[#16997] - ACL not working on modules after upgrading when $root_user variable is used in configuration.php
- Closed
- 7 Jul 2017
- Medium
- Build: staging
- # 16997
Steps to reproduce the issue
- Install Joomla 3.7.3.
- Add variable $root_user to configuration.php with a username of your site.
- Publish a module with non public permissions.
Expected result
The module will be not visible by public users or guest.
Actual result
The module is shown to public users or guest.
System information
Joomla 3.7.3
PHP 5.6 or 7
Additional comments
It seems that the error is in libraries/joomla/access/access.php line 1074:
if ($root_user && ($root_user == $user->username || $root_user == $user->id))
I think we are trying to check $root_user against a string and an int
| Labels |
Added:
?
|
||
Root user is only intended to be used in order to reset super user access. It should NEVER be left enabled after super user access has been regained.
| Category | ⇒ | ACL com_users |
| Status | New | ⇒ | Discussion |
I agree, it should never be left enabled but, during the process, private content shouldn't be public.
I am faced with the same issue, is there any solution?
There is a string with int comparison in the code
"somename" == 0
will return true,
because "somename" typecasted to integer is 0 , thus you get
0 == 0
I have made a PR
| Status | Discussion | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-07-07 05:11:49 |
| Closed_By | ⇒ | franz-wohlkoenig |
| Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16997
closed as having PR #17011
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16997.
@izharaazmi Plese look on this as you wrote this chenge.