Pull Request for #10212


mahagr - 21 Jun 2016

Pull Request for Issue #10212.

Summary of Changes

By default, if the user hasn't logged in or the session has timed out, Joomla Administrator attempts to call the login view.

Because the login view only exists for HTML, JSON calls fail with a 500 View not found [name, type, prefix]: login, json, loginView error. This is bad, as it prevents JavaScript from detecting the missing permissions and reacting properly to the AJAX response.

The best solution in an ideal world would be not to call com_login and let the component handle the error by itself, but because the changed behaviour would likely cause a huge number of vulnerabilities in 3rd party components, the second best solution is to emulate the component's default behaviour when the user has no access to it.

My proposal is to throw a 403 You are not authorised to view this resource. error instead of a 500. This is the default error message when you are logged in but your user doesn't have the proper admin permissions for the given component. This error message is shown in admin regardless of whether the view/task exists or not.

In addition to JSON, this change changes the behaviour of all non-HTML responses.

More discussion about this issue can be found in Issue #10212.

Testing Instructions

Log out and go to administrator/index.php?option=com_xxx&format=json (GET or POST). Note that the contents of the URL don't matter, as com_login intercepts the call.

In the unpatched version you will get this error:

500 View not found [name, type, prefix]: login, json, loginView

In the patched version the error changes into:

403 You are not authorised to view this resource.

Both errors are handled by the default error page and they are in HTML.

Note: The component and view don't need to exist, as the request gets intercepted by Joomla.
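As an added example (not code from this pull request or from Joomla itself), here is how the admin-side JavaScript the description mentions could tell the patched 403 apart from the unpatched 500. The function and sample names are assumptions, and the sample responses are constructed from the two errors quoted in the testing instructions.

```javascript
// Added example, not the PR's or Joomla's own code. Both error responses are
// HTML rendered by the default error page, so the status must be checked
// before any attempt to JSON.parse the body.

const VIEW_NOT_FOUND = 'View not found [name, type, prefix]: login, json, loginView';
const NOT_AUTHORISED = 'You are not authorised to view this resource.';

// Classify one administrator AJAX response. `res` is a plain object
// ({status, contentType, body}) that a real caller would build from a
// fetch() Response. Returns {kind, data} or {kind, message}.
function interpretAdminResponse(res) {
  const body = res.body || '';
  const isJson = /^application\/json/i.test(res.contentType || '');
  if (res.status === 403) {
    // Patched behaviour: session gone or user lacks permission for the
    // component. The body is an HTML error page, never parse it as JSON.
    return { kind: 'login-required', message: NOT_AUTHORISED };
  }
  if (res.status === 500 && body.includes(VIEW_NOT_FOUND)) {
    // Unpatched behaviour: com_login tried to render a JSON login view.
    // Only the error text reveals that the real cause is a missing session.
    return { kind: 'missing-login-view', message: 'login view not found (unpatched Joomla)' };
  }
  if (res.status === 200 && isJson) {
    try {
      return { kind: 'ok', data: JSON.parse(body) };
    } catch (e) {
      // A 200 whose body is not JSON (e.g. an HTML page) must not be trusted.
      return { kind: 'bad-json', message: e.message };
    }
  }
  return { kind: 'error', message: `HTTP ${res.status}` };
}

// Constructed sample responses mirroring the testing instructions above.
const SAMPLES = {
  unpatched: { status: 500, contentType: 'text/html; charset=utf-8',
    body: `<html><body><h1>500 ${VIEW_NOT_FOUND}</h1></body></html>` },
  patched: { status: 403, contentType: 'text/html; charset=utf-8',
    body: `<html><body><h1>403 ${NOT_AUTHORISED}</h1></body></html>` },
  loggedIn: { status: 200, contentType: 'application/json',
    body: '{"success":true,"data":{"items":[]}}' },
};
```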

mahagr - open - 21 Jun 2016
mahagr - change - 21 Jun 2016
Status: New → Pending
brianteeman - change - 21 Jun 2016
Rel_Number: 0 → 10212
Relation Type: Pull Request for
brianteeman - change - 21 Jun 2016
Category: Administration
crommie - test_item - 25 Jun 2016 - Tested successfully
crommie - comment - 25 Jun 2016

I have tested this item successfully on f2ebd73

404 without patch applied, 403 with patch applied
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10888.

zero-24 - test_item - 25 Jun 2016 - Tested successfully
zero-24 - comment - 25 Jun 2016

I have tested this item successfully on f2ebd73


zero-24 - change - 25 Jun 2016
Status: Pending → Ready to Commit
zero-24 - comment - 25 Jun 2016

RTC


roland-d - change - 25 Jun 2016
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2016-06-25 20:54:15
Closed_By: roland-d
roland-d - close - 25 Jun 2016
roland-d - merge - 25 Jun 2016
joomla-cms-bot - close - 25 Jun 2016
roland-d - reference | a65b686 - 25 Jun 2016
roland-d - merge - 25 Jun 2016
roland-d - close - 25 Jun 2016
roland-d - comment - 25 Jun 2016

Thanks everybody

mahagr - comment - 26 Jun 2016

Thanks! Motivates me to look into contributing other fixes as well. :)
