New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[4.0] [RFC] Viewing access levels inconsistently mixed with create / edit ACL #17913
Comments
The most common usage issue (95%), has been addressed with a hack
Still maybe something better can be done in J4 |
you are confusing access levels and viewing levels. they are two different things |
There is only 1 type, we do not have 2 |
@brianteeman |
Main question to me is how an editor is supposed to check the article (in frontend) if he isn't allowed to see it. Imho it just doesn't make any sense to allow editing an item which you're not allowed to see. You can't have the list based on ACL (edit) checks. You need something which you can query with the database, and calculating edit (and edit.own) rights with all its fallbacks to component/global and category levels just can't be done with SQL. There is a much easier solution to that, just allow those who have to edit the items to actually see it. Eg let them see the "Guest" articles as well when they're logged in. |
That is the most common case, but you can have some sites that need to show content only to specific groups,
besides the above thing i described other issues in my initial posting |
from @chrisdavenport joomla/user-interface-text#11 (comment)
|
Same applies there. You can't have a list based on edit permissions since you can't query that. You would have to load the full list and then do an ACL check on each entry. That's certainly not something you want to do. So your only option is to add another "access" column to the database where you can specify a backend viewlevel, because that is actually what you request. So you can specify different viewlevels for backend and frontend. But as said that just complicates things imho. |
@brianteeman Now nobody reading it should be confused
I guess the mentioned here: is no longer applicable, now they are mixed |
Sorry I just dont agree that anything has changed with the ACL since those docs That will be my last comment |
ok sure this is an RFC
about changes i meant PR like this: |
See comments by 4 other users / contributors here, saying some of the issues mentioned above comments by: by @izharaazmi , @renekreijveld, @Ruud68 e.g. izharaazmi comment
and yes guest level is most common case, but same can apply to other view levels (rare usage cases in some sites) |
There is a simple solution, let this be configurable for backend |
Regardless of how this is implemented, especially for frontend (but maybe for backend too)
the contents for each mode should be different
e.g. at frontend after login e.g. at frontend after login i mean the source of the problem is that these 2 modes are mixed |
The "normal" mode you speak of is view permissions. There should be no concept of a "management" mode that displays different content on a loaded page by way of a different system. Change your existing access levels if you really want to do this and stop relying on the default "Public/Registered/Special/Guest" configuration to just work for every possible use case out of the box. Either way, we need to stop doing stuff like this which effectively bypasses access level group restrictions for super users, or liberally using the same concept to do the same for other core permission levels. |
Set to "closed" on behalf of @jwaisner by The JTracker Application at issues.joomla.org/joomla-cms/17913 |
Closing this as it has been inactive and based on comments not a directional change to be done at this time. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17913. |
Steps to reproduce the issue
An article A or a category A or some other record A
-- should be viewable by usergroup A (most common use case is guests)
The above mention article A or a category A or some other record A
-- should be editable by usergroup B (NON-super user)
Expected result
Possible
Actual result
Not possible
And to make it worst it is possible via direct links because
-- e.g the article manager will not list a non-viewable article to non-super admins but if you type the edit link in the browser e.g.
administrator/index.php?option=com_content&task=article.edit&id=2
then you can edit (if of course you have edit ACL on the article)
System information (as much as possible)
All versions
Additional comments
Whey was this done ?
initially viewing access levels were for viewing only,
then in J1.6 / J1.7 it was expensive to calculate edit ACL so access level on article's categories were used as work around for listing articles, and later consideration of access levels of the articles was added too
As mentioned above most common use for having non-viewable articles / records would be articles meant to be shown to guests, but then we need some editors,
so a hack was added
Inconsistencies about the whole thing
another example is the category selector for create articles
Expected (sane) way to populate the selector
The text was updated successfully, but these errors were encountered: