New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UI fix: user with authorization to create in at least a category can access editor view in menuitems for other categories #17674
UI fix: user with authorization to create in at least a category can access editor view in menuitems for other categories #17674
Conversation
$authorised = $user->authorise('core.create', 'com_content') || count($user->getAuthorisedCategories('com_content', 'core.create')); | ||
if ($this->state->params->get('enable_category') == 1) | ||
{ | ||
$catid = $app->getMenu()->getActive()->params->get('catid'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason you are using $app->getMenu()->getActive()->params ?
For consistency you should use the $this->state->params to get 'catid'
e.g. in the line above you are using it to get 'enable_category' which is also a menu item parameter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No.
Right.
Also i noticed that parameter name is 'Default category'
so "Default category" does not sound like best choice
|
Constrained / Bound category? |
@@ -30,7 +30,7 @@ COM_CONTENT_CONFIG_LIST_SETTINGS_DESC="These settings apply for List Layouts Opt | |||
COM_CONTENT_CONFIGURATION="Articles: Options" | |||
COM_CONTENT_CREATE_ARTICLE_CANCEL_REDIRECT_MENU_DESC="Select the page the user will be redirected to after Canceling article submission. The default is to redirect to the same article submission page (cleaning form)." | |||
COM_CONTENT_CREATE_ARTICLE_CANCEL_REDIRECT_MENU_LABEL="Cancel Redirect" | |||
COM_CONTENT_CREATE_ARTICLE_CATEGORY_LABEL="Default Category" | |||
COM_CONTENT_CREATE_ARTICLE_CATEGORY_LABEL="Constrained Category" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sort alpha order. Swap lines 33 and 34.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oooops. Tks
Constrained is hard to translate. |
This is more an UX fix , that an security fix (e.g. the form display of custom fields of an non-accessible category are revealed), i say UX because, imagine someone spending 10, 20 minutes to fill in the form and then clicking save, to discover that has no access to save the form, some real frustration |
So should I change name to: "UX fix: ..." ? |
Hmm, found a bug, unrelated to this PR. Therefore I suggest to use
as I could not find a way to solve that bug. |
Oh! Thanks. Fixed. There is a way to add client-side field validation to params form field in backend? |
It seems there were problems with drone and appveyor, but I don't find a way to restart them. Is it normal? |
i think we still need to manage properly the issue referenced by @infograf768, your fix just show |
I have tested this item ✅ successfully on 175a328 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674. |
I have made PRs against you patching both places, that 'enable_category' is used components/com_content/views/form/view.html.php now code will work properly even if user has set 'enable_category' to YES and did not select category
fixing is #17708 is now not needed |
Require both parameters in view.html.php
Why is AppVeyor failing? |
I tested it in Jommla! 3.7.4, 3.7.5 and 3.8 beta. This patch works as expected. |
I have tested this item ✅ successfully on ad148a7 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674. |
@alikon can you please retest? |
I have tested this item ✅ successfully on ad148a7 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674. |
Status "Ready To Commit". |
@HLeithner What happens with this PR? |
Something take longer then other, thanks for this PR |
Summary of Changes
Perform an additional authorization check at the category level in com_content edit view file: view.html.php .
This blocks an unauthorized user from accessing the editor in some circumstancies when he does not have "Create" permissions for that category.
Testing Instructions
Create a new User Group: "Manage Category ONE" with 'Public' parent group.
In System / Global Configuration set Permission to allow "Manage Category ONE" group to Login into site.
Create new user 'User1' as member of this group.
Create a new article category "ONE" and set permissions so that "Manage Category ONE" group is allowed to "Create".
Create a new article category "TOP SECRET" and check that "Manage Category ONE" group has no permissions to "Create" in it.
Now create a menuitem, "Create Top Secret", to submit a new article; set Options so that default category "TOP SECRET" is default.
Login as "User1" into frontend and "Create Top Secret".
Expected result
User is not authorized, not having rights to "Create" in "Top Secret" category.
Actual result
User is allowed to enter the editor! He can even browse images folder.
Notes
In J!3.4.4 (and I suppose in some later versions) the user was allowed to save the article!
In J!3.7.5 (I suppose starting from some previous versions) when he clicks on "Save" the operation is blocked with error; this mitigates the problem.
Anyway I think that accessing the editor (though the most dangerous functionalities are disabled) is not a "good thing": the user should be blocked as soon as he tries to access a resource he is not authorized to use, not later, when he tries to close (save) that resource.