User with edit_own permission should be able to load Versions for the item concerned #10836
$result->save_date = $table->save_date; | ||
$result->version_note = $table->version_note; | ||
$result->data = ContenthistoryHelper::prepareData($table); | ||
if ($return = true) |
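Review bot: On the last line shown, `if ($return = true)` assigns true to $return instead of testing it, so the branch always runs and whatever value $return held before is lost. Compare instead, for example `if ($return === true)` or simply `if ($return)`.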
Is this correct? I guess you mean == or === true?
After applying the patch I can load the versions, BUT when I restore a version I am only able to Save as Copy. Is that correct? This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10836. |
@zero-24 |
Hmm, nope. We need something more here. |
I have tested this item 🔴 unsuccessfully on 4b41620 |
@brianteeman |
Ah that could be true - testing now On 16 June 2016 at 15:46, infograf768 notifications@github.com wrote:
Brian Teeman |
We anyway have a bug here, as any new version gets its author from the last user who modified it... not from the creator of the original version |
Changed my test to success as the issue I found was when restoring a version from a different author so was the correct behaviour |
This PR has received new commits. CC: @brianteeman |
@infograf768 the "canDo" is calculated by: which does not include check "owner check":
we need to add it along with the ACL check like this:
example of existing code: Also records that have an "owner" / creator
Thus 'core.edit.own' check should only be added for them. Finally, the edit ACL check is not really needed at all inside the "display" of the view.html.php
https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/controller.php#L42 I don't say to remove the ACL check, just say it is redundant when using edit.php layout. [EDIT] ... that explains why your code will work even if you do not add is-owner check, it is a side-effect of the fact that the check was already made ... |
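The combined check described in the comment above (core.edit, or core.edit.own together with an owner match), as an added example that is not code from this thread or from Joomla. `StubUser` and `canUseVersions` are hypothetical names, the asset name and user ids are constructed, and the sketch assumes PHP 8.

```php
<?php
// Added illustration; not Joomla's code. StubUser stands in for a user object
// that exposes an authorise(action, asset) check. All names are hypothetical.
final class StubUser
{
    public function __construct(public int $id, private array $grants) {}

    public function authorise(string $action, string $asset): bool
    {
        return in_array($action, $this->grants[$asset] ?? [], true);
    }
}

/**
 * May $user load or restore versions of the record?
 * core.edit is sufficient on its own; core.edit.own counts only when the
 * record type has a creator and that creator is the current user.
 */
function canUseVersions(StubUser $user, string $asset, ?int $createdBy): bool
{
    if ($user->authorise('core.edit', $asset)) {
        return true;
    }

    return $user->authorise('core.edit.own', $asset)
        && $createdBy !== null
        && $createdBy === $user->id;
}

// Constructed sample data: one user with Edit Own but not Edit, one with Edit.
$asset  = 'com_content.article.42';
$author = new StubUser(7, [$asset => ['core.create', 'core.edit.state', 'core.edit.own']]);
$editor = new StubUser(8, [$asset => ['core.edit']]);

$cases = [
    "edit.own user, own record"         => canUseVersions($author, $asset, 7),
    "edit.own user, other's record"     => canUseVersions($author, $asset, 8),
    "edit.own user, record has no owner" => canUseVersions($author, $asset, null),
    "edit user, other's record"         => canUseVersions($editor, $asset, 7),
];

foreach ($cases as $label => $allowed) {
    printf("%-36s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

The same decision has to be made where the version data is loaded or restored, not only where the Versions button is rendered, because hiding a button does not stop a direct request.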
Indeed, banners should be taken off. I have to think over the rest of your comments. |
This PR has received new commits. CC: @brianteeman |
@infograf768 Here is why the check for creator is needed in the view.html.php. Then use it with a user that only has edit.own and component access, and on a record not owned by the user of course. My example below reveals a limitation (backend only, this problem does not exist in frontend):
|
@ggppdk |
yes, will do today, |
…ory, and also added category form case
@ggppdk |
… (catches core.edit.own and works regardless of if owner has been changed)
Fixed checking of core.edit.own in views and in models of contenthistory, and also added category form case
This PR has received new commits. CC: @brianteeman |
Thanks @ggppdk Needs new testers now. |
I'm almost on the edge to be able to test it with a downgraded user account as a parent of the Manager group. But the test instructions' starting point is from the Registered group. |
@brianteeman |
Thanks for the reminder - will do it shortly |
@infograf768 are the test instructions correct? I get the same as @jsubri |
Please don't be confused by my previous pictures, We are supposed to
Then if you want to test this in more complete way,
then login as submanager1 and edit the owned article and try to use versions button |
but the test instructions say something different to what you say above
|
ok, the important thing is that the user belongs to proper usergroup(s)
My 3 pictures clearly show such a case. Finally, if user does not own the record (and only has 'edit.own' but not 'edit') then user must not be able to use versioning
(it is this exact check that this PR was failing in the beginning) |
Not being able to code and write awesome PHP scripts like you guys do (big cheer!).. But I think that as soon as a user takes ownership of an article, he/she should be able to even revert to a version of that same article even when it was created by someone else. It may even make things more simple... |
This PR does as you said, |
@ggppdk Then I must be confused by all previous entries in this thread. I am new to the lingua of coders ;) I so much appreciate what you guys are doing.. (not only this thread, but all) More than three cheers!! |
I have tested this item ✅ successfully on 83bbb35 |
I have tested this item ✅ successfully on 83bbb35 |
RTC |
Pull Request for Issue #10813
Testing Instructions
create a group "authors team" with parent "registered".
administrator interface access allowed:
following permissions for articles:
Configure ACL & Options - Not Allowed.
Configure Options Only - Not Allowed.
Access Administration Interface - Allowed
Create - Allowed
Delete - Not Allowed.
Edit - Not Allowed.
Edit State - Allowed
Edit Own - Allowed
Logging in as a member of "authors team"
Go to articles manager and open an existing article
Create a new article and save
Open the same article.
Before patch, the user has no access to the Versions button and permission is not granted in the com_contenthistory models.
Patch and test on banner, banner client, contact, article, newsfeed