[#13654] - Incoherent applied permissions in "Create Article" menu item, Edit state not applied
- Closed
- 9 Feb 2017
- Medium
- Build: 3.7 alpha 2
- # 13654
Steps to reproduce the issue
-
Create an article category "User Articles", save and in permissions tab, set permissions for registered users Create: allowed, Edit state: allowed.
-
Add menu item "User Articles" to main menu, type: Category Blog, select category "User Articles"
new menu "Create Article". -
Create a new menu "Create Article Menu" for the frontend.
-
Add a menu item "Create Article" to the menu "Create Article Menu", set the access to Registred, under options tab Default Category: Yes, Choose Category "User Articles".
-
Add a module for the "Create Article Menu", Select Menu: "Create Article Menu", Base Item: "User Articles", Postion: the same than main menu, Access: Registered, Menu Assignment: only on page "User Articles" of main menu.
-
Create a new user and assign him to the registered group.
-
With the new user, login to the frontend.
-
Click on "User Articles" menu item and then on "Create Article".
Expected result
The user should be able to create a new article and in the publishing tab, set the status as published or unpublished.
Actual result
The user can create a new article, but it will be unpublished. There are no settings to publish or unpublish it.
To have the publish/unpublish settings, the permission "Edit State" must be allowed for registered users in the global article options.
This behavior of the permissions in the "Create Article" menu item is not coherent.
The create permission from the "User Articles" article category has an effect. Disabling it removes the access to the edit article form.
But the permission "Edit State" of the article category has no effect. It must be inherited from the global article permissions to get the expected behavior.
System information
Ubuntu 16.04, mysql Ver 14.14 Distrib 5.7.17 for Linux (i686), PHP 7.0.13-0ubuntu0.16.04.1, Joomla 3.7 alpha 2
joomla-cms-bot
- 
The article category permission "Edit state" is not applied in this case. In my opinion, that is not a correct behavior.
The global permissions "Create" and "Edit state" work as expected.
The article category permission "Create" is applied,
but the article category permission "Edit state" is ignored.
So, why is the category permission "Create" applied, but "Edit state" is not and must be inherited from global permissions? Inheriting from global permissions might grant too many permissions to other article categories.
Sounds like a bug to me. It should be inherited the same way from the category as the "Create" one.
It is indeed a bug. At the moment, for new article, we only get edit state permission from com_content component and ignore the category permission, see https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/models/article.php#L367
Usually, that line would automatically also check the category permissions (as well as the component one) as part of the article one. That's implemented in the ACL already.
But in case of a new article, we do some kind of hack here to check for the category create permissions. There is no ACL inheritance set up yet since the article isn't saved yet.
As soon as it is saved, you can go edit it and change the state (I guess, haven't tested) as then the ACL "tree" is built and works.
So the state would need some special handling in case of a new article here as well. But this may be tricky to do.
Usually, that line would automatically also check the category permissions (as well as the component one) as part of the article one. That's implemented in the ACL already.
I don't think that code checks permission automatically as you said. It would work as you said if that code is somehow replaced with (need to
if (!$this->canEditState($item))(of course we need to get $item object first).
I don't think that code checks permission automatically as you said.
If the article is stored correctly, $user->authorise('core.edit.state', 'com_content.article.1') will check first the article asset. If there is no specific permission set (the action inherits) then it checks the parent one (the assigned category). If that has no specific permissions set as well, it will again check the parent one (com_content component settings) and if that has it set to inherit as well, it will check again the parent one which in that case is the root one (global Joomla configuration).
That's how our ACL works
I understand how ACL works, I only said that the line of code https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/models/article.php#L367 doesn't work as you said (the line of code I mentioned applied for the case new article)
I also see something which doesn't look correct to me, will try to prepare a PR and show it to you :)
Ah, misunderstood you.
I think it should work when it checks for the category in case of a new article and preselected category.
I think the tricky part is what happens when the category is changed to another one where the user wouldn't be allowed to change the state.
Closing this issue as there is a PR
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-02-09 18:46:59 |
| Closed_By | ⇒ | Bakual |
I followed the Steps to reproduce Issue and got also no status field
Publish, ...I don't get the Issue: How should which ACL-Setting work?