Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#11418] - [com_banners] User not allowed to core.manage? Use 403 php exception (instead of a 404 JError)

? Success

User tests: Successful: Unsuccessful:

avatar andrepereiradasilva
andrepereiradasilva
3 Aug 2016

Pull Request for Improvement.

Summary of Changes

Replace com_banners exisiting 404 JError for a 403 php exception when the user does not have access to "Access Administration Interface" (core.manage).

Before

image

After

image

Testing Instructions

  1. Use latest staging
  2. Create a user and add it to "Administrator" group
  3. Go to com_banners and set "Access Administration Interface" (core.manage) to "Denied" for "Administrator" group
  4. Login with the Administrator user in a private window and go to /administrator/index.php?option=com_banners
  5. See the red message (Before)
  6. Apply patch
  7. Repeat step 4, you'll see now a 403 error (After).

If this change is ok i can do it for the other components that uses JError here.

avatar joomla-cms-bot joomla-cms-bot - change - 3 Aug 2016
Category Administration Components
avatar andrepereiradasilva andrepereiradasilva - open - 3 Aug 2016
avatar andrepereiradasilva andrepereiradasilva - change - 3 Aug 2016
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 3 Aug 2016
Labels Added: ?
avatar andrepereiradasilva andrepereiradasilva - change - 3 Aug 2016
The description was changed
avatar andrepereiradasilva andrepereiradasilva - edited - 3 Aug 2016
avatar andrepereiradasilva andrepereiradasilva - change - 3 Aug 2016
Title
[com_banners] User not allowed to core.manage? Use 403 php exception (instead of jerror 404)
[com_banners] User not allowed to core.manage? Use 403 php exception (instead of a 404 JError)
avatar andrepereiradasilva andrepereiradasilva - edited - 3 Aug 2016
avatar mbabker
mbabker - comment - 3 Aug 2016

I'd prefer a more specific Exception class but +1 on the idea.

avatar andrepereiradasilva
andrepereiradasilva - comment - 3 Aug 2016

yes i would prefer to, but can you hint on how to add a specific exception like NotAllowedException?

avatar mbabker
mbabker - comment - 3 Aug 2016

Well, if there isn't something in the standard SPL exceptions, just add a custom class like we have in the database API.

avatar andrepereiradasilva
andrepereiradasilva - comment - 3 Aug 2016

hum, doesn't seem to be any http://php.net/manual/en/spl.exceptions.php

avatar tomartailored tomartailored - test_item - 4 Aug 2016 - Tested successfully
avatar tomartailored
tomartailored - comment - 4 Aug 2016

I have tested this item successfully on 0cded66

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11418.

avatar 1apweb 1apweb - test_item - 4 Aug 2016 - Tested successfully
avatar 1apweb
1apweb - comment - 4 Aug 2016

I have tested this item successfully on 0cded66

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11418.

avatar truptikagathara truptikagathara - test_item - 10 Aug 2016 - Tested successfully
avatar truptikagathara
truptikagathara - comment - 10 Aug 2016

I have tested this item successfully on 0cded66

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11418.

avatar jeckodevelopment jeckodevelopment - change - 13 Aug 2016
Status Pending Ready to Commit
avatar jeckodevelopment
jeckodevelopment - comment - 13 Aug 2016

RTC please

This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11418.

avatar joomla-cms-bot joomla-cms-bot - change - 13 Aug 2016
Labels Added: ?
avatar rdeutz rdeutz - change - 14 Aug 2016
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2016-08-14 16:00:56
Closed_By rdeutz
avatar rdeutz rdeutz - close - 14 Aug 2016
avatar rdeutz rdeutz - merge - 14 Aug 2016
avatar joomla-cms-bot joomla-cms-bot - close - 14 Aug 2016
avatar joomla-cms-bot joomla-cms-bot - change - 14 Aug 2016
Labels Removed: ?
avatar rdeutz
rdeutz - comment - 14 Aug 2016

I would like to see a nicer error message, this one looks very technical. I also think to have some custom exceptions would be great. Merging it anyway because this is the way to go

avatar andrepereiradasilva
andrepereiradasilva - comment - 14 Aug 2016

@rdeutz i will change to a custom exception when this #11593 gets merged

avatar jeckodevelopment
jeckodevelopment - comment - 14 Aug 2016

what about:

You are not allowed to access this resource. Please contact your website administrator in order to get access to this resource.

or

You are not allowed to access this resource. Your website administrator can give you access to this resource just changing permissions.

avatar andrepereiradasilva
andrepereiradasilva - comment - 14 Aug 2016

people that is a language change nothing to do with this PR which porpose is to change the error to an exception.
Please make a PR for changing JERROR_ALERTNOAUTHOR if you feel the need.

Add a Comment

Login with GitHub to post a comment