Article for registered visible to all #11285

Closed
tonicopi opened this issue Jul 24, 2016 · 23 comments

Comments

@tonicopi

tonicopi commented Jul 24, 2016

Steps to reproduce the issue

1 - Create a menu item pointing to an article for registered users

2 - In the general options of Content set YES on Show Unauthorised Links

3 - Click in the menu item of point 1 without being logged into the site

Expected result

I was expecting a message asking me to register.

Actual result

Instead I read the article, also Google can read it then shows it to the world!

System information (as much as possible)

Additional comments

@mbabker
Contributor

mbabker commented Jul 24, 2016

Did you set the menu item to registered or the article, or both? If it was only the menu item, that'd only change when that part is displayed, so if the article is set to public you need to change that as well.

@tonicopi
Author

The menu item is public.
I find it wrong, seriously wrong, that the reserved content of the article is publicly visible in this way!

@ggppdk
Contributor

ggppdk commented Jul 24, 2016

@tonicopi
There is a detail you have not mentioned:

  • does the article contain a read-more?

If it does, then this is normal behavior. It is a feature that can be useful to your web-site: just add the text that you need to be visible to ALL users before the read-more.

In article view

  • The (intro) text before the read-more will show as a "Tease" when you enable "Unauthorized links"
  • and then if you click on the read more you should get a no-access message or a redirect to login/register

Is the above the case?

@tonicopi
Author

NO the article has no Read More

Regards

Tonicopi

On 24/07/2016 16:42, Georgios Papadakis wrote:

@tonicopi https://github.com/tonicopi
There is a detail you have no mention,

  • does the article contains a read-more ?

If it does then this is normal behavior, it is a feature that can be useful to your web-site, just add the text that you need to be visible to ALL users, before the read-more

In article view

  • The (intro) text before the read-more will show as a "Tease" when
    you enable "Unauthorized links"
  • and then if you click on the read more you should get an no access
    message or a redirect to login register

is the above the case ?


@ggppdk
Contributor

ggppdk commented Jul 24, 2016

If you add a read-more to it, then does it work as described above?

@tonicopi
Author

Yes

Please try the following steps:

  1. Create a new "Blog category" menu item and set it as Public
  2. Publish an article without a read more and set it as Registered
  3. The article will be completely public, without any restriction, if in Articles Global Settings (or if in the options of the blog menu item) the option "Show unauthorized links" is set to yes.

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11285.

@jeckodevelopment
Member

I can confirm. It's an ACL violation.

Steps to reproduce the issue

  1. Create a new category and set as Public
  2. Create a menu item, Category Blog, pointing to such category.
  3. Set (in the menu item options) "Show unauthorized links" on Yes.
  4. Create an article (without readmore) and set it as Registered.

Expected result
The article set as Registered shouldn't be visible.

Actual result
You'll be able to see the whole content of the article even if it's for Registered users.

@jeckodevelopment
Member

If you add a read more in the article, you can see properly the Intro text and it asks for Login/registration to see the complete content.

If you set "Show unauthorized links" to No, the article is not visible.

@ghost

ghost commented Jul 24, 2016

I can confirm. It's an ACL violation.

I don't think so. If you set "Show unauthorized links" to yes you agree that title and introtext (a field in the database) are shown to everybody. Images, field fulltext and links to the article are not shown.

Otherwise the setting "Show unauthorized links" would be senseless. Changing this behavior would be a B/C break.

If there's no readmore marker inside the article the whole text is saved in database field introtext.

Maybe the description could be more clear?

JGLOBAL_SHOW_UNAUTH_LINKS_DESC="If set to Yes, links to registered content will be shown even if you are not logged-in. You will need to log in to access the full item."

@ggppdk
Contributor

ggppdk commented Jul 24, 2016

If you add a read more in the article, you can see properly the Intro text and it asks for Login/registration to see the complete content.

So is it a requirement that the article has a read more when "Show unauthorized links" is set to "Yes"?

Originally this setting was meant for category view, to show intro-text (and intro image) of non-privileged content and link to article view with a redirection to login? But then

  • for SEO purposes
  • for making article view do "teasing"

article view was also modified to show intro image and intro-text, right?

First, the DB model does well to allow this (= behaves according to configuration).

So it is not an ACCESS violation; it seems to me that

  • either the view (view.html.php) should check this
  • or the default template of article view is bogus and shows more than what it is supposed to show

@jeckodevelopment
Member

@bertmert, I agree on Intro Text and other information.
But I don't agree on the Full text.

@AlexRed
Contributor

AlexRed commented Jul 24, 2016

I confirm the issue



@ghost

ghost commented Jul 24, 2016

Joomla has worked like this at least since Joomla 1.5. Changing it would be a B/C break.

See an example with Joomla 1.5

Article "We are Volunteers":
  • Registered.
  • Menu Articles » Category / Blog: => Show Unauthorised Links: YES.
Without readmore:

[Screenshot: 24-07-_2016_21-40-50]

With readmore:

[Screenshot: 24-07-_2016_21-41-52]

@jeckodevelopment

But i don't agree on the Full text.

There is no fulltext in database if there's no readmore.
There are 2 fields in the DB: introtext and fulltext. If there's no readmore fulltext is empty and the whole text is interpreted as introtext.
If you want to hide the complete text you have to insert a readmore at the beginning of the editor text.

One possibility could be to add a further configuration option "Hide introtext, too" or something. = new feature.

Another one is to handle it via template overrides.

if ($params->get('access-view')) :
    // Show text
else :
    // Hide text
endif;

@ggppdk
Contributor

ggppdk commented Jul 24, 2016

@bertmert

You show category view; yes, it has been like this for a long time.

About article view, it also seems to have been like this a long time (I checked the GitHub history of the template file).
I wrongly believed this feature was added much later.

Was there ever a check in article view ?:

if no read-more (thus no full-text too) and no-view-access on article,
then redirect to login regardless of "show unauthorized" ?

@ghost

ghost commented Jul 24, 2016

Ah, sorry! The opener of this issue talked about article, later on about category blog.

Was there ever a check in article view ?: if no read-more (thus no full-text too), then redirect to login immediately ?

As far as I remember, no. In Joomla 1.5 the single article view was blocked completely. Just a login. Only the blog showed the introtext. Reason is that in 1.5 only menu item had an option "Show Unauthorised Links".

2.5 had only a similar check like in current staging:
https://github.com/joomla/joomla-cms/blob/staging/components/com_content/views/article/view.html.php#L133-L140


Another find: If "Show Unauthorised Links" is YES and "Show Intro Text" is HIDE (in article and a menu pointing to this article) I see this (intro text):

[Screenshot: 24-07-_2016_23-42-18]


If "Show Unauthorised Links" is NO I don't see a login form like in Joomla 1.5

[Screenshot: 24-07-_2016_23-15-28]

@jeckodevelopment
Member

@bertmert I know that without readmore there's no FullText, but, I think you can agree that in this case the ACL on the Article will be ignored and this is not right.

@mbabker
Contributor

mbabker commented Jul 24, 2016

Well, yes and no. The specific configuration allows for it to be bypassed
and IIRC it's a configuration you have to explicitly enable. So that
config may need to be better documented, but from the sounds of things I'm
not entirely convinced we have a bug.

On Sunday, July 24, 2016, Luca Marzo notifications@github.com wrote:

@bertmert https://github.com/bertmert I know that without readmore
there's no FullText, but, I think you can agree that in this case the ACL
on the Article will be ignored and this is not right.


@jeckodevelopment
Member

This specific configuration ignores the ACL of the article. If it's not a real issue, it's a "particular behaviour" and we need to document it.

@mbabker
Contributor

mbabker commented Jul 24, 2016

Right, it's a very explicit circumstance based on configuring another feature. Unless you've got a better way to handle the feature, this particular set of circumstances is a side effect of having it.

@jeckodevelopment
Member

Otherwise we need a check: if the FullText field is empty and the article is set as Registered (or whatever is not Public), we can show only the title and prompt the login (same behaviour as in the case of readmore).

@ggppdk
Contributor

ggppdk commented Jul 25, 2016

if the FullText field is empty and the article is set as Registered

OK, if this is added, then yes, we check if fulltext is empty

  • but then we do not check for registered access, we check for no-access (access-view FLAG is set) and user is guest

Natural place to add this

  • should be after the IF statement of view HTML, that serves a similar purpose but is incomplete, here:

https://github.com/joomla/joomla-cms/blob/staging/components/com_content/views/article/view.html.php#L133-L140

I have made a PR #11290
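
The check discussed in the comments above, modelled in plain PHP as an added example; it is not part of the thread, not Joomla's code and not the code of PR #11290. All function and array key names are hypothetical, and the read-more marker string is an assumption (it is not quoted on this page).

```php
<?php
// Added illustration in plain PHP; function and key names are hypothetical.
// It models the behaviour discussed in the thread and is not Joomla code.

// No read-more marker => the whole text ends up in introtext, fulltext is empty.
function splitArticleText(string $text): array
{
    $parts = preg_split('#<hr\s+id=["\']system-readmore["\']\s*/?>#i', $text, 2);
    return ['introtext' => $parts[0], 'fulltext' => $parts[1] ?? ''];
}

// What a viewer gets in the article view. $accessView stands for the
// 'access-view' flag, $showNoauth for "Show Unauthorised Links".
function renderArticle(array $a, bool $accessView, bool $showNoauth, bool $hardened): string
{
    if ($accessView) {
        return $a['introtext'] . $a['fulltext'];
    }
    if (!$showNoauth) {
        return '[not shown]';
    }
    // Check proposed in the thread: an empty fulltext means the intro text IS
    // the article, so a viewer without access gets the title and a login prompt.
    if ($hardened && trim($a['fulltext']) === '') {
        return $a['title'] . ' [login required]';
    }
    // Teaser behaviour: intro text is shown, full text stays behind login.
    return $a['introtext'] . ' [login to read more]';
}

// Constructed sample articles, both set to Registered and viewed by a guest
// with "Show Unauthorised Links" set to Yes.
$marker  = '<hr id="system-readmore" />';
$samples = [
    'with read-more'    => "Public teaser.{$marker}Members-only body.",
    'without read-more' => 'Members-only body, no marker.',
];
foreach ($samples as $label => $text) {
    $article = ['title' => 'Constructed article'] + splitArticleText($text);
    foreach ([false, true] as $hardened) {
        printf("%-18s hardened=%d => %s\n", $label, $hardened,
            renderArticle($article, false, true, $hardened));
    }
}
```

Only the "without read-more" row changes between the two modes: without the extra check the guest receives the entire body, with it only the title and a login prompt.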

@brianteeman
Contributor

I am closing this as we have a PR for testing see #11290



@jeckodevelopment
Member

Thank you @ggppdk :)
