Pull Request for Issue #11154.
Add com_tags core.create ACL check in tags fields.
Log in with that user and try to edit an article and try to add a new tag. You can.
Apply patch
Note: try in the frontend and backend
Status | New | ⇒ | Pending |
@ggppdk did you test?
In the frontend new article view (you can create a menu item of new article type to go to that form) you have the ability to select/create tags.
But if the user does not have permissions to create tags how can it be allowed to create tags?
The user can still select existing tags.
Please test
I am sorry, I think I misread the original issue report, thinking he meant tag assignments and tag creation both
the user is still able to create and send successful completion of the article with the tags added.
and I thought you wanted to prevent tag assignments, my mistake, but I see that the title of the issue is more clear
Tested, yes, you are right, it works (almost)
If someone manipulates the select element then they can still create tags, since you would need to also add server-side validation (I can still create tags by editing the select element directly) and adding:
<option value="#new#form_tampered2" selected="selected">form_tampered2</option>
So this PR works but needs 1 more server-side check,
probably in (or in methods calling it):
JHelperTags::createTagsFromField()
Maybe the server-side check should not be in:
JHelperTags::createTagsFromField()
The check should be at the same place where $form->validate() is called?
libraries\legacy\controller\form.php
Anyway, someone should say the best place for this,
still the easiest and quickest thing is to put the check in:
JHelperTags::createTagsFromField()
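The server-side check discussed above, as an added example that is not part of the thread and not Joomla's own code: `filterSubmittedTags()` and `$canCreate` are hypothetical names, and the assumption that existing tags are submitted as numeric ids is mine. In Joomla the flag would come from the `core.create` check on `com_tags`.

```php
<?php
// Added example, not Joomla code. filterSubmittedTags() and $canCreate are
// hypothetical; $canCreate stands for the user's core.create result on com_tags.

/**
 * Split submitted tag-field values into existing tag ids and new tag titles.
 * New titles are rejected when the user lacks create permission, regardless
 * of what the form rendered in the browser.
 */
function filterSubmittedTags(array $submitted, bool $canCreate): array
{
    $result = ['existing' => [], 'create' => [], 'rejected' => []];

    foreach ($submitted as $value) {
        $value = trim((string) $value);

        if (strpos($value, '#new#') === 0) {
            $title = trim(substr($value, strlen('#new#')));

            if ($title === '') {
                continue; // empty title, nothing to create
            }

            // Hiding the "create" UI does not stop a request from carrying
            // "#new#" values, so the decision is made here on the server.
            $result[$canCreate ? 'create' : 'rejected'][] = $title;
        } elseif (ctype_digit($value)) {
            $result['existing'][] = (int) $value; // assumed: existing tags arrive as ids
        }
        // Anything else is neither an id nor a "#new#" entry and is dropped.
    }

    return $result;
}

// Constructed sample input: two existing ids plus the tampered option from the thread.
$post = ['3', '#new#form_tampered2', '7'];

$denied = filterSubmittedTags($post, false);
var_dump($denied['existing'] === [3, 7]);              // existing tags still assignable
var_dump($denied['create'] === []);                    // nothing gets created
var_dump($denied['rejected'] === ['form_tampered2']);  // tampered value is caught

$allowed = filterSubmittedTags($post, true);
var_dump($allowed['create'] === ['form_tampered2']);   // permitted user may create
```

Logging the `rejected` list gives a signal that a form was edited by hand, since the unmodified field never offers `#new#` values to a user without create permission.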
OK, so I added server-side validation. Please test.
Also, I don't know the tags component very well, so please check if everything seems OK.
Sure will test tomorrow, someone else may test too by then,
Also, why not update display() of view.html.php for the backend form too?
I mean for the article form, maybe another PR for all other forms
If OK, the server-side part is done in this PR + the new article form (frontend)
Backend forms need to have the same change in another PR IMHO
Category | ⇒ | ACL Tags |
Rel_Number | 0 | ⇒ | 11154 |
Relation Type | ⇒ | Pull Request for |
Actually, thinking about it better, if this is for all tag fields there must be a better way to not allow it in all fields at the same time.
So please don't test until I check that out.
Category | ACL Tags | ⇒ | Libraries ACL |
Updated test instructions to be more clear. Please test.
No volunteers to test?
I have tested this item
User without ACL "create" on tags component, cannot create new tags in the article form
<option value="#new#terrest" selected="selected">terrest</option>
User with ACL "create" on tags component, can create tags in the article form
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC based on testing. Thanks
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-07-30 13:35:09 |
Closed_By | ⇒ | wilsonge |
Tags core.create
If something is to be patched, it is to prevent new tag creation, and not tags usage / tags assignment
Then if someone would want to treat core.create privilege the same way that core.create is used to prevent creation of articles inside a category,
To be honest, the tags feature needs some more work
A much simpler alternative that I would want to suggest is creating 1 more property for tags:
"assign access level" besides the "view access level"
"assign access level" will be used for assigning tags
"view access level" will continue to be used for viewing
The above may seem a strange usage of access levels, but would greatly improve calculation of tags allowed to a user to be assigned