[#11290] - Prevent misuse of show_noauth param when fulltext is empty
- Fixed in Code Base
- 8 Feb 2017
- Medium
- Build: staging
- # 11290
- Diff
- ggppdk:patch-15
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success JTracker/HumanTestResults Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Pull Request for Issue #11285
Summary of Changes
Natural place to fix this is at the view.html.php that has a similar but incomplete check
Testing Instructions
STEP 1: Verify bug
- Enable "Show unauthorized links" (e.g. globally for articles component)
- Set an article to non-public access e.g. 'Registered', and make sure that the article does not have read-more
- Visit the article view as GUEST and confirm that the all article text is showing
STEP 2: Test fix: Redirect guests to login
4. Apply the patch and visit the article view again, you should redirected to login
5. Login as a "registered" user
6. Visit article, you should be able to view the article
STEP 3: Test fix: If logged user still did not gain access after login then a no access message work for logged users too
7. Edit article and set access to special
8. Visit article as "plain" registered users, you should get a 403 error
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End Components |
| Labels |
Added:
?
|
||
| Category | Front End Components | ⇒ | ACL Components Front End |
| Rel_Number | 0 | ⇒ | 11285 |
| Relation Type | ⇒ | Pull Request for |
ok for single article URL, but not for category blog view
I have corrected code styling issues,
About :
ok for single article URL, but not for category blog view
that can be a different PR ?
(1) Issue verified.
(2) After applying patch, visiting article redirects to login page with redirect back link to article.
(3) Shows 403 error when accessing article by "registered" user when article have only "special" access allowed. This is when I visit single article menu item but visiting article by clicking from "Latest Articles" it only shows "Log Out" button instead of 403 error. See screen-shot:
(4) Article still visible from category blog layout. Another case is when we visit any public article without login and we click on category name from this article breadcrumb, all articles gets visible though one allowed to registered user only.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11290.
(3) Shows 403 error when accessing article by "registered" user when article have only "special" access allowed. This is when I visit single article menu item
The 403 is the desired thing since there is no fulltext, so we are good here
(3) ... but visiting article by clicking from "Latest Articles" it only shows "Log Out" button instead of 403 error.
going to login screen should only happen if user is guest (i need to check this !), i am using:
if ($this->user->get('guest'))
(4) Article still visible from category blog layout
of course it is shown
- you have show non-authorized ON,
- and it should show in all listings too
the purpose is to limit information displayed of it and do not display fulltext anywhere
Question so does the blog layout show fulltext ?
if it does it is another bug / issue that needs to be fixed
@ggppdk Yes, showing full text of article in category layouts.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11290.
@ggppdk Yes, showing full text of article in category layouts.
hhmm i think i can update this PR for this case too,
still it works correctly, if you have introtext (as you are supposed to do)
Also someone needs to update language string of the parameter:
It has none info about the fact that articles need to have an intro text
This PR should be still be a valid fix, but it fixes only article view
it does not fix similar case in category view (have not updated this PR to include category view)
I have tested this item
1. Bug verified: Article without Read more and Access Registered all Article Text is shown in Article View.
2. Applied Patch got redirected to login. Logged in as registered User Article shows full Text.
3. After Article-Access set to Special and logged in as registered User got Error: You are not authorised to view this resource.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11290.
tested successfully, however the Messages differ from each other:
One time it´s a message and one time it´s an Error.
I think at the login redirect it should be a message like "You have to login to have access to the ressource"
I have tested this item
See my comments to the test
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11290.
| Milestone |
Added: |
||
| Status | Pending | ⇒ | Ready to Commit |
| Milestone |
Removed: |
||
| Status | Ready to Commit | ⇒ | Pending |
| Category | Front End Components ACL | ⇒ | Front End com_content Components ACL |
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/11290.
rdeutz
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-02-08 14:03:08 |
| Closed_By | ⇒ | rdeutz | |
| Labels |
Added:
?
|
||
Can you take a look at the codestyle issues please