+		$isEditingRecords = count($values);
+
+		// This ACL check is probably a double-check (form view already performed checks)
+		$hasAccess = $canCreateRecords || $isEditingRecords;
+		if (!$hasAccess)
+		{
+			JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
+
+			return;
+		}
+
 		JFactory::getDocument()->addScriptOptions('xtd-pagebreak', array('editor' => $name));
 		$link = 'index.php?option=com_content&view=article&layout=pagebreak&tmpl=component&e_name=' . $name;