Fixed frontend module editing permissions. #30778
Merged
Version: Joomla! 3.x
In #6113, the permission check for editing a module in the frontend was changed from "return an error if the user is not allowed to edit this module OR is not allowed to edit any module" to "return an error if the user is not allowed to edit this module AND is not allowed to edit any module". The intention was to allow users to edit a single module even if they lack the general permission to edit modules in the frontend.
However, this introduces a problem for the inverse case: a user who may generally edit frontend modules but should not be allowed to edit one particular module. For this case, the "OR" construction worked and the "AND" construction does not.
Summary of Changes
I suggest getting rid of the check of the general permission. If there are no permission rules for the particular module, Joomla's ACL has an automatic fallback to the general permissions for frontend module editing, so I don't see any need to check both rules. Please correct me if I'm mistaken!
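To make the three variants concrete, the following is an added toy model (not Joomla's ACL code and not part of this PR) with made-up groups, module ids and rules. An explicit rule on a module asset wins; without one, the general "edit frontend modules" permission is inherited. The three `allowed_*` functions encode the check before #6113 (OR), after #6113 (AND), and the asset-only check this PR proposes, so the two problem cases described above can be compared side by side.

```python
from typing import Dict, Optional

# Constructed toy model of per-module permission rules with automatic
# fallback to the general "edit frontend modules" permission.
# Groups, module ids and rules are made up for illustration.

GENERAL_EDIT: Dict[str, bool] = {
    "editors": True,      # may edit frontend modules in general
    "restricted": False,  # has no general edit permission
}

# Explicit rules on individual module assets: module id -> {group -> allow?}
MODULE_RULES: Dict[str, Dict[str, bool]] = {
    "mod_login": {"editors": False},   # generally allowed, but denied on this module
    "mod_menu": {"restricted": True},  # generally denied, but allowed on this module
    # "mod_other" has no explicit rule, so the general permission applies
}


def may_edit_any(group: str) -> bool:
    """General permission: may this group edit frontend modules at all?"""
    return GENERAL_EDIT.get(group, False)


def may_edit_module(group: str, module_id: str) -> bool:
    """Asset-level check with fallback: an explicit rule on the module wins;
    without one, the general permission is inherited."""
    explicit: Optional[bool] = MODULE_RULES.get(module_id, {}).get(group)
    if explicit is not None:
        return explicit
    return may_edit_any(group)


def allowed_or_check(group: str, module_id: str) -> bool:
    """Before #6113: error if denied on this module OR denied in general."""
    return not (not may_edit_module(group, module_id) or not may_edit_any(group))


def allowed_and_check(group: str, module_id: str) -> bool:
    """After #6113: error only if denied on this module AND denied in general."""
    return not (not may_edit_module(group, module_id) and not may_edit_any(group))


def allowed_asset_only(group: str, module_id: str) -> bool:
    """This PR's proposal: rely on the asset check, which already falls back."""
    return may_edit_module(group, module_id)


def compare(group: str, module_id: str) -> Dict[str, bool]:
    """Outcome of all three strategies for one group/module pair."""
    return {
        "or": allowed_or_check(group, module_id),
        "and": allowed_and_check(group, module_id),
        "asset_only": allowed_asset_only(group, module_id),
    }


if __name__ == "__main__":
    for group, module_id in [
        ("editors", "mod_login"),    # generally allowed, denied on one module
        ("restricted", "mod_menu"),  # generally denied, allowed on one module
        ("editors", "mod_other"),    # no explicit rule: falls back to general
        ("restricted", "mod_other"),
    ]:
        print(f"{group:>10} / {module_id:<9} -> {compare(group, module_id)}")
```

The "editors / mod_login" row is the case this PR is about: the OR check and the asset-only check both deny, while the AND check lets the edit through. The "restricted / mod_menu" row is the case #6113 fixed: only the OR check denies there. The asset-only check gives the intended answer in both rows because the fallback to the general permission is already built into the asset check.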
Testing Instructions
For the frontend steps, you need a user who is not a "Super Administrator" but is in another user group, for example "Administrator". For the backend steps, use your "Super Administrator" account or at least an account that has the permission to edit permissions.
Actual result BEFORE applying this Pull Request
Although you shouldn't be allowed to do this, you can edit the module in step 8.
Expected result AFTER applying this Pull Request
Step 8 should result in a "You are not allowed to view this resource" error. All other steps should still work as before (i.e. follow the ACL permissions).
Documentation Changes Required
None