ACL Permissions Issue #4954
Comments
I can confirm this default Joomla behavior. The visibility/access to component options is controlled by the action "core.admin". The visibility/access to permissions (component, category, article, module, etc.) is also controlled by the action "core.admin". Solution 1 won't be my preferred option, as there are cases where you want to allow a user group to configure their permissions, also their own group permissions. Also, thinking in line of levels like manager/administrator is not the correct approach; forget about that, it's Joomla 1.5. Levels above don't necessarily mean more possibilities/actions allowed. Solution 2 is the only way to go if we want to allow people to configure component options without configuring permissions. A new core action like "core.permissions" for global configuration and components would be a possible solution. A change like this will have impact for sure.
The more I think about it, we need to have a mix of the two solutions. We need to allow people to configure component options without configuring permissions. We need to prevent someone changing their own ACL permissions. Otherwise, what is the point in setting that someone can only Edit Own if they can go in and change it?
I think it would make sense to add a separate check for the permissions. I don't think it makes much sense to restrict to which groups you can set the ACL. If someone can edit ACL, he could do all sorts of things anyway. It wouldn't be enough to restrict him from editing his own group. He could create new groups, elevate existing groups (like registered) and use those instead. I'd say just don't give anyone the permission to edit the ACL except the admins. With Solution 2, that would be possible and probably would solve the issue. Or is there a use case where a user needs to be able to edit ACL without having admin permissions on the extension?
I don't believe you should ever be able to change your own ACL setting. Note this applies to all components. So I might already deny a user access.

On 29 October 2014 15:09, Thomas Hunziker notifications@github.com wrote:

Brian Teeman
I agree with that in theory. Currently, we don't allow an admin to set himself to super admin, which is the only way he could raise his own permissions any further.
By the way: our ACL doesn't allow setting someone to be allowed to edit ACL/options while restricting him otherwise. It will set all other ACL settings to allowed as well.
This is the problem. If you allow someone to set options then they can set the ACL. You cannot do that; that is a big problem.

On 29 October 2014 15:21, Thomas Hunziker notifications@github.com wrote:

Brian Teeman
I agree with that fully and I see the use case for that. This is what would be solved with the additional core.permissions check suggested by Sander in his second solution.
Have a look at #4975. That should hopefully solve it in a full B/C way.
Summary
If you have ACL access to Configure, you can change the ACL for yourself and other users at the same level or above. So it is impossible for someone above your level to apply restrictions on your user level AND still allow you to change Options.
The Problem
Steps to reproduce the issue
Solution 1
Disable the ability to change the ACL for your own level, exactly as we disable the ACL for levels above you, e.g. a manager cannot change the setting for an administrator.
Solution 2 (preferred)
Control the access to ACL separately from Options. This would mean you can restrict a user from changing ACL settings but they can still change Options.
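The two proposals above, and the self-escalation concern raised in the comments, can be shown side by side with a small model of the access checks. This is an added example, not Joomla's code or any code from this issue or from #4975: Joomla's real check is the user's `authorise($action, $asset)` call, while the rule store, the `editor` and `superadmin` groups, the `com_content` fixture and the proposed `core.permissions` action name are assumptions made here for illustration. It contrasts today's single `core.admin` gate with Solution 2's separate permissions action, and adds Solution 1's guard against a group editing its own rules.

```python
# Constructed model of the ACL checks debated in this issue (not Joomla's code).
# Assumptions: group names, the com_content fixture and the core.permissions
# action are invented for the example; core.admin is the existing Joomla action.

CORE_ADMIN = "core.admin"              # today gates both the Options and Permissions tabs
CORE_PERMISSIONS = "core.permissions"  # proposed action gating only the Permissions tab


class AclModel:
    def __init__(self):
        # rules[asset][action][group] = True (allow) / False (deny)
        self.rules = {}

    def set_rule(self, asset, action, group, allowed):
        self.rules.setdefault(asset, {}).setdefault(action, {})[group] = allowed

    def authorise(self, groups, action, asset):
        """An explicit deny on any of the user's groups wins; otherwise any allow grants."""
        per_group = self.rules.get(asset, {}).get(action, {})
        verdicts = [per_group[g] for g in groups if g in per_group]
        if False in verdicts:
            return False
        return True in verdicts

    def can_edit_options(self, groups, asset):
        return self.authorise(groups, CORE_ADMIN, asset)

    def can_edit_permissions(self, groups, asset, separate_action=False):
        # Current behaviour: the same core.admin check as Options.
        # Solution 2: a dedicated action, so the two can be granted independently.
        action = CORE_PERMISSIONS if separate_action else CORE_ADMIN
        return self.authorise(groups, action, asset)

    def save_permission(self, actor_groups, asset, action, target_group, allowed,
                        separate_action=False, protect_own_groups=False):
        """Write one rule on behalf of an actor, enforcing the checks from the thread.

        Returns True on success. Raises PermissionError when the actor may not edit
        permissions on the asset, or (Solution 1) targets a group it belongs to.
        """
        if not self.can_edit_permissions(actor_groups, asset, separate_action):
            raise PermissionError("actor may not edit permissions on " + asset)
        if protect_own_groups and target_group in actor_groups:
            raise PermissionError("actor may not change rules for its own group")
        self.set_rule(asset, action, target_group, allowed)
        return True


def build_scenario():
    """Constructed fixture: a superadmin group and an editor group on com_content."""
    acl = AclModel()
    acl.set_rule("com_content", CORE_ADMIN, "superadmin", True)
    acl.set_rule("com_content", CORE_PERMISSIONS, "superadmin", True)
    acl.set_rule("com_content", CORE_ADMIN, "editor", True)         # may configure Options
    acl.set_rule("com_content", CORE_PERMISSIONS, "editor", False)  # but not Permissions
    return acl


def outcomes():
    acl = build_scenario()
    editor = {"editor"}
    result = {
        # today: one action gates both tabs, so the editor reaches Permissions too
        "today_options": acl.can_edit_options(editor, "com_content"),
        "today_permissions": acl.can_edit_permissions(editor, "com_content"),
        # Solution 2: Options stays open while Permissions is closed
        "split_options": acl.can_edit_options(editor, "com_content"),
        "split_permissions": acl.can_edit_permissions(editor, "com_content", separate_action=True),
    }
    # Solution 1 guard: a group allowed to edit permissions still cannot touch its own rules
    try:
        acl.save_permission({"superadmin"}, "com_content", "core.edit", "superadmin", True,
                            separate_action=True, protect_own_groups=True)
        result["self_edit_blocked"] = False
    except PermissionError:
        result["self_edit_blocked"] = True
    # ...but may still edit another group's rules
    result["other_edit_allowed"] = acl.save_permission(
        {"superadmin"}, "com_content", "core.edit", "editor", True,
        separate_action=True, protect_own_groups=True)
    return result


if __name__ == "__main__":
    for name, value in outcomes().items():
        print(name, value)
```

Run as a script to see each verdict; the `today_*` pair shows why a single `core.admin` gate cannot express "Options yes, Permissions no", and the `split_*` pair shows the same fixture under a separate action. The deny-wins rule in `authorise` is a simplification of Joomla's inheritance behaviour and only serves to make the editor's explicit `core.permissions` deny effective.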