
Category blog Access #27856

Closed
Webdongle opened this issue Feb 8, 2020 · 12 comments

Comments

@Webdongle
Contributor

Webdongle commented Feb 8, 2020

Steps to reproduce the issue

set 'Show unauthorised' to Yes
Create Category Blog menu item set 'Show unauthorised' to use Article settings.
Create an Article with a readmore set 'Show unauthorised' to No

Expected result

Viewing from the frontend, the Article intro text should not be shown to non-logged-in visitors

Actual result

Viewing from the frontend, the Article intro text is shown to non-logged-in visitors

System information (as much as possible)

Additional comments

With 'Show Title' set to No in Global and 'Use Article setting' in the Category blog menu item ... setting it to show in the Article settings has no effect.

It is like the 'Use Article' settings in Category blog Options are not being honoured and defaulting to Global. This is a security risk.

@brianteeman
Contributor

The expected result and the actual result are the same ??

@phpwebtech

No, the expected result and the actual result are not the same.

It doesn't matter what the article setting is set to. The behaviour is the same.

Global: No
Menu: Use Article settings
Article: Yes
The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

Global: No
Menu: Use Article settings
Article: No
The Article setting of No is used
Not logged in visitors see intro text in Category/featured blog


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27856.

@brianteeman
Contributor

No, the expected result and the actual result are not the same.

I am referring to the report where the two are the same. It is hard to comment without knowing what you "think" the expected result is supposed to be.

@Webdongle If you truly believe this to be a security risk (and I still don't know what you are expecting) then you really should have known better than to post a security issue in public

@Webdongle
Contributor Author

Webdongle commented Feb 8, 2020

@brianteeman
Thanks, have edited the post. Had forgotten to alter it after copy/paste.

Expected result
Viewing from the frontend, the Article intro text should not be shown to non-logged-in visitors

Actual result
Viewing from the frontend, the Article intro text IS shown to non-logged-in visitors

@phpwebtech

The expected behaviour:

The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

The Article setting of No is used
Not logged in visitors should NOT see intro text in Category/featured blog

The actual behaviour is as mentioned before:

The Article setting of Yes is used
Not logged in visitors see intro text in Category/featured blog

The Article setting of No is used
Not logged in visitors see intro text in Category/featured blog

The behaviour is the same regardless if the Article setting is Yes or No.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27856.

@brianteeman
Contributor

Is this the same issue as #21407?

@Webdongle
Contributor Author

Webdongle commented Feb 9, 2020

Looks like it, but I have also spotted that (in featured/category blog) 'Use Article setting' for 'Show Title' is not working either.

For some reason the 'Use Article setting' is being ignored and the Global setting is being used instead of the Article setting.

Perhaps the code that initiates the 'Use Global' is being used when 'Use Article setting' should be used?

This is a security issue as far as the end user is concerned. Sensitive content could inadvertently be displayed to the public.

Unlike the other reports... I am using the Protostar Template

@brianteeman
Contributor

[image]

[image]

@Webdongle
Contributor Author

Webdongle commented Feb 9, 2020

Surely that refers to security issues that allow exploits. This is not that type of security issue.

@mbabker
Contributor

mbabker commented Feb 9, 2020

ACL violations are security issues in that someone gaining unauthorized read access to parts of the system is an information leak. This exact scenario is the example used in the impact table on https://developer.joomla.org/security.html. Security issues are not isolated to only malicious code exploits.

@Webdongle
Contributor Author

@mbabker @brianteeman

Done

@phpwebtech

phpwebtech commented Feb 9, 2020

Is this the same issue as #21407?

After a quick glance it looks like it might be the same issue.

As I've mentioned in the thread at the Joomla Forum, the "Use Article Setting" in the Menu settings doesn't make sense from a logical point of view. I found the following comment that might explain why.

Based on code history, the 'Use Article Setting' option was added to menu items by mistake 014b52f#diff-6ffd3a7d782585864181873aea4c2c1fR306.

From a logical point of view it would make more sense that the setting at the Global level is inherited by the Menu level and the settings at the Menu level are inherited by the Article level; then the "Use Article Setting" could be omitted.

The intro text of articles which are restricted to registered users is shown even when the setting at the Article level of "Show Unauthorised Links" is set to No, which shouldn't be the case. This makes me think that the problem might be the SQL query.

Unfortunately, I don't know how the system is built, but it would be of interest to see how the SQL query looks.
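
The precedence the thread keeps circling around (Global, then the menu item, then the article, with the menu item's 'Use Article setting' deferring to the article) can be modelled outside Joomla to see exactly which combination leaks an intro to a guest. The code below is an added example written for this page, not Joomla's own code or its SQL query; the `Show` enum, the `Article` record, the resolver functions and the sample articles are all constructed assumptions. `buggy_resolve` models Webdongle's hypothesis above that 'Use Article setting' is being treated like 'Use Global'; `resolve_show_unauthorised` models the behaviour the reporters expect. `audit_leaks` compares the two over a category blog and lists every article whose intro a guest would see only because of the fall-through.

```python
"""Model of three-level 'Show Unauthorised Links' resolution (global -> menu -> article).

Added illustration for this issue thread; it is not Joomla code. Names and behaviour
are assumptions made for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Show(Enum):
    NO = "no"                    # hide the article entirely from unauthorised viewers
    YES = "yes"                  # show title + intro as a teaser to unauthorised viewers
    USE_GLOBAL = "use_global"    # stored at menu or article level: defer to global
    USE_ARTICLE = "use_article"  # stored at menu level only: defer to the article


@dataclass(frozen=True)
class Article:
    title: str
    intro: str
    access_level: str      # viewer must hold this level to read the full text
    show_unauthorised: Show  # NO, YES or USE_GLOBAL


def resolve_show_unauthorised(global_setting: Show, menu_setting: Show, article_setting: Show) -> Show:
    """Expected precedence (assumed): explicit menu value wins; 'Use Global' takes the
    global value; 'Use Article setting' takes the article value, which may itself
    fall back to global."""
    if menu_setting is Show.USE_ARTICLE:
        return global_setting if article_setting is Show.USE_GLOBAL else article_setting
    if menu_setting is Show.USE_GLOBAL:
        return global_setting
    return menu_setting


def buggy_resolve(global_setting: Show, menu_setting: Show, article_setting: Show) -> Show:
    """Hypothesised faulty behaviour: 'Use Article setting' is handled like 'Use Global',
    so the article-level value is never consulted."""
    if menu_setting in (Show.USE_ARTICLE, Show.USE_GLOBAL):
        return global_setting
    return menu_setting


def render_blog(articles, viewer_levels, global_setting, menu_setting, resolver=resolve_show_unauthorised):
    """Return (title, intro) pairs a viewer with the given access levels sees in a category blog."""
    visible = []
    for art in articles:
        if art.access_level in viewer_levels:
            visible.append((art.title, art.intro))
            continue
        effective = resolver(global_setting, menu_setting, art.show_unauthorised)
        if effective is Show.YES:
            visible.append((art.title, art.intro))  # teaser shown, full text behind login
    return visible


def audit_leaks(articles, viewer_levels, global_setting, menu_setting):
    """Titles whose intro the viewer sees under the buggy resolver but not under the expected one."""
    expected = {t for t, _ in render_blog(articles, viewer_levels, global_setting, menu_setting)}
    actual = {t for t, _ in render_blog(articles, viewer_levels, global_setting, menu_setting, buggy_resolve)}
    return sorted(actual - expected)


# Constructed sample category blog: one public article, two registered-only articles.
SAMPLE_ARTICLES = [
    Article("Welcome", "Public intro", "public", Show.USE_GLOBAL),
    Article("Members roadmap", "Sensitive intro", "registered", Show.NO),
    Article("Members newsletter", "Teaser intro", "registered", Show.YES),
]
GUEST = frozenset({"public"})
MEMBER = frozenset({"public", "registered"})


if __name__ == "__main__":
    # Reproduces the original report: Global Yes, menu 'Use Article setting', article No.
    print("expected:", render_blog(SAMPLE_ARTICLES, GUEST, Show.YES, Show.USE_ARTICLE))
    print("buggy:   ", render_blog(SAMPLE_ARTICLES, GUEST, Show.YES, Show.USE_ARTICLE, buggy_resolve))
    print("leaked:  ", audit_leaks(SAMPLE_ARTICLES, GUEST, Show.YES, Show.USE_ARTICLE))
```

Running it with the settings from the original report (Global Yes, menu 'Use Article setting', article No) lists "Members roadmap" as leaked: the expected resolver hides it because the article says No, while the fall-through resolver shows the intro because Global says Yes. A logged-in member sees every intro under both resolvers, which is why the defect only surfaces for guests.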
