Pull Request for Issue #12353 (comment)
Adding back checks to prevent unwanted access to details from non-authors.
Status | New | ⇒ | Pending |
Category | ⇒ | Front End Components Plugins |
The check is right, it should just be in components/com_modules/modules.php.
On it
Done. Please test asap and mark results on issues.joomla.org
I have tested this item
The sec issue still exists.
go to the login screen
see the html code for the token
use this URL: http://example.org/index.php?option=com_modules&view=modules&layout=modal&tmpl=component&editor=jform_articletext&=1
@infograf768 check infograf768#44
It's totally possible to have a group with create permissions without edit, so you're more likely breaking something than fixing it (compared to 3.6.2 which checks core.edit).
The aim of all this was to let authors use these xtds. They do not have edit permissions, which prevented them from using the xtds in the front-end.
One could indeed have edit permissions without create, but this is very unlikely.
Therefore the main difference with 3.6.2 is that authors now can see the lists, use pagebreak and that the modules modal is access protected.
I have now corrected the PR for a typo (module(s)) and too many vars.
I propose to go with it and fine grain ACL in 3.7.
I have tested this item
Works here. Just a cosmetic change: the error message should be an error and not a warning. But other things work great!
Warning is what we got before
https://github.com/joomla/joomla-cms/pull/12353/files#diff-35390bcd97e9f612d6fc06ea874aa22aL22
Let's fine tune all this in 3.7 :)
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-10-17 12:10:11 |
Closed_By | ⇒ | rdeutz |
> The aim of all this was to let authors use these xtds. They do not have edit permissions, which prevented them from using the xtds in the front-end.
If every site uses the default ACL system then thinking in that structure is valid. Except not every site uses the default ACL structure. Many of the sites I manage have most of the default groups deleted and custom groups added. In general we have to think beyond the ACL groups that are shipped as part of our dataset and look at the actual permissions when we are doing things like this.
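As an added illustration of the guard being argued about above (not code from PR #12353 or from the Joomla code base), here is the shape of an entry check for the modules modal placed in components/com_modules/modules.php, as suggested earlier in the thread. Two things are assumptions made for the example: that the check is made against the `com_modules` asset, and that accepting either `core.create` or `core.edit` is the way to cover both cases raised in the discussion (a custom group with create but no edit, and the reverse), instead of the `core.edit`-only check the thread attributes to 3.6.2. The controller handoff at the end is the generic Joomla 3 component entry-file pattern, not something taken from this PR.

```php
<?php
// Added example, not the PR's own code: entry guard for the modules modal
// (index.php?option=com_modules&view=modules&layout=modal&tmpl=component).
// Assumption: testing the com_modules asset for either core.create or
// core.edit covers both the "authors need the button" case and the
// "custom group holds only one of the two permissions" case.
defined('_JEXEC') or die;

$app   = JFactory::getApplication();
$user  = JFactory::getUser();
$input = $app->input;

// Only the modal layout is sensitive here; it exposes the module list to
// whoever can reach the URL, so it needs its own check.
$isModal = ($input->get('layout') === 'modal' && $input->get('tmpl') === 'component');

if ($isModal)
{
    // Test permissions, never group names: sites replace the shipped groups,
    // so "is an Author" tells you nothing about what the account may do.
    $canCreate = $user->authorise('core.create', 'com_modules');
    $canEdit   = $user->authorise('core.edit', 'com_modules');

    if (!$canCreate && !$canEdit)
    {
        // Same response style the thread says 3.6.2 gave: a 403 warning
        // rather than a hard exception, then stop before rendering anything.
        JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));

        return;
    }
}

// Hand over to the component's normal front-end controller (generic
// Joomla 3 entry-file pattern; the controller name is an assumption).
$controller = JControllerLegacy::getInstance('Modules');
$controller->execute($input->get('task'));
$controller->redirect();
```

The point of the OR is the one made in the comment above: the check must follow the actual permissions on the asset, so a site that granted only `core.create` or only `core.edit` to a custom group is neither locked out nor let through by accident. Finer-grained rules (for example, distinguishing "may list modules" from "may edit them") would be a separate permission and are left to the 3.7 work mentioned in the thread.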
can we please add the tag for release blocker to this one?