Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User with edit_own permission should be able to load Versions for the item concerned #10836

Merged
merged 7 commits into from
Jul 16, 2016
Merged

User with edit_own permission should be able to load Versions for the item concerned #10836

merged 7 commits into from
Jul 16, 2016

Conversation

infograf768
Copy link
Member

@infograf768 infograf768 commented Jun 16, 2016
edited by brianteeman

Pull Request for Issue #10813

Testing Instructions

create a group "authors team" with parent "registered".
administrator interface access allowed:

following permissions for articles:
Configure ACL & Options - Not Allowed.
Configure Options Only - Not Allowed.
Access Administration Interface - Allowed
Create - Allowed
Delete - Not Allowed.
Edit - Not Allowed.
Edit State - Allowed
Edit Own - Allowed

Logging in as a member of "authors team"
Go to articles manager and open an existing article
Create a new article and save
Open the same article.

Before patch, the user has no access to the Versions button and permission is not granted in the com_contenthistory models.

Patch and test on banner, banner client, contact, article, newsfeed

@infograf768 infograf768 mentioned this pull request Jun 16, 2016
Closed
zero-24
zero-24 reviewed Jun 16, 2016
View reviewed changes
administrator/components/com_contenthistory/models/preview.php
$result->save_date = $table->save_date;
$result->version_note = $table->version_note;
$result->data = ContenthistoryHelper::prepareData($table);
if ($return = true)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is This correct? I gues you mean == or === true?

@brianteeman
Copy link
Contributor

After applying the patch I can load the versions BUT when I restore a version I am only able to Saveascopy is that correct?
screen shot 2016-06-16 at 08 34 59

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@infograf768
Copy link
Member Author

@zero-24
= chnaged to ==

@infograf768
Copy link
Member Author

After applying the patch I can load the versions BUT when I restore a version I am only able to Saveascopy is that correct?

Hmm, nope. We need something more here.

@brianteeman
Copy link
Contributor

I have tested this item 🔴 unsuccessfully on 4b41620

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@infograf768
Copy link
Member Author

@brianteeman
It looks lile I do not get the same results. It works here.
It breaks (ir rather does not show the Save button) if the user tries to restore a version which has been made by another user, i.e I am user jms and I try to restore a version made by Super User (see below).
Can you test again?
screen shot 2016-06-16 at 16 45 21

@brianteeman
Copy link
Contributor

Ah that could be true - testing now

On 16 June 2016 at 15:46, infograf768 notifications@github.com wrote:

@brianteeman https://github.com/brianteeman
It looks lile I do not get the same results. It works here.
It breaks (ir rather does not show the Save button) if the user tries to
restore a version which has been made by another user, i.e I am user jms
and I try to restore a version made by Super User (see below).
Can you test again?
[image: screen shot 2016-06-16 at 16 45 21]
https://cloud.githubusercontent.com/assets/869724/16121004/ccb19a1c-33e1-11e6-81a1-da5a2c2d81b5.png


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#10836 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ABPH8bhe7hlb1bbGuPDrR9IPprbA9oSzks5qMWHcgaJpZM4I3Xy0
.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

@infograf768
Copy link
Member Author

We anyway have a bug here, as any new version gets its author from the last user who modified it... not from the creator of the original version

@brianteeman
Copy link
Contributor

Changed my test to success as the issue I found was when restoring a version from a different author so was the correct behaviour

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@joomla-cms-bot
Copy link

This PR has received new commits.

CC: @brianteeman

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@ggppdk
Copy link
Contributor

ggppdk commented Jun 16, 2016
edited

@infograf768
3 comments

the "canDo" is calculated by:
JHelperContent::getActions()

which does not include check "owner check":

$user       = JFactory::getUser();
$userId     = $user->id;
...
 && $this->item->created_by == $userId

we need to add it along with the ACL check like this:

if ($canDo->get('core.edit') || ($canDo->get('core.edit.own') && $this->item->created_by == $userId))

example of existing code:
https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/views/article/view.html.php#L108

Also records that have an "owner" / creator
are:

  • category
  • article
  • contact
  • tag

Thus 'core.edit.own' check should be only be added for them

Finally, the edit - ACL check is not really needed at all inside the "display" of the view.html.php

  • that is both and edit and edit.own were checked by the controller before we reach the display() of the view, if the user does not have create / edit then form will not open

https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/controller.php#L42
... but then it only checks for "layout==edit" ... e.g. it will not check ... "layout==edit2"

i don't say to remove the ACL check, just say it is redudant when using edit.php layout

[EDIT]
When an edit form succeds in opening because of 'core.edit.own' (not having core.edit on the asset)
then the check:
$this->item->created_by == $userId
has been already made

... that explains why your code will work even if you do not add is-owner check, it is a side-effect of the fact that the check was already made ...

@infograf768
Copy link
Member Author

Also records that have an "owner" / creator
are:

category
article
contact
tag

Thus 'core.edit.own' check should be only be added for them

Indeed, banners should be taken off.
But Newsfeeds has an Edit Own Permission

I have to think over the rest of your comments.

@joomla-cms-bot
Copy link

This PR has received new commits.

CC: @brianteeman

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@ggppdk
Copy link
Contributor

ggppdk commented Jun 17, 2016
edited

@infograf768
I know you have not found yet time to look at my other comments, i am posting again just to explain my comment

Here is why the check for creator is needed in the view.html.php

Copy
administrator/components/com_content/views/article/tmpl/edit.php
as
administrator/components/com_content/views/article/tmpl/edit2.php

Then use it with a user that only has edit.own and component access and on a record not owned by the user

of course my example below, reveals a limitation (backend only, this problem does not exist in frontend):

  • that currently you cannot create custom backend edit layouts and also limit access to them: they are not saveable, but they do open on direct access

step1
step2
step3

@infograf768
Copy link
Member Author

@ggppdk
Can you propose a PR against my branch?

@ggppdk
Copy link
Contributor

ggppdk commented Jun 18, 2016

yes, will do today,
for view.html.php files is little work, for the content history models will need some searching

@infograf768
Copy link
Member Author

@ggppdk
Will test asap infograf768#35

ggppdk and others added 2 commits June 22, 2016 11:45
@ggppdk
Fixed content history models to check session as fallback for canEdit…
f2cb8e5 
… (cathes core.edit.own and works regardless of if owner has been changed)
@infograf768
Merge pull request #35 from ggppdk/version_edit_own
83bbb35 
Fixed checking of core.edit.own in views and in models of contenthistory, and also added category form case
@joomla-cms-bot
Copy link

This PR has received new commits.

CC: @brianteeman

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@infograf768
Copy link
Member Author

Thanks @ggppdk
I merged your PR.

Needs new testers now.

@infograf768 infograf768 mentioned this pull request Jul 2, 2016
Merged
@jsubri
Copy link
Contributor

jsubri commented Jul 4, 2016

I'm almost on the edge to be able to test it with a downgraded user account as a parent of the Manager group.But the test instructions starting point is from the Registered group.
As a parent of the Registered group, I can't get the top menus and the usual buttons "New, Edit, Save..." displayed for "Registered" nor "authors team", see below.
capture
Any hints is welcome, probably tired! @pieter-groeneweg

@infograf768
Copy link
Member Author

@brianteeman
Can you retest this please?

@brianteeman
Copy link
Contributor

Thanks for the reminder - will do it shortly

@brianteeman
Copy link
Contributor

@infograf768 are the test instructions correct? I get the same as @jsubri

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@ggppdk
Copy link
Contributor

ggppdk commented Jul 6, 2016

Please don't be confused by my previous pictures,
they were there to prove that the ACL check needed fixing, and it should now be fixed

We are supposed to

  • configure a usergroup that is denied the edit ACL privilege, but is granted edit.own
  • then edit an article that is owned by the user

subman

subman2

subman3

Then if you want to test this in more complete way,

  • re-allow "edit.own" in Global config for the SubManager usergroup
  • and edit article's category e.g. "Sample Data Articles" as super user, and deny edit.own for the usergroup "Sub Manager1" for this category

then login as submanager1 and edit the owned article and try to use versions button

@brianteeman
Copy link
Contributor

but the test instructions says something different to what you say above

create a group "authors team" with parent "registered".

@ggppdk
Copy link
Contributor

ggppdk commented Jul 6, 2016
edited

ok, the important is that the user belongs to proper usergroup(s)

  • so that user is denied "edit" but has "edit.own" on the record (article, etc)
  • and also that user "owns" the record

My 3 pictures clearly show such a case

Finally if user does not own the record (and only has 'edit.own' but not 'edit') then user must not be able to use versioning

  • if you copy paste any contenthistory related URLs in the browser and you modify the 'item_id' then you should get "you are not authorised to view this resource"

(it is this exact check that this PR was failing in the begining)

subman4

@pieter-groeneweg
Copy link

pieter-groeneweg commented Jul 7, 2016
edited

Not being able to code and write awesome PHP scripts like you guys do (big cheer!)..

But I think that as soon as a user takes ownership of an article, he/she should be able to even revert to a version of that same article even when it was created by someone else.
As I see it, the one who became owner as the last one, is the "king".

It may even make things more simple...

@ggppdk
Copy link
Contributor

ggppdk commented Jul 7, 2016

But I think that as soon as a user takes ownership of an article, he/she should be able to even revert to a version of that same article even when it was created by someone else.

This PR does as you said,
the edit.own is calculated on the current record owner

@pieter-groeneweg
Copy link

@ggppdk Then I must be confused by all previous entries in this thread. I am new to the lingua of coders ;)

I so much appreciate what you guys are doing.. (not only this thread, but all) More than three cheers!!

@jsubri
Copy link
Contributor

jsubri commented Jul 8, 2016

I have tested this item ✅ successfully on 83bbb35

I've used a downgraded user account as a parent from the Manager group.
I confirm the issue.
The patch solve the "Versions" button not displayed with edit.own, the Versions button appears after the initial save
I've tested other users from the same group, they need to have "Edit" at the Category level to be able to edit that article and Versions still works fine for them.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@hardiktailored
Copy link

I have tested this item ✅ successfully on 83bbb35

Versions button was not displayed before even when sub-manager permission set to Edit: Denied and Edit Own: Allowed; after applying patch, button displays and version change works.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@brianteeman
Copy link
Contributor

Rtc

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836.

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Jul 14, 2016
@brianteeman brianteeman added this to the Joomla 3.6.1 milestone Jul 14, 2016
@roland-d roland-d merged commit c1fc030 into joomla:staging Jul 16, 2016
@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Jul 16, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Joomla 3.6.1
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@infograf768 @brianteeman @joomla-cms-bot @ggppdk @jsubri @pieter-groeneweg @hardiktailored @zero-24 @roland-d