[5.0] functions allowAdd is looking for filter_category_id that does not exist anymore. #43217

Open
peter1szalatnay opened this issue Apr 5, 2024 · 5 comments


@peter1szalatnay

Steps to reproduce the issue

Noticed that when filtering on a category in the articles view and clicking add on a category where users should not have permission to create an article, they can still do it.

In Joomla 3 the hathor template had all the filter fields hard coded in the template files with filter_category_id, but Joomla 5 is using the filter_articles.xml and the filter name has changed from filter_category_id to category_id.

A quick search in the source for filter_category_id shows Banners, Articles and Newsfeeds are affected by the same issue.

  1. Create a category and remove create permission from test user
  2. In Articles view filter on previously created category
  3. Create an Article

Expected result

User should not be able to create an article from a filtered category where they do not have create access.

Actual result

User can create an article in the articles view when category filter is enabled.

System information (as much as possible)

Joomla 5.0

Additional comments

There is more legacy filter code left in the article model from the hathor template. All the filters in populateState are not required anymore, as there is new code in ListModel to take care of it.

@brianteeman
Contributor

I am unable to replicate this. What am I missing?

I created a category (cat1)
I set the create permissions for manager to deny
I created a user (testing) with the level manager so that this user does not have create permission for the category (cat1)
I logged in as that user (testing)

I created a new article and the category select does not show cat1 so I cannot save in cat1

I display the list of articles and filter by the forbidden category (cat1)
I click new article and the article edit opens with the category preselected as cat1
I try to save the article - save not permitted

@peter1szalatnay
Author

peter1szalatnay commented Apr 5, 2024

It should already fail when you try to add the article, and not allow the edit view.

return $this->app->getIdentity()->authorise('core.create', 'com_content.category.' . $categoryId);

Just remove the legacy hathor way of doing things, and move to how it should work.

@brianteeman
Contributor

You stated that you can create an article in a category where you do not have permission to do so. I cannot replicate that. I'm not going to waste my time any further.

@Flowman

Flowman commented Apr 16, 2024

@brianteeman always a pleasure to deal with you.

Looks like @Hackwar removed the legacy filter #43230

@Hackwar maybe you can add 2 lines of code to fix this issue

$filters = $this->input->get('filter', [], 'array');
$categoryId = \array_key_exists('category_id', $filters) ? reset($filters['category_id']) : ArrayHelper::getValue($data, 'catid', null, 'int');

Or just remove the whole thing, as the filters can be an array and how do we know which one to take.
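One way to handle the array-valued filter raised in the comment above, as an added example that is not part of the thread or of Joomla's code: normalise the filter to a list of ids and require core.create on every one of them. The function names, the constructed ACL table and the component-level fallback are assumptions; `$authorise` stands in for `$this->app->getIdentity()->authorise(...)`.

```php
<?php
declare(strict_types=1);

// Added illustration; not Joomla core code. $authorise stands in for
// $this->app->getIdentity()->authorise($action, $asset).

/** Collect candidate category ids from the form data and the list filter. */
function candidateCategoryIds(array $data, array $filters): array
{
    // An explicit catid in the submitted data wins over the list filter.
    $raw = !empty($data['catid']) ? $data['catid'] : ($filters['category_id'] ?? []);

    // The filter may be a scalar or an array (multi-select); normalise both.
    $ids = array_map('intval', (array) $raw);

    return array_values(array_unique(array_filter($ids, fn (int $id): bool => $id > 0)));
}

/** Allow "add" only if core.create is granted on every candidate category. */
function canAddInCategories(callable $authorise, array $data, array $filters): bool
{
    $ids = candidateCategoryIds($data, $filters);

    if ($ids === []) {
        // No category known yet: fall back to a component-level check (assumption).
        return $authorise('core.create', 'com_content');
    }

    foreach ($ids as $id) {
        if (!$authorise('core.create', 'com_content.category.' . $id)) {
            return false; // one denied category is enough to refuse the add view
        }
    }

    return true;
}

// Constructed ACL: the test user may create in general and in category 8, not in 12.
$acl = ['com_content' => true, 'com_content.category.8' => true, 'com_content.category.12' => false];
$authorise = fn (string $action, string $asset): bool => $action === 'core.create' && ($acl[$asset] ?? false);

var_dump(canAddInCategories($authorise, [], ['category_id' => ['12']]));      // filtered on the denied category
var_dump(canAddInCategories($authorise, [], ['category_id' => ['8', '12']])); // one denied among several
var_dump(canAddInCategories($authorise, [], ['category_id' => '8']));         // scalar filter value
var_dump(canAddInCategories($authorise, [], []));                             // no filter, no catid
var_dump(canAddInCategories($authorise, ['catid' => 12], ['category_id' => ['8']])); // explicit catid wins
```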

@brianteeman
Contributor

brianteeman commented Apr 16, 2024


> Looks like @Hackwar removed the legacy filter #43230

That is proposed for 5.2
