[#17674] - UI fix: user with authorization to create in at least a category can access editor view in menuitems for other categories
- Fixed in Code Base
- 22 Jan 2020
- Medium
- Build: staging
- # 17674
- Diff
- LivioCavallo:content.edit.view.security
- Success hound No violations found. Woof! Details
- Success continuous-integration/drone/pr the build was successful Details
- Success continuous-integration/travis-ci/pr The Travis CI build passed Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
User tests: Successful: Unsuccessful:
Summary of Changes
Perform an additional authorization check at the category level in com_content edit view file: view.html.php .
This blocks an unauthorized user from accessing the editor in some circumstancies when he does not have "Create" permissions for that category.
Testing Instructions
Create a new User Group: "Manage Category ONE" with 'Public' parent group.
In System / Global Configuration set Permission to allow "Manage Category ONE" group to Login into site.
Create new user 'User1' as member of this group.
Create a new article category "ONE" and set permissions so that "Manage Category ONE" group is allowed to "Create".
Create a new article category "TOP SECRET" and check that "Manage Category ONE" group has no permissions to "Create" in it.
Now create a menuitem, "Create Top Secret", to submit a new article; set Options so that default category "TOP SECRET" is default.
Login as "User1" into frontend and "Create Top Secret".
Expected result
User is not authorized, not having rights to "Create" in "Top Secret" category.
Actual result
User is allowed to enter the editor! He can even browse images folder.
Notes
In J!3.4.4 (and I suppose in some later versions) the user was allowed to save the article!
In J!3.7.5 (I suppose starting from some previous versions) when he clicks on "Save" the operation is blocked with error; this mitigates the problem.
Anyway I think that accessing the editor (though the most dangerous functionalities are disabled) is not a "good thing": the user should be blocked as soon as he tries to access a resource he is not authorized to use, not later, when he tries to close (save) that resource.
joomla-cms-bot
- | Category | ⇒ | Front End com_content |
| Status | New | ⇒ | Pending |
| Labels |
Added:
?
|
||
Constrained / Bound category?
| Category | Front End com_content | ⇒ | Administration Language & Strings Front End com_content |
| Labels |
Added:
?
|
||
Constrained is hard to translate.
"Specific category" reads better imho.
This is more an UX fix , that an security fix (e.g. the form display of custom fields of an non-accessible category are revealed),
i say UX because, imagine someone spending 10, 20 minutes to fill in the form and then clicking save, to discover that has no access to save the form, some real frustration
So should I change name to: "UX fix: ..." ?
(Or programmer safety?
Hmm, found a bug, unrelated to this PR.
One can save a Create Article menu item, settting "Default Category" to Yes and NOT filling the "Choose a Category" field.
In frontend, using such a setting forces to save the article created in the category with the smallest Id. catid param is therefore empty.
Therefore I suggest to use
$catid = $this->state->params->get('catid');
if (!empty($catid)
{
$authorised = $user->authorise('core.create', 'com_content.category.' . $catid);
etc.
as I could not find a way to solve that bug.
Oh! Thanks. Fixed.
There is a way to add client-side field validation to params form field in backend?
In this case it would be useful something like 'showon:', let's say 'requireon:'.
It seems there were problems with drone and appveyor, but I don't find a way to restart them. Is it normal?
Or there is really any error?
i think we still need to manage properly the issue referenced by @infograf768, your fix just show Error save not permitted but maybe is better to open a different issue for that
I have tested this item
as per pr testing info
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674.
I have tested this item
as per pr testing info
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674.
I have made PRs against you patching both places, that 'enable_category' is used
components/com_content/views/form/view.html.php
and
components/com_content/models/form.php
now code will work properly even if user has set 'enable_category' to YES and did not select category
- it will now behave as if 'enable_category' is NO
fixing is #17708 is now not needed
Thanks @ggppdk, I like your idea, I think it's a good workaround. I merged it.
Anyway I think that the "Selected category" should be 'required' if Default category is ON and the user should be blocked on saving or at least receive an alert saying that without selecting a category there won't be any constraints on the category, as if 'enable_category' is OFF, as implemented by your PRs.
I think that issue #17708 is still needed.
@infograf768 : I agree. This PR fixes problems. Thanks all.
A better Long term user experience will be eventually provided by #17708
Why is AppVeyor failing?
I tested it in Jommla! 3.7.4, 3.7.5 and 3.8 beta. This patch works as expected.
Did someone else test it?
| Category | Front End com_content Administration Language & Strings | ⇒ | Administration com_content Front End |
| Category | Front End com_content Administration | ⇒ | Administration Language & Strings Front End com_content |
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674.
| Title |
|
||||||
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17674.
| Status | Pending | ⇒ | Ready to Commit |
Status "Ready To Commit".
| Labels |
Added:
?
|
||
@HLeithner What happens with this PR?
Something take longer then other, thanks for this PR
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-01-22 21:45:35 |
| Closed_By | ⇒ | HLeithner |
Also i noticed that parameter name is 'Default category'
but parameter description says:
so "Default category" does not sound like best choice
instead of "Default category" a proper parameter name would be