Extra ACL checks (yay) #11244
Extra ACL checks (yay) #11244
Conversation
| @@ -503,9 +503,17 @@ protected function getReorderConditions($table) | |||
| */ | |||
| protected function preprocessForm(JForm $form, $data, $group = 'content') | |||
| { | |||
| // Check if article is associated | |||
| $canCreateCategories = JFactory::getUser()->authorise('core.create', 'com_newsfeeds'); | |||
There was a problem hiding this comment.
Should/Does core.create on item also grants the permission to create categories for them?
There was a problem hiding this comment.
@izharaazmi go to Article -> Categories and click Options, what you see is the com_content permissions.
Same goes for all of the components with categories.
The question is if the user is allowed to create category items in the com_newsfeeds component.
So, correct. core.create - com_newsfeeds.
|
Why: |
| * | ||
| * @return void | ||
| * | ||
| * @since 3.0 |
| */ | ||
| protected function preprocessForm(JForm $form, $data, $group = 'content') | ||
| { | ||
| // Determine correct permissions to check. | ||
| if ($this->getState('contact.id')) |
There was a problem hiding this comment.
This check is in all the other components - but missing from contacts so added this as well for consistency
|
Because I fail at copy/pasting code JM :) Fixed! |
|
I though core.create - com_xyz tells us whether the user is allowed to create item in com_xyz. But here I see the same permission is used to check whether if he is allowed to create categories for com_xyz items. So how do we handle the practical case when the site admin has predefined set of categories and wants the authors to only create articles in those categories and NOT allow creating new categories. Am I missing on something? |
|
Is that case handled at the moment in category creation? |
|
I'm not sure if this is possible in Joomla yet. I never did the site management so never had to go through that process. I just assumed it to be there because I believe this is so basic need, isn't it? |
since, for what i know, you're the first to ask doesn't seem a |
|
Just to clarify my doubts. |
|
If they have ACL permission to create items they can create items. It's on the site admin to review that stuff, there isn't a way to programmatically state "my site is medical science so raise a red flag if someone starts creating art related content on the site".
Leave |
|
Thanks @mbabker. Now I can see what I was seeking for is not yet possible in Joomla.
However, it is still desirable to avoid allowing create everything in a component (or item ACL) based on a single rule Similarly, in com_users we (super administrator) may not want to allow an administrator/manager to create user groups or access level and still allow to create new users. Currently what I understand is we can't. Wouldn't it be nice as something in the line of:
|
No. I personally think bloating Joomla with permissions (i.e. At the end of the day, the current ACL is just fine, even with its known limitations, as a working starting point and generalized solution (because that's ultimately what the CMS application is, a compromise of a bunch of high level generalized solutions which aren't really optimized for anything) and the API should be strong enough to let folks extend it with additional custom rulesets if they really need a more fine tuned control set. |
|
Hmm... I understand the situation here. Agree to you. Now as an expert advice would you please tell me whether I'm doing it right if I use following rules for my own extensions, or there are known better alternatives? core.create = create everything. and similar for delete, edit, state etc. |
|
That'd be the way to go about it, you'd just have to deal with the different possibilities that come out of that config set (i.e. if core.create is set to explicit deny following core's structure the component options should also be deny, or if you've allowed core.create but explicit denied one of the component options, things like that). |
|
Thanks again @mbabker. I appreciate the time and effort taken to explain the whole thing. |
| */ | ||
| protected function preprocessForm(JForm $form, $data, $group = 'content') | ||
| { | ||
| // Check if article is associated |
There was a problem hiding this comment.
This got removed in the subsequent commit 5 hours ago :P
|
@wilsonge you have to add the ACL check to the saving process, too: and/or https://github.com/wilsonge/joomla-cms/blob/6d3d1293d88eed23528ef2193a5846215d6b8f38/administrator/components/com_content/models/article.php#L508-L519 (and the other components) |
|
@bembelimen Checks added to save method - sorry for the delay in adding them in and nice spot! |
|
I have tested this item ✅ successfully on 0e7d0f8 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11244. |
|
I have tested this item ✅ successfully on 0e7d0f8 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11244. |
|
Thanks! Merging my own PR so I can get an RC2 out |
|
i guess similar patch is necessary for webkinks. |
* Extra ACL checks (yay) * Fix comments + since * Add checks into save method
Pull Request for Issue #11162 .
Summary of Changes
Adds bonus ACL checks for the categories on the fly
Testing Instructions
Before Patch:
After Patch: