ggppdk
4 Jan 2017

Steps to reproduce the issue

Set a user group to have 'core.create' to 'inherit'
in both global configuration and in a component e.g. com_content

and do:

$auth  = JFactory::getUser()->authorise('core.create', 'com_content');
var_dump($auth);

Expected result

NULL (up to J3.6.4)

Actual result

bool(false)

System information (as much as possible)

J3.6.5

Additional comments

I was using this to avoid checking 'core.create' categories on ALL categories if core.create is "hard denied" on component

Now my code no longer works,
the add button is not displayed (not displayed in case of soft deny at component level),
-- because JUser::authorise() now always returns FALSE in case of soft deny instead of NULL

PS: the way Joomla articles manager now checks for "Add" button can be improved to perform better

  • in case of hard deny it uselessly calculates 'core.create' on ALL categories, despite not being possible to allow after hard deny
  • in case that one category is found it does not stop, it continues to calculate core.create on ALL categories without real need, since Add button is shown even if 1 category is found

The above affect performance of add-button calculation,
on sites with 1000+ or 3000+ categories that use soft deny at component level

  • that is why I am not using user->getAuthorisedCategories (it does not have option "stop at 1st found category") and now it seems I will duplicate JUser::authorise method too

J3.6.4 code was (in JUser::authorise)

return $this->isRoot ? true : JAccess::check($this->id, $action, $assetname);

J3.6.5

return $this->isRoot ? true : (bool) JAccess::check($this->id, $action, $assetname);
ggppdk - change - 4 Jan 2017
Title changed from "JUser::authorise($action, $assetname = null) can not check for soft deny in J3.6.5" to "JUser::authorise() can no longer check for soft deny in J3.6.5 (broken)"
ggppdk - comment - 4 Jan 2017

Here is a workaround for anyone having the same issue:

$action = 'core.create';
$assetname = 'com_mycomponent';
$user = JFactory::getUser();

$auth  = $user->authorise($action, $assetname);
if (!$auth)
{
	$auth = JAccess::check($user->id, $action, $assetname);
}
if ($auth === NULL) echo 'soft deny';
ggppdk - change - 4 Jan 2017
Title changed from "JUser::authorise() can no longer check for soft deny in J3.6.5 (broken)" to "JUser::authorise() can no longer check for soft deny (null) in J3.6.5 (now it is always false)"
mbabker - comment - 4 Jan 2017

If you need to rely on soft deny versus hard deny, call JAccess::check() directly. As noted it was a purposeful change because the expectation (and documentation) was that a Boolean result would be returned so those implementing strict === false checks were being bitten by the undocumented null return.
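
The difference between the raw tri-state result and the cast one, together with the short-circuit "Add" button check described in this thread, as an added example that is not part of the thread or of Joomla's code. `canShowAddButton()` and the sample ACL array are hypothetical, and the `$check` callable stands in for `JAccess::check()`.

```php
<?php
// Constructed sample ACL: true = allow, false = hard deny, null = soft deny (inherit).
// Stands in for what JAccess::check($userId, 'core.create', $asset) would return.
$acl = [
    'com_content'             => null,   // soft deny at component level
    'com_content.category.8'  => null,
    'com_content.category.9'  => true,   // explicit allow on one category
    'com_content.category.10' => true,
];

/**
 * Decide whether to show the "Add" button (hypothetical helper, not Joomla API).
 * $check must return the raw tri-state, i.e. it must not cast to bool.
 * Returns [bool $show, int $lookups] so the cost of the decision is visible.
 */
function canShowAddButton(callable $check, string $component, array $categoryIds, bool $isRoot = false): array
{
    if ($isRoot) {
        return [true, 0];
    }
    $lookups = 1;
    $auth = $check($component);
    if ($auth === true) {
        return [true, $lookups];    // assumption: component-level allow is enough
    }
    if ($auth === false) {
        return [false, $lookups];   // hard deny: no category can re-allow it
    }
    // null: soft deny, a category may still grant the action
    foreach ($categoryIds as $id) {
        $lookups++;
        if ($check($component . '.category.' . $id) === true) {
            return [true, $lookups];    // stop at the first allowed category
        }
    }
    return [false, $lookups];
}

$raw  = fn(string $asset) => $acl[$asset] ?? null;   // J3.6.4-style result
$cast = fn(string $asset) => (bool) $raw($asset);    // J3.6.5-style result

var_dump(canShowAddButton($raw, 'com_content', [8, 9, 10]));
var_dump(canShowAddButton($cast, 'com_content', [8, 9, 10]));
```

With the raw check the button is shown after three lookups (component, category 8, category 9); with the cast check the component-level soft deny is indistinguishable from a hard deny, so the category scan never runs and the button stays hidden.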

ggppdk - comment - 4 Jan 2017

@mbabker

Yes, I can use JAccess::check(), and I have already patched my software to use it

  • because the code of JUser::authorise() also checks if user is super admin, I had opted to use it (in version of last 6 months)

Just the 1% - 2% of my sites using this and also having J3.6.5, are now broken and will need to be updated ... to my new software version, so that their "Add" button appears again

About performance, no impact, performance is same
since it is just a check on a component asset (or on current category asset)

If you think that this change should not be reverted, then I can close this issue too

ggppdk - change - 4 Jan 2017
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-01-04 04:28:39
Closed_By: ggppdk
