tompms
31 May 2017

Steps to reproduce the issue

Restrict access works only for the menu alias, not for system links. E.g. if I create a menu position for the component VirtueMart (alias: /shop) or OsMap (/sitemap) and set access only to registered users, it takes effect only for the links www.mysite.com/shop and www.mysite.com/sitemap. However, if I use the links www.mysite.com/component/virtuemart or www.mysite.com/component/osmap/?view=html&id=1, I see the content as a guest, even if in the Joomla configuration for the VirtueMart component or OsMap component all ACL positions for guest or public are set to Denied (not allowed).

Expected result

All links mentioned above should display request for login if I'm guest user.

Actual result

System links such as:

www.mysite.com/component/virtuemart or www.mysite.com/component/osmap/?view=html&id=1
give me, as a guest, access to view the content

System information (as much as possible)

Joomla 3.7.2 but the problem occurs also in previous versions e.g. 2.5.28. PHP 5.4.37-1~dotdeb.0, Linux www5 2.6.26-1-xen-amd64
virtuemart component v. 3.2.2, osmap v. 4.2.11

Additional comments

tompms - open - 31 May 2017
joomla-cms-bot - labeled - 31 May 2017
franz-wohlkoenig - change - 31 May 2017
Priority: Urgent → Medium
mbabker - comment - 31 May 2017

I don't think this can be fixed. When you use the system URIs like that
they aren't aware of any menu items possibly associated with that URI
(unless we're parsing it and trying to match to a menu item perhaps).
Since that config is on a menu item and not the actual content item being
displayed, if the menu item isn't used, its config can't be applied.

franz-wohlkoenig - change - 31 May 2017
Status: New → Discussion
ggppdk - comment - 31 May 2017

I don't think this can be fixed.

correct,

and also I will add it should not be "fixed" at all
because I argue this cannot be considered to be a bug!

Viewing of component pages is done by the access levels, assigned to the component pages / content

and tasks like create / edit / delete / publish / other
are controlled by component's ACL (and sometimes by access levels too)

and not by some view limitation, that a menu item pointing to one of the pages has

  • menu item view limitations apply only when that menu item is used

Why would any such limitation be applied when menu item is not used ?

  • you could have 10 menu items with 10 different view levels pointing to the same page

so it is not a bug,
it works properly, and arguably this exact behaviour should not be changed!

there are already ways to limit access to pages and to tasks that can be used, that is to use the configuration inside the component itself

ggppdk - comment - 31 May 2017

And I will add here,
if some component does not have such functionality, then that component should implement / add it

franz-wohlkoenig - change - 31 May 2017
Status: Discussion → Information Required
tonypartridge - comment - 31 May 2017

As the above comments mention, it's correct since you are accessing the component directly.

You need to configure the component's permissions to be registered if you want to prevent the above.

Alternatively, the component developers could look for a menu item if one is not found, but that's up to the component developers.

This is not a BUG.

brianteeman - comment - 4 Jun 2017

I am closing this for the reasons stated above

brianteeman - change - 4 Jun 2017
Status: Information Required → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-06-04 09:04:22
Closed_By: brianteeman
brianteeman - close - 4 Jun 2017
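
The behaviour discussed in this thread, as a simplified model added here (not Joomla's code and not written by any participant): a menu item's view level is checked only when the request resolves to that menu item, so a `/component/<name>` URL is governed solely by what the component enforces itself. The level ids, the `AS_REPORTED` and `HARDENED` settings and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

PUBLIC, REGISTERED = 1, 2            # view levels (constructed ids)
GUEST = {PUBLIC}
MEMBER = {PUBLIC, REGISTERED}

@dataclass
class MenuItem:
    alias: str        # first path segment of the menu URL, e.g. "shop"
    component: str    # component the menu item points to
    access: int       # view level needed to use this menu item

# Constructed data mirroring the report: both menu items are Registered-only.
MENU = [MenuItem("shop", "virtuemart", REGISTERED),
        MenuItem("sitemap", "osmap", REGISTERED)]
# Hypothetical setting: view level each component enforces on its own pages.
AS_REPORTED = {"virtuemart": PUBLIC, "osmap": PUBLIC}
HARDENED = {"virtuemart": REGISTERED, "osmap": REGISTERED}

def route(url):
    """Return (component, menu_item); menu_item is None for system URLs."""
    parts = [p for p in urlsplit("//" + url).path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "component":
        return parts[1], None
    for item in MENU:
        if parts and parts[0] == item.alias:
            return item.component, item
    return None, None

def can_view(url, levels, component_access):
    component, item = route(url)
    if component is None:
        return False
    # The menu item's level is checked only when a menu item was resolved.
    if item is not None and item.access not in levels:
        return False
    return component_access.get(component, PUBLIC) in levels

def menu_only_restrictions(component_access):
    """Components restricted on every menu item but public when routed directly."""
    flagged = []
    for comp in sorted({m.component for m in MENU}):
        menu_levels = [m.access for m in MENU if m.component == comp]
        if PUBLIC not in menu_levels and component_access.get(comp, PUBLIC) == PUBLIC:
            flagged.append(comp)
    return flagged
```

`menu_only_restrictions` is the audit view of the same point: it lists components whose only restriction lives on menu items, which is the configuration the reporter had.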
