
roland-d - 9 Jun 2016

Related to #10763

Summary of Changes

A user with permission to make ACL changes is denied access because the check is incomplete. A user who is part of the Administrator group, or a child thereof, can log in and edit the permissions in Articles, for example. However, when this user tries that, access is denied, because the access check is only done on the global level, not on the actual component level.

Testing Instructions

  1. Log in with a user that is part of the Administrator group or a subgroup of it
  2. Go to Content -> Articles
  3. Click on the Options button
  4. Click on the Permission tab
  5. Try to change a permission; there will be no visible answer from the server (unless #10763 is applied)
  6. Apply the patch
  7. Change a permission
  8. The permission is now changed

A little help from my friends @andrepereiradasilva and @infograf768

roland-d - open - 9 Jun 2016
roland-d - change - 9 Jun 2016
Status: New → Pending
roland-d - change - 9 Jun 2016
Milestone Added:
joomla-cms-bot - change - 9 Jun 2016
Labels Added: ?
infograf768 - comment - 9 Jun 2016

@roland-d
Although this works fine, it lets a user change the permissions of his own group.

infograf768 - comment - 9 Jun 2016

It also lets a user change the permissions of his parent group.

brianteeman - change - 9 Jun 2016
Category: ACL
infograf768 - change - 9 Jun 2016
Priority: Medium → Critical
brianteeman - comment - 10 Jun 2016

@infograf768 I think a user should be able to change permissions of their own group ONLY if it is to a more restrictive setting but definitely not to give them access to something that was previously denied. They definitely should not be able to change permissions of parents - that would defeat the objective of an ACL system.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10764.

infograf768 - comment - 10 Jun 2016

@brianteeman

I think a user should be able to change permissions of their own group ONLY if it is to a more restrictive setting but definitely not to give them access to something that was previously denied.

If you have multiple users in the same group, one of these could decide on a change that would apply not only to himself but to all members of that group. This should only, imho, be the privilege of the Parent Group (with ACL access) or a superuser.

We also have another bug which is a security problem and I will create an issue for it:

A member of a subgroup of administrator (with access to user manager) with less permissions than the administrator group can make himself administrator when editing himself in Users Manage....
See #10775
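
The two points raised so far (the component-level check missing from the PR description above, and the own-group/parent-group concern in the comments) can be seen together in a small model. The following is an added example, not Joomla's code and not the code in this pull request: the asset tree, group tree, rule table, group names and the `authorise`/`may_change_group_rule` helpers are all constructed here for illustration, and the merge semantics are a simplification of Joomla's (rules inherit from parent assets, an explicit deny is never overridden, a user carries the identities of all ancestor groups).

```python
"""Toy model of a Joomla-style ACL (added illustration, not Joomla's code)."""
from typing import Dict, Iterable, Optional

# Constructed asset tree (child -> parent): the global asset and two components.
ASSET_PARENT = {"root.1": None, "com_content": "root.1", "com_users": "root.1"}

# Constructed group tree (child -> parent). "Content Admins" is a child of Administrator.
GROUP_PARENT = {
    "Public": None,
    "Manager": "Public",
    "Administrator": "Manager",
    "Super Users": "Administrator",
    "Content Admins": "Administrator",
}

# Constructed rules: asset -> action -> group -> allow (True) / deny (False).
# Super Users hold core.admin globally; Content Admins hold it only on com_content.
RULES = {
    "root.1": {"core.admin": {"Super Users": True}},
    "com_content": {"core.admin": {"Content Admins": True}},
}


def ancestors(node: Optional[str], parents: Dict[str, Optional[str]]) -> list:
    """Return `node` and all of its ancestors, leaf first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = parents[node]
    return chain


def effective_rules(asset: Optional[str], action: str) -> Dict[str, bool]:
    """Merge rules from the root asset down to `asset`.

    A child asset may add an allow for a group that has none, but an explicit
    deny set higher up is never overridden (simplified Joomla semantics)."""
    merged: Dict[str, bool] = {}
    for a in reversed(ancestors(asset or "root.1", ASSET_PARENT)):
        for group, allow in RULES.get(a, {}).get(action, {}).items():
            if merged.get(group) is False:
                continue
            merged[group] = allow
    return merged


def authorise(user_groups: Iterable[str], action: str, asset: Optional[str] = None) -> bool:
    """Allowed if some identity (the user's groups or their ancestors) is allowed
    and no identity is explicitly denied. No rule at all means denied."""
    identities = {g for ug in user_groups for g in ancestors(ug, GROUP_PARENT)}
    rules = effective_rules(asset, action)
    verdicts = [rules[g] for g in identities if g in rules]
    if False in verdicts:
        return False
    return True in verdicts


def can_edit_permissions_before(user_groups: Iterable[str], component: str) -> bool:
    """The incomplete check described in the PR: only the global asset is consulted,
    so the component argument is ignored."""
    return authorise(user_groups, "core.admin")


def can_edit_permissions_after(user_groups: Iterable[str], component: str) -> bool:
    """Check core.admin on the component asset; global rules still apply through
    asset inheritance, so a global admin is not locked out."""
    return authorise(user_groups, "core.admin", component)


def may_change_group_rule(user_groups: Iterable[str], target_group: str) -> bool:
    """Guard sketched from the comments (assumed policy, not the project's): a user
    may not edit the rules of their own group or of any parent of it."""
    protected = {g for ug in user_groups for g in ancestors(ug, GROUP_PARENT)}
    return target_group not in protected


if __name__ == "__main__":
    admins = ["Content Admins"]
    print("before fix, com_content:", can_edit_permissions_before(admins, "com_content"))
    print("after fix,  com_content:", can_edit_permissions_after(admins, "com_content"))
    print("after fix,  com_users:  ", can_edit_permissions_after(admins, "com_users"))
    print("edit own group rule:    ", may_change_group_rule(admins, "Content Admins"))
    print("edit parent group rule: ", may_change_group_rule(admins, "Administrator"))
```

With these constructed rules the "Content Admins" user is refused by the global-only check and admitted by the component-level check for com_content, while still being refused for com_users, which is the behaviour the testing instructions describe. The last helper is one way to express the concern in the comments: with it, the same user can edit neither their own group's rules nor those of Administrator, Manager or Public, whereas a Super User may edit the Content Admins rules.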

infograf768 - comment - 10 Jun 2016

I will propose a patch.

infograf768 - comment - 10 Jun 2016

@brianteeman
Can you set this one as release blocker? At least until it is completed or replaced by andrepereiradasilva#53 which would anyway also be a release blocker until completed.

andrepereiradasilva - comment - 11 Jun 2016

@roland-d this should also be solved in #10793

infograf768 - comment - 12 Jun 2016

@roland-d
I suggest closing this one in favour of #10793 (which needs tests).

roland-d - change - 12 Jun 2016
Status: Pending → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-06-12 07:55:45
Closed_By: roland-d
roland-d - close - 12 Jun 2016
