try to solve remaining acl problems - initial commit

joomla · Jun 19, 2016 · a9f8c2d · a9f8c2d
1 parent b982eec
commit a9f8c2d
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 35 deletions.
diff --git a/administrator/components/com_config/model/application.php b/administrator/components/com_config/model/application.php
@@ -577,6 +577,23 @@ public function storePermissions($permission = null)
 
 			$assetId = (int) $this->db->loadResult();
 
+			// Fetch the component asset id.
+			$componentAssetId = null;
+
+			// Global config or component config.
+			if (!empty($permission['component']) && $permission['component'] !== 'root.1' && strpos($permission['component'], '.') !== false)
+			{
+				$assetNameParts = explode('.', $permission['component']);
+
+				// In this case we need to get the component rules too.
+				$query = $this->db->getQuery(true)
+					->select($this->db->quoteName('id'))
+					->from($this->db->quoteName('#__assets'))
+					->where($this->db->quoteName('name') . ' = ' . $this->db->quote($assetNameParts[0]));
+				$this->db->setQuery($query);
+				$componentAssetId = (int) $this->db->loadResult();
+			}
+
 			// Get the group parent id of the current group.
 			$query = $this->db->getQuery(true)
 					->select($this->db->quoteName('parent_id'))
@@ -611,12 +628,13 @@ public function storePermissions($permission = null)
 		$isSuperUserGroupAfter = JAccess::checkGroup($permission['rule'], 'core.admin');
 
 		// Get the rule for just this asset (non-recursive) and get the actual setting for the action for this group.
-		$assetRule = JAccess::getAssetRules($assetId)->allow($permission['action'], $permission['rule']);
+		$assetRule = JAccess::getAssetRules($assetId, false, false)->allow($permission['action'], $permission['rule']);
 
 		// Get the group, group parent id, and group global config recursive calculated permission for the chosen action.
-		$inheritedGroupRule       = JAccess::checkGroup($permission['rule'], $permission['action'], $assetId);
-		$inheritedGroupGlobalRule = JAccess::checkGroup($permission['rule'], $permission['action']);
-		$inheritedParentGroupRule = JAccess::checkGroup($parentGroupId, $permission['action'], $assetId);
+		$inheritedGroupRule          = JAccess::checkGroup($permission['rule'], $permission['action'], $assetId);
+		$inheritedGroupComponentRule = $componentAssetId !== null ? JAccess::checkGroup($permission['rule'], $permission['action'], $componentAssetId) : null;
+		$inheritedGroupGlobalRule    = JAccess::checkGroup($permission['rule'], $permission['action']);
+		$inheritedParentGroupRule    = JAccess::checkGroup($parentGroupId, $permission['action'], $assetId);
 
 		// Current group is a Super User group, so calculated setting is "Allowed (Super User)".
 		if ($isSuperUserGroupAfter)
@@ -668,12 +686,18 @@ public function storePermissions($permission = null)
 				$result['class'] = 'label label-important';
 				$result['text']  = JText::_('JLIB_RULES_NOT_ALLOWED_DEFAULT');
 			}
-			// Component/item root level with explicit "Denied" permission at Global configuration. Calculated permission is "Not Allowed (Locked)".
+			// Component root level with explicit "Denied" permission at Global configuration. Calculated permission is "Not Allowed (Locked)".
 			elseif (empty($parentGroupId) && $isGlobalConfig === false && $inheritedParentGroupRule === null && $inheritedGroupGlobalRule === false)
 			{
 				$result['class'] = 'label label-important';
 				$result['text']  = '<span class="icon-lock icon-white"></span>' . JText::_('JLIB_RULES_NOT_ALLOWED_LOCKED');
 			}
+			// Item root level with explicit "Denied" permission at Global configuration or Component. Calculated permission is "Not Allowed (Locked)".
+			elseif (empty($group->parent_id) && $isGlobalConfig === false && $inheritedParentGroupRule === null && $inheritedGroupComponentRule === false)
+			{
+				$result['class'] = 'label label-important';
+				$result['text']  = '<span class="icon-lock icon-white"></span>' . JText::_('JLIB_RULES_NOT_ALLOWED_LOCKED');
+			}
 			// Some parent group has an explicit "Denied". Calculated permission is "Not Allowed (Locked)".
 			elseif ($inheritedParentGroupRule === false)
 			{

diff --git a/libraries/joomla/access/access.php b/libraries/joomla/access/access.php
@@ -562,12 +562,13 @@ protected static function getGroupPath($groupId)
 	 *
 	 * @param   mixed    $asset      Integer asset id or the name of the asset as a string.
 	 * @param   boolean  $recursive  True to return the rules object with inherited rules.
+	 * @param   boolean  $component  True to calculate the rule also based on component rules.
 	 *
 	 * @return  JAccessRules   JAccessRules object for the asset.
 	 *
 	 * @since   11.1
 	 */
-	public static function getAssetRules($asset, $recursive = false)
+	public static function getAssetRules($asset, $recursive = false, $component = true)
 	{
 		// Get instance of the Profiler:
 		$_PROFILER = JProfiler::getInstance('Application');
@@ -635,7 +636,7 @@ public static function getAssetRules($asset, $recursive = false)
 				->from('#__assets AS a');
 
 			$extensionString = '';
-			if ($extensionName !== $asset || is_numeric($asset))
+			if ($component && ($extensionName !== $asset || is_numeric($asset)))
 			{
 				$extensionString = ' OR a.name = ' . $db->quote($extensionName);
 			}
@@ -681,6 +682,7 @@ public static function getAssetRules($asset, $recursive = false)
 				$result = $db->loadResult();
 				$result = array($result);
 			}
+
 			// Instantiate and return the JAccessRules object for the asset rules.
 			$rules = new JAccessRules;
 			$rules->mergeCollection($result);

diff --git a/libraries/joomla/form/fields/rules.php b/libraries/joomla/form/fields/rules.php
@@ -172,29 +172,54 @@ protected function getInput()
 			}
 		}
 
-		// Get the explicit rules for this asset.
-		if ($section == 'component')
+		// Get the asset id.
+		// Note that for global configuration, com_config injects asset_id = 1 into the form.
+		$assetId          = $this->form->getValue($assetField);
+		$newItem          = false;
+		$componentAssetId = null;
+
+		// Fetch the asset name.
+
+		// Global config or component config.
+		if (empty($component) || $component === 'root.1' || $section === 'component')
+		{
+			$assetName = $component;
+		}
+		// Creating a ACL item, fallback to component ACL.
+		elseif (empty($assetId))
 		{
-			// Need to find the asset id by the name of the component.
+			$assetName = $component;
+
+			// Get the component asset id as fallback.
 			$db = JFactory::getDbo();
 			$query = $db->getQuery(true)
 				->select($db->quoteName('id'))
 				->from($db->quoteName('#__assets'))
-				->where($db->quoteName('name') . ' = ' . $db->quote($component));
+				->where($db->quoteName('name') . ' = ' . $db->quote($assetName));
 			$db->setQuery($query);
 			$assetId = (int) $db->loadResult();
+
+			$newItem = true;
 		}
+		// Editing a ACL item, use the item ACL.
 		else
 		{
-			// Find the asset id of the content.
-			// Note that for global configuration, com_config injects asset_id = 1 into the form.
-			$assetId = $this->form->getValue($assetField);
+			$assetName = $component . '.' . $section . '.' . $assetId;
+
+			// In this case we need to get the component rules too.
+			$db = JFactory::getDbo();
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__assets'))
+				->where($db->quoteName('name') . ' = ' . $db->quote($component));
+			$db->setQuery($query);
+			$componentAssetId = (int) $db->loadResult();
 		}
 
 		// Full width format.
 
 		// Get the rules for just this asset (non-recursive).
-		$assetRules = JAccess::getAssetRules($assetId);
+		$assetRules = JAccess::getAssetRules($assetId, false, false);
 
 		// Get the available user groups.
 		$groups = $this->getUserGroups();
@@ -297,14 +322,20 @@ protected function getInput()
 				// Get the actual setting for the action for this group.
 				$assetRule = $assetRules->allow($action->name, $group->value);
 
+				// Get the group, group parent id, and group global config recursive calculated permission for the chosen action.
+				$inheritedGroupRule          = JAccess::checkGroup((int) $group->value, $action->name, $assetId);
+				$inheritedGroupComponentRule = $componentAssetId !== null ? JAccess::checkGroup((int) $group->value, $action->name, $componentAssetId) : null;
+				$inheritedGroupGlobalRule    = JAccess::checkGroup((int) $group->value, $action->name);
+				$inheritedParentGroupRule    = JAccess::checkGroup((int) $group->parent_id, $action->name, $assetId);
+
 				// Build the dropdowns for the permissions sliders
 
 				// The parent group has "Not Set", all children can rightly "Inherit" from that.
-				$html[] = '<option value=""' . ($assetRule === null ? ' selected="selected"' : '') . '>'
+				$html[] = '<option value=""' . ($assetRule === null || $newItem ? ' selected="selected"' : '') . '>'
 					. JText::_(empty($group->parent_id) && empty($component) ? 'JLIB_RULES_NOT_SET' : 'JLIB_RULES_INHERITED') . '</option>';
-				$html[] = '<option value="1"' . ($assetRule === true ? ' selected="selected"' : '') . '>' . JText::_('JLIB_RULES_ALLOWED')
+				$html[] = '<option value="1"' . ($assetRule === true && !$newItem ? ' selected="selected"' : '') . '>' . JText::_('JLIB_RULES_ALLOWED')
 					. '</option>';
-				$html[] = '<option value="0"' . ($assetRule === false ? ' selected="selected"' : '') . '>' . JText::_('JLIB_RULES_DENIED')
+				$html[] = '<option value="0"' . ($assetRule === false && !$newItem ? ' selected="selected"' : '') . '>' . JText::_('JLIB_RULES_DENIED')
 					. '</option>';
 
 				$html[] = '</select>&#160; ';
@@ -317,11 +348,6 @@ protected function getInput()
 
 				$result = array();
 
-				// Get the group, group parent id, and group global config recursive calculated permission for the chosen action.
-				$inheritedGroupRule       = JAccess::checkGroup((int) $group->value, $action->name, $assetId);
-				$inheritedGroupGlobalRule = JAccess::checkGroup((int) $group->value, $action->name);
-				$inheritedParentGroupRule = JAccess::checkGroup((int) $group->parent_id, $action->name, $assetId);
-
 				// Current group is a Super User group, so calculated setting is "Allowed (Super User)".
 				if ($isSuperUserGroup)
 				{
@@ -346,19 +372,22 @@ protected function getInput()
 						$result['text']  = JText::_('JLIB_RULES_ALLOWED_INHERITED');
 					}
 
-					// Second part: Overwrite the calculated permissions labels if there is an explicity permission in the current group.
+					// Second part: Overwrite the calculated permissions labels if there is an explicit permission in the current group.
 
-					// If there is an explicity permission "Not Allowed". Calculated permission is "Not Allowed".
-					if ($assetRule === false)
+					// If there is an explicit permission "Not Allowed". Calculated permission is "Not Allowed".
+					if (!$newItem)
 					{
-						$result['class'] = 'label label-important';
-						$result['text']  = JText::_('JLIB_RULES_NOT_ALLOWED');
-					}
-					// If there is an explicity permission is "Allowed". Calculated permission is "Allowed".
-					elseif ($assetRule === true)
-					{
-						$result['class'] = 'label label-success';
-						$result['text']  = JText::_('JLIB_RULES_ALLOWED');
+						if ($assetRule === false)
+						{
+							$result['class'] = 'label label-important';
+							$result['text']  = JText::_('JLIB_RULES_NOT_ALLOWED');
+						}
+						// If there is an explicit permission is "Allowed". Calculated permission is "Allowed".
+						elseif ($assetRule === true)
+						{
+							$result['class'] = 'label label-success';
+							$result['text']  = JText::_('JLIB_RULES_ALLOWED');
+						}
 					}
 
 					// Third part: Overwrite the calculated permissions labels for special cases.
@@ -372,12 +401,18 @@ protected function getInput()
 						$result['class'] = 'label label-important';
 						$result['text']  = JText::_('JLIB_RULES_NOT_ALLOWED_DEFAULT');
 					}
-					// Component/item root level with explicit "Denied" permission at Global configuration. Calculated permission is "Not Allowed (Locked)".
+					// Component root level with explicit "Denied" permission at Global configuration. Calculated permission is "Not Allowed (Locked)".
 					elseif (empty($group->parent_id) && $isGlobalConfig === false && $inheritedParentGroupRule === null && $inheritedGroupGlobalRule === false)
 					{
 						$result['class'] = 'label label-important';
 						$result['text']  = '<span class="icon-lock icon-white"></span>' . JText::_('JLIB_RULES_NOT_ALLOWED_LOCKED');
 					}
+					// Item root level with explicit "Denied" permission at Global configuration or Component. Calculated permission is "Not Allowed (Locked)".
+					elseif (empty($group->parent_id) && $isGlobalConfig === false && $inheritedParentGroupRule === null && ($inheritedGroupComponentRule === false || ($newItem && $assetRule === false)))
+					{
+						$result['class'] = 'label label-important';
+						$result['text']  = '<span class="icon-lock icon-white"></span>' . JText::_('JLIB_RULES_NOT_ALLOWED_LOCKED');
+					}
 					// Some parent group has an explicit "Denied". Calculated permission is "Not Allowed (Locked)".
 					elseif ($inheritedParentGroupRule === false)
 					{