[#11608] - Not allowed to core.manage? Use 403 exception (for remaning components)
- Fixed in Code Base
- 15 Aug 2016
- Medium
- Build: staging
- # 11608
- Diff
- andrepereiradasilva:403-exceptions
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Pending JTracker/HumanTestResults Human Test Results: 1 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Pull Request for Improvement.
Summary of Changes
This PR is the sequence of #11593.
Replace all remaining administrator components existing 404 JError for a 403 php exception (JAccessExceptionNotallowed) when the user does not have access to "Access Administration Interface" (core.manage).
Before
After
Testing Instructions
- Use latest staging
- Apply patch
- Create a user and add it to "Manager" group
- Go to to all components and set "Access Administration Interface" (core.manage) to "Denied" for "Manager" group in all remaning components (com_content, com_banners, com_contact, com_media, com_newsfeeds, com_search and com_finder)
- Try to access the following URL, you should see 403 errors now:
/administrator/index.php?option=com_banners
/administrator/index.php?option=com_cache
/administrator/index.php?option=com_categories
/administrator/index.php?option=com_categories&extention=com_content
/administrator/index.php?option=com_checkin
/administrator/index.php?option=com_contact
/administrator/index.php?option=com_content
/administrator/index.php?option=com_contenthistory&view=history (this one will give a layout not definied error)
/administrator/index.php?option=com_finder
/administrator/index.php?option=com_installer
/administrator/index.php?option=com_joomlaupdate
/administrator/index.php?option=com_languages
/administrator/index.php?option=com_media
/administrator/index.php?option=com_menus
/administrator/index.php?option=com_messages
/administrator/index.php?option=com_modules
/administrator/index.php?option=com_newsfeeds
/administrator/index.php?option=com_plugins
/administrator/index.php?option=com_redirect
/administrator/index.php?option=com_search
/administrator/index.php?option=com_tags
/administrator/index.php?option=com_templates
/administrator/index.php?option=com_users
- Code review.
Note the other admin components (com_admin, com_ajax, com_cpanel, com_postinstall) doesn't use this or already use exceptions.
Didn't touch com_config. This one needs another PR.
Documentation Changes Required
None.
joomla-cms-bot
- | Category | ⇒ | Administration Components Media Manager Tags |
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
|
||
ok. i understand, so what do you recomend then?
Add a new JAccessExceptionNotallowed exception?
I think so - and thinking about it maybe extend the controller exception from that?
| Category | Administration Components Media Manager Tags | ⇒ | Administration Components Media Manager Tags Libraries |
ok done.
Removed the JControllerExceptionNotAllowed since it doesn't make sense now (it was added yesterday so no B/C break)
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11608.
Works as expected.
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-08-15 22:42:25 |
| Closed_By | ⇒ | wilsonge |
OK so I'm going to be super nasty about this. I think this needs a different exception class - this is not an exception thrown in the controller therefore in my opinion
JControllerExceptionNotallowedis the wrong exception to be used here