Fix ACL checks for pagebreak, articles com_content layouts (and their editor XTD buttons) blocking legitimate editors #17854
Merged
07d25fa
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo 5ee5787
Merge branch 'staging' into upstream/staging
LivioCavallo 90f2756
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo 0ac50d1
Merge branch 'staging' into upstream/staging
LivioCavallo 49444b4
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo 043f017
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo d8b5721
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo eb9ce94
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo cbff398
Merge remote-tracking branch 'upstream/staging' into staging
LivioCavallo c855a9b
removed unnecessary ACL checks (pagebreak, article XTD btns & content)
LivioCavallo 86b11f1
ACL check for articles modal view
LivioCavallo 07feb5a
fix typo
LivioCavallo 9fc47ce
fixed edit permission chk and added ACL chks in btns
LivioCavallo 9b44db6
cleaned messages
LivioCavallo File filter
@@ -35,24 +35,37 @@ class PlgButtonPagebreak extends JPlugin | |
*/ | ||
public function onDisplay($name) | ||
{ | ||
$input = JFactory::getApplication()->input; | ||
$user = JFactory::getUser(); | ||
|
||
if ($user->authorise('core.create', 'com_content') | ||
|| $user->authorise('core.edit', 'com_content') | ||
|| $user->authorise('core.edit.own', 'com_content')) | ||
// Can create in any category (component permission) or at least in one category | ||
$canCreateRecords = $user->authorise('core.create', 'com_content') | ||
|| count($user->getAuthorisedCategories('com_content', 'core.create')) > 0; | ||
|
||
// Instead of checking edit on all records, we can use **same** check as the form editing view | ||
$values = (array) JFactory::getApplication()->getUserState('com_content.edit.article.id'); | ||
$isEditingRecords = count($values); | ||
|
||
// This ACL check is probably a double-check (form view already performed checks) | ||
$hasAccess = $canCreateRecords || $isEditingRecords; | ||
if (!$hasAccess) | ||
{ | ||
JFactory::getDocument()->addScriptOptions('xtd-pagebreak', array('editor' => $name)); | ||
$link = 'index.php?option=com_content&view=article&layout=pagebreak&tmpl=component&e_name=' . $name; | ||
|
||
$button = new JObject; | ||
$button->modal = true; | ||
$button->class = 'btn'; | ||
$button->link = $link; | ||
$button->text = JText::_('PLG_EDITORSXTD_PAGEBREAK_BUTTON_PAGEBREAK'); | ||
$button->name = 'copy'; | ||
$button->options = "{handler: 'iframe', size: {x: 500, y: 300}}"; | ||
|
||
return $button; | ||
JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning'); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same here, this message should be removed, only execute return |
||
|
||
return; | ||
} | ||
|
||
JFactory::getDocument()->addScriptOptions('xtd-pagebreak', array('editor' => $name)); | ||
$link = 'index.php?option=com_content&view=article&layout=pagebreak&tmpl=component&e_name=' . $name; | ||
|
||
$button = new JObject; | ||
$button->modal = true; | ||
$button->class = 'btn'; | ||
$button->link = $link; | ||
$button->text = JText::_('PLG_EDITORSXTD_PAGEBREAK_BUTTON_PAGEBREAK'); | ||
$button->name = 'copy'; | ||
$button->options = "{handler: 'iframe', size: {x: 500, y: 300}}"; | ||
|
||
return $button; | ||
} | ||
} |
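Review bot: The `$isEditingRecords` half of the new `$hasAccess` gate is not an authorisation check — it reads `com_content.edit.article.id` from the session user state and treats any non-empty value as permission, so it only holds if the form view that populated that state already verified `core.edit`/`core.edit.own`, which the comment above it only says is "probably" the case. Because `onDisplay` merely decides whether the button is rendered, the enforceable control has to sit on the `layout=pagebreak` request that the button links to, and that handler is outside this file; the comment should say so instead of hedging, e.g. `// Not an ACL check: relies on the form view having verified edit rights before setting this state; the pagebreak layout must re-check on request.` As a style point, `$isEditingRecords = count($values);` stores an int where `$canCreateRecords` is a bool — `$isEditingRecords = count($values) > 0;` keeps the two flags symmetric. The enclosing class header is outside the hunk.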
Please do not enqueue a message here; only execute return.
Enqueueing a no access message should only be added when viewing the layout