Pull Request for Issue #10212.
By default, if the user hasn't logged in or the session has timed out, Joomla Administrator attempts to call the login view.
Because the login view only exists for HTML, JSON calls fail with a 500 View not found [name, type, prefix]: login, json, loginView
error. This is bad as it prevents JavaScript from detecting the missing permissions and reacting properly to the AJAX response.
The best solution in an ideal world would be not to call com_login
and let the component handle the error by itself, but because the changed behaviour would likely cause a huge number of vulnerabilities in 3rd party components, the second best solution is to emulate the component's default behaviour when the user has no access to it.
My proposal is to throw a 403 You are not authorised to view this resource.
error instead of 500. This is the default error message when you are logged in but your user doesn't have the proper admin permissions for the given component. This error message is shown in admin regardless of whether the view/task exists or not.
In addition to JSON, this change changes the behaviour of all non-HTML responses.
More discussion about this issue can be found from Issue #10212.
Log out and enter administrator/index.php?option=com_xxx&format=json
(GET or POST). Note that the contents of the URL don't matter as com_login
intercepts the call.
In the unpatched version you will get this error:
500 View not found [name, type, prefix]: login, json, loginView
In the patched version the error changes into:
403 You are not authorised to view this resource.
Both errors are handled by the default error page and they are in HTML.
Note: The component and view don't need to exist as the request gets intercepted by Joomla.
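The reason the status code matters is the AJAX caller. The following is an added example, not code from the Joomla PR or from the project, of a client-side handler that reacts to the two responses described above: a 403 is treated as "re-authenticate", a 500 as a genuine server fault, and because the default error page returns HTML in both cases, the body is only parsed as JSON when the Content-Type says it is JSON. The URL is taken from the test steps above; the fetch responses are constructed fakes so the script runs offline, and requestAdminJson takes the fetch function as a parameter for that reason.

```javascript
// Added example (not Joomla's own code): classify an admin AJAX response so the
// client can tell "session expired / no permission" (403) apart from a real
// server failure (500), without ever JSON-parsing an HTML error page.
function classifyAdminResponse(status, contentType, body) {
  const isJson = /^application\/json\b/i.test(contentType || '');

  if (status === 403) {
    // Patched behaviour: not logged in, session timed out, or no admin permission.
    return { action: 'reauthenticate', data: null };
  }
  if (status >= 500) {
    // Unpatched behaviour: "View not found ... login, json, loginView" arrives
    // as a 500 and cannot be distinguished from a real server fault here.
    return { action: 'server-error', data: null };
  }
  if (status >= 200 && status < 300) {
    if (!isJson) {
      // A 2xx HTML body on a format=json request is not data (typically a
      // login form served in place of it); do not hand it to JSON.parse.
      return { action: 'unexpected-html', data: null };
    }
    try {
      return { action: 'ok', data: JSON.parse(body) };
    } catch (e) {
      return { action: 'bad-json', data: null };
    }
  }
  return { action: 'http-error', data: null };
}

// Wrapper around a fetch-like function. fetchImpl is injected so the example
// runs without a network; a real page would pass window.fetch.
async function requestAdminJson(url, fetchImpl) {
  const res = await fetchImpl(url, { credentials: 'same-origin' });
  const body = await res.text();
  return classifyAdminResponse(res.status, res.headers.get('Content-Type'), body);
}

// Constructed sample responses mirroring the cases described in the PR text.
const SAMPLE_RESPONSES = {
  unpatched: { status: 500, type: 'text/html; charset=utf-8',
               body: '<html><body>View not found [name, type, prefix]: login, json, loginView</body></html>' },
  patched:   { status: 403, type: 'text/html; charset=utf-8',
               body: '<html><body>You are not authorised to view this resource.</body></html>' },
  loggedIn:  { status: 200, type: 'application/json',
               body: '{"success":true,"data":{"items":[1,2,3]}}' },
};

// Build a fake fetch that always answers with one of the constructed responses.
function fakeFetch(which) {
  const r = SAMPLE_RESPONSES[which];
  return async () => ({
    status: r.status,
    headers: { get: (name) => (name.toLowerCase() === 'content-type' ? r.type : null) },
    text: async () => r.body,
  });
}

// URL from the PR's test steps; option=com_xxx need not exist, com_login intercepts it.
const ADMIN_URL = 'administrator/index.php?option=com_xxx&format=json';

async function demo() {
  for (const which of Object.keys(SAMPLE_RESPONSES)) {
    const result = await requestAdminJson(ADMIN_URL, fakeFetch(which));
    console.log(which, '->', result.action);
  }
}
demo();
```

With the unpatched 500 the client can only report a generic failure; with the patched 403 it can prompt for login, which is the behaviour the PR is after. Checking the Content-Type before parsing is what keeps the handler from throwing on the HTML error page in either case.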
Status: New ⇒ Pending
Rel_Number: 0 ⇒ 10212
Relation Type: ⇒ Pull Request for
Category: ⇒ Administration
I have tested this item
Status: Pending ⇒ Ready to Commit
Status: Ready to Commit ⇒ Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 ⇒ 2016-06-25 20:54:15
Closed_By: ⇒ roland-d
Thanks everybody
Thanks! Motivates me to look into contributing other fixes as well. :)
I have tested this item ✅ successfully on f2ebd73
404 without patch applied, 403 with patch applied
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10888.