Fix ACL checks for pagebreak, articles com_content layouts (and their editor XTD buttons) blocking legitimate editors

components/com_content/content.php

@@ -16,18 +16,21 @@
 $input = JFactory::getApplication()->input;
 $user  = JFactory::getUser();
 
-if ($input->get('view') === 'article' && $input->get('layout') === 'pagebreak')
-{
-	if (!$user->authorise('core.create', 'com_content'))
-	{
-		JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
+$checkCreateEdit = ($input->get('view') === 'articles' && $input->get('layout') === 'modal')
+	|| ($input->get('view') === 'article' && $input->get('layout') === 'pagebreak');
 
-		return;
-	}
-}
-elseif ($input->get('view') === 'articles' && $input->get('layout') === 'modal')
+if ($checkCreateEdit)
 {
-	if (!$user->authorise('core.create', 'com_content'))
+	// Can create in any category (component permission) or at least in one category
+	$canCreateRecords = $user->authorise('core.create', 'com_content')
+	 || count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+	// Instead of checking edit on all records, we can use **same** check as the form editing view
+	$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+	$isEditingRecords = count($values);
+
+	$hasAccess = $canCreateRecords || $isEditingRecords;
+	if (!$hasAccess)
 	{
 		JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
 

plugins/editors-xtd/article/article.php

@@ -35,25 +35,37 @@ class PlgButtonArticle extends JPlugin
 	 */
 	public function onDisplay($name)
 	{
-
+		$input = JFactory::getApplication()->input;
 		$user  = JFactory::getUser();
 
-		if ($user->authorise('core.create', 'com_content')
-			|| $user->authorise('core.edit', 'com_content')
-			|| $user->authorise('core.edit.own', 'com_content'))
+		// Can create in any category (component permission) or at least in one category
+		$canCreateRecords = $user->authorise('core.create', 'com_content')
+			|| count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+		// Instead of checking edit on all records, we can use **same** check as the form editing view
+		$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+		$isEditingRecords = count($values);
+
+		// This ACL check is probably a double-check (form view already performed checks)
+		$hasAccess = $canCreateRecords || $isEditingRecords;
+		if (!$hasAccess)
 		{
-			$link = 'index.php?option=com_content&view=articles&layout=modal&tmpl=component&'
-				. JSession::getFormToken() . '=1&editor=' . $name;
+			JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
 
-			$button = new JObject;
-			$button->modal   = true;
-			$button->class   = 'btn';
-			$button->link    = $link;
-			$button->text    = JText::_('PLG_ARTICLE_BUTTON_ARTICLE');
-			$button->name    = 'file-add';
-			$button->options = "{handler: 'iframe', size: {x: 800, y: 500}}";
+			return;
+		}
+
+		$link = 'index.php?option=com_content&view=articles&layout=modal&tmpl=component&'
+			. JSession::getFormToken() . '=1&editor=' . $name;
+
+		$button = new JObject;
+		$button->modal   = true;
+		$button->class   = 'btn';
+		$button->link    = $link;
+		$button->text    = JText::_('PLG_ARTICLE_BUTTON_ARTICLE');
+		$button->name    = 'file-add';
+		$button->options = "{handler: 'iframe', size: {x: 800, y: 500}}";
 
 		return $button;
-		}
 	}
 }

plugins/editors-xtd/pagebreak/pagebreak.php

@@ -35,24 +35,37 @@ class PlgButtonPagebreak extends JPlugin
 	 */
 	public function onDisplay($name)
 	{
+		$input = JFactory::getApplication()->input;
 		$user  = JFactory::getUser();
 
-		if ($user->authorise('core.create', 'com_content')
-			|| $user->authorise('core.edit', 'com_content')
-			|| $user->authorise('core.edit.own', 'com_content'))
+		// Can create in any category (component permission) or at least in one category
+		$canCreateRecords = $user->authorise('core.create', 'com_content')
+			|| count($user->getAuthorisedCategories('com_content', 'core.create')) > 0;
+
+		// Instead of checking edit on all records, we can use **same** check as the form editing view
+		$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id');
+		$isEditingRecords = count($values);
+
+		// This ACL check is probably a double-check (form view already performed checks)
+		$hasAccess = $canCreateRecords || $isEditingRecords;
+		if (!$hasAccess)
 		{
-			JFactory::getDocument()->addScriptOptions('xtd-pagebreak', array('editor' => $name));
-			$link = 'index.php?option=com_content&view=article&layout=pagebreak&tmpl=component&e_name=' . $name;
-
-			$button          = new JObject;
-			$button->modal   = true;
-			$button->class   = 'btn';
-			$button->link    = $link;
-			$button->text    = JText::_('PLG_EDITORSXTD_PAGEBREAK_BUTTON_PAGEBREAK');
-			$button->name    = 'copy';
-			$button->options = "{handler: 'iframe', size: {x: 500, y: 300}}";
-
-			return $button;
+			JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
+
+			return;
 		}
+
+		JFactory::getDocument()->addScriptOptions('xtd-pagebreak', array('editor' => $name));
+		$link = 'index.php?option=com_content&view=article&layout=pagebreak&tmpl=component&e_name=' . $name;
+
+		$button          = new JObject;
+		$button->modal   = true;
+		$button->class   = 'btn';
+		$button->link    = $link;
+		$button->text    = JText::_('PLG_EDITORSXTD_PAGEBREAK_BUTTON_PAGEBREAK');
+		$button->name    = 'copy';
+		$button->options = "{handler: 'iframe', size: {x: 500, y: 300}}";
+
+		return $button;
 	}
 }