[#11466] - ACL edit.own does not work for Contacts and Newsfeeds
- Closed
- 7 Aug 2016
- Medium
- Build: master
- # 11466
Not related to recent releases afaik.
For Newsfeeds, it is clear. We do not even take care of created_by in the newsfeeds model getListQuery() method. This should be implemented from scratch.
But for Contacts, I was hoping it would work.
Test instructions:
Create a sub-group of Manager with the following permissions for Contacts:
Access admin interface YES
Create YES
Delete NO
EDIT NO
EDIT STATE YES or NO
EDIT OWN YES
Log in back-end with a user member of that group
In Contacts Manager, create a new contact (You may not have permission to assign it to a user, but this is unrelated).
Save and Close that contact.
The contact is clickable in the Manager (Here the clickable one was created by this user)
Result of click to edit:
NOTE: It works fine for Articles with the same set of permissions. Did not test others.
| Category | ⇒ | ACL Administration Components |
Yes, confirmed, tested and code review, edit not possible despite
the user both having core.edit.own on category and owning the contact record
Looks like we need new permissions in the access.xml and changes in the controller for allowEdit() as it only takes care of category edit.
For newsfeeds, all code is missing. As well for weblinks.
Again in this case, it is not a security issue (it is not because the ACL check on core.edit of category asset forces a return ! if category id is non zero), but a usability issue,
- the owners should be allowed to edit the records, if having core.edit.own, but this is not checked
I can see why this was not added, it is because
- contacts, newsfeed, weblinks do not have individual assets
Thus you need core.edit.own checking that is a little different than e.g. articles
1. Check core.edit.own on their category (instead of the contact, weblink, newsfeed record)
2. Check owner (created_by property==current_user_id) as they do have this property
Should be something like:
$recordId = (int) isset($data[$key]) ? $data[$key] : 0;
// New record (id:0) only in this case fallback to component permissions !!
if (!$recordId)
{
parent::allowEdit($data, $key);
}
// Need to do a lookup from the model.
$record = $this->getModel()->getItem($recordId);
// Not found or empty category
if (!$record || empty($record->catid))
{
return false;
}
$categoryId = $record->catid;
// First test if having core.edit on the record's category
// If individual asset is added in the future then we need to check on the record asset itself)
if ($user->authorise('core.edit', $this->option . '.category.' . $categoryId))
{
return true;
}
// Not having core.edit, test core.edit.own on the category (again because no individual asset)
if ($user->authorise('core.edit.own', $this->option . '.category.' . $categoryId))
{
// If the owner matches 'me' then permission is granted.
return $record->created_by == JFactory::getUser()->id;
}
return false;
brianteeman
- | Labels |
Added:
?
|
||
I did not say it was a security issue. If it had been I would not have posted here.
I discovered these issues while working on the multilingual GSOC project
your code does not work here.
your code does not work here.
yes you are right,
(but i did contribute some time to test the issue and propose code)
someone should take time to make a PR and then answer it, update it, etc etc .... and it will work, (it may need some small corrections)
i can do next days, (since this is not urgent and there are 3 controllers to patch), otherwise someone else can take time to do it now
for newsfeeds, needs more work as even created_by is not fetched...
See the code above
Propably all of the code is same in all controllers:
This gets a model instance to get the owner id
// Need to do a lookup from the model.
$record = $this->getModel()->getItem($recordId);
if (empty($record))
{
return false;
}
$ownerId = $record->created_by;
I am not sure (without testing) but we speak of the
allowEdit() method
of the singular controllers:
components\com_contacts\controllers\contact.php
components\com_newsfeeds\controllers\newsfeed.php
components\com_weblinks\controllers\weblink.php
I think
$record = $this->getModel()->getItem($recordId);
will use models:
components\com_contacts\models\contact.php
components\com_newsfeeds\models\newsfeed.php
components\com_weblinks\models\weblink.php
that already retrieve the created_by property ?
without a correction in the model, we also get errors in the manager
without a correction in the model, we also get errors in the manager
aaa yes you are right we need to get the created_by property to be retrieved by these plural models,
- for usage in "canEdit" calculation inside default.php of the backend lists
i see it is incomplete too only checking core.edit
$canEdit = $user->authorise('core.edit', 'com_newsfeeds.category.' . $item->catid);
should be:
$canEdit = $user->authorise('core.edit', 'com_newsfeeds.category.' . $item->catid) ||
(
$user->authorise('core.edit.edit', 'com_newsfeeds.category.' . $item->catid) &&
$item->created_by==$user->id
);
I suggest, if you can help, to solve the issue first with com_contacts with a specific PR (or first propose a .diff here).
Then it should be easy to go all over newsfeeds and implement it wherever needed.
Ok, this seems straghtforward, I will do today 1 PR for the 3 controllers and the 3 listing templates (i will update plurar models too), i think it will be much more time to test this that to code it)), since what needs to be done was discussed here
weblinks PR joomla-extensions/weblinks#255
cam be closed as there are 3 PR to test: #11502 | #11503 | joomla-extensions/weblinks#255
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-07 05:38:10 |
| Closed_By | ⇒ | infograf768 |
Closed as we have PRs
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11466.
@ggppdk
Can you confirm?