AlexRed
7 Oct 2016


Steps to reproduce the issue

Use "page break" button in frontend with an "Author" user

Expected result

"Author" user can insert a Page Break

Actual result

Warning
You are not authorised to view this resource.

System information (as much as possible)

In Joomla 3.6.2 and also in Joomla 3.6.3Rc2

AlexRed - open - 7 Oct 2016
zero-24 - change - 7 Oct 2016
The description was changed
zero-24 - edited - 7 Oct 2016

infograf768 - comment - 7 Oct 2016

Looks like the permissions are only set to edit and not create.

if ($input->get('view') === 'article' && $input->get('layout') === 'pagebreak')
{
    if (!$user->authorise('core.edit', 'com_content'))
    {
        JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');

        return;
    }
}

That should be easy to correct

AlexRed - comment - 7 Oct 2016

the problem is also for "Article" button in the editor

infograf768 - comment - 7 Oct 2016

yes

elseif ($input->get('view') === 'articles' && $input->get('layout') === 'modal')
{
    if (!$user->authorise('core.edit', 'com_content'))
    {
        JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');

        return;
    }
}

in the same file
ROOT/components/com_content/content.php

infograf768 - comment - 7 Oct 2016

You do PR or I do?

infograf768 - comment - 7 Oct 2016

hmm, wondering now if that was on purpose...
Did it work OK before 3.6.2?

infograf768 - comment - 7 Oct 2016

This code was added in 3.4.5
dca641f#diff-35390bcd97e9f612d6fc06ea874aa22a

infograf768 - comment - 7 Oct 2016

@wilsonge
As you did that commit, could you give us some info?

andrepereiradasilva - comment - 7 Oct 2016

I think it should be like this:

  • allowed to core.edit and item id different than 0: Allowed
  • allowed to core.edit.own, item created by user and item id different than 0: Allowed
  • allowed to core.create and item id equal to 0: Allowed
  • else: Not allowed

and IMHO this should be applied to all components with modals.

But it's better for @wilsonge to confirm there is no problem with that.

Also the warning should IMHO be a 403 exception

throw new JAccessExceptionNotallowed(JText::_('JERROR_ALERTNOAUTHOR'), 403);

infograf768 - comment - 7 Oct 2016

For your info, that code was added for security reasons at the time.
One of the issues with letting people display the modals with Create or Edit own only is that they will be able to see in the modals titles of stuff they may not be allowed to see (access restricted): Articles, menu items, contacts.
For pagebreak, indeed, no use imho to restrict to edit.
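
The rule andrepereiradasilva proposes above, written out as an added example that is not part of the thread or of Joomla's code. The function name `canOpenEditorModal`, the `$can` callable (a stand-in for `$user->authorise($action, 'com_content')`) and the sample permission sets are assumptions made for illustration.

```php
<?php
// Added example: pure-PHP sketch of the proposed rule, runnable without Joomla.
// $can is a hypothetical stand-in for JUser::authorise($action, 'com_content').

function canOpenEditorModal(callable $can, int $userId, int $itemId, ?int $createdBy): bool
{
    if ($itemId === 0) {
        // New item: only the create permission is relevant.
        return $can('core.create');
    }
    if ($can('core.edit')) {
        // Existing item and a general edit permission.
        return true;
    }
    // Existing item: edit.own counts only when the user created the item.
    return $can('core.edit.own') && $createdBy === $userId;
}

// Constructed permission sets for three sample users.
$author     = ['core.create', 'core.edit.own'];
$editor     = ['core.create', 'core.edit.own', 'core.edit'];
$registered = [];

$cases = [
    // label, permissions, user id, item id (0 = new), created_by
    ['Author, new article',            $author,     42, 0, null],
    ['Author, own article',            $author,     42, 7, 42],
    ["Author, someone else's article", $author,     42, 8, 99],
    ["Editor, someone else's article", $editor,     43, 8, 99],
    ['Registered, new article',        $registered, 44, 0, null],
];

foreach ($cases as [$label, $perms, $uid, $itemId, $createdBy]) {
    $can = function (string $action) use ($perms): bool {
        return in_array($action, $perms, true);
    };
    $ok = canOpenEditorModal($can, $uid, $itemId, $createdBy);
    // The thread suggests a 403 exception rather than a warning on denial.
    printf("%-32s %s\n", $label, $ok ? 'allowed' : '403 not allowed');
}
```

This only decides whether the modal may open. It does not filter which titles a list modal shows, which is the access-level concern infograf768 raises for the articles modal.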

ggppdk - comment - 7 Oct 2016

> For pagebreak, indeed, no use imho to restrict to edit.

Yes, and this issue is a kind of duplicate.

There is already a discussion here: #10653

Please see my comment: #10653 (comment)

infograf768 - comment - 8 Oct 2016

Please see also
#12321 (comment)

infograf768 - comment - 8 Oct 2016

See PR here
#12353

brianteeman - comment - 9 Oct 2016

Closed as we have a PR - thanks


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12338.

brianteeman - change - 9 Oct 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-10-09 09:24:33
Closed_By: brianteeman
brianteeman - close - 9 Oct 2016
