[#17838] - Fix allowEdit check for module
- Fixed in Code Base
- 3 Sep 2017
- Medium
- Build: staging
- # 17838
- Diff
- sanderpotjer:pr/menu-module-acl
User tests: Successful: Unsuccessful:
Pull Request for Issue #17188
Summary of Changes
Fixing the allowEdit in the module controller. Currently using the component permissions as a fallback, even while a ID is set to edit. Due to this, editing a module is allowed when the edit permission is denied for the module specifically but allowed for com_modules.
The controller only should use the component permissions if the module ID is not set.
Testing Instructions
- Create a new user group
Module Test - Assign this user group to access level
Special - Allow the backend login action for the
Module Testuser group in the Global Configuration permissions - Allow
Access Administration InterfaceandEditaction for both Menu & Module component permissions for theModule Testuser group. - Open the module that displays one of your menu's, eg the
Main Menu. SetEditaction permission to denied for theModule Testuser group - Create a test user, assign to
Module Testuser group - Login with test user
- Go to Menus -> Manage, and click on the module title under the
Linked Modulescolumn of the menu module you just denied action for
Actual result
A modal shows up, containing the module you can edit. Check under the module manager that you can't edit the module over there.
Expected result
Apply the patch, now the module shows up, but with a list of modules and the error message Edit not permitted.
joomla-cms-bot
- | Category | ⇒ | Administration com_modules |
| Status | New | ⇒ | Pending |
@brianteeman I fully agree. But disabling the link to the module is not a real fix for the ACL issue in theallowEdit of the Module controller that could also happen in other places where the module is loaded in a modal. So I thought it would be better to have a separately PR for disabling the modules that you can't edit (won't hide it, as at the moment we tend to disable links rather than hiding them). That PR is coming
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17838.
@brianteeman thanks for testing, created a new PR for disabling the linked module: #17845
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17838.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17838.
| Status | Pending | ⇒ | Ready to Commit |
RTC after two successful tests.
I have tested this item
I was going to test sooner but it was too late last night, i have done code review on this it is correct
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17838.
mbabker
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-09-03 16:34:07 |
| Closed_By | ⇒ | mbabker | |
| Labels |
Added:
?
|
||
@sanderpotjer thank you for the detailed test instructions. With them I was able to replicate the issue and test your PR.
Instead of
would it be possible to just disable/remove the link to the module - i think that would be a cleaner experience?