Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#21169] - [com_content] Redundant access check

? ? Pending

User tests: Successful: Unsuccessful:

avatar SharkyKZ
SharkyKZ
18 Jul 2018

Pull Request for Issue # .

Summary of Changes

This removes redundant access check from admin Articles model.

Testing Instructions

Code review. See that we already filter by access in the query:

joomla-cms/administrator/components/com_content/models/articles.php

Lines 250 to 256 in 88bcd98

// Filter by access level on categories.
if (!$user->authorise('core.admin'))
{
$groups = implode(',', $user->getAuthorisedViewLevels());
$query->where('a.access IN (' . $groups . ')');
$query->where('c.access IN (' . $groups . ')');
}

Alternatively, you can check that this snippet (placed somehwere in frontend/site, e.g. in Protostar index file) doesn't return unauthorized articles. Where $accessLevel is some access level ID:

JModelLegacy::addIncludePath(JPATH_ADMINISTRATOR . '/components/com_content/models', 'ContentModel');
$model = JModelLegacy::getInstance('Articles', 'ContentModel', array('ignore_request' => true));
$model->setState('params',  JFactory::getApplication()->getParams());
$model->setState('filter.access', $accessLevel);
$articles = $model->getItems();
var_dump($articles);

Documentation Changes Required

No.

avatar SharkyKZ SharkyKZ - open - 18 Jul 2018
avatar SharkyKZ SharkyKZ - change - 18 Jul 2018
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 18 Jul 2018
Category Administration com_content
avatar SharkyKZ SharkyKZ - change - 18 Jul 2018
Labels Added: ?
avatar bene-we bene-we - test_item - 23 Jul 2018 - Tested successfully
avatar bene-we
bene-we - comment - 23 Jul 2018

I have tested this item successfully on 8d3d71e

What I tested:

On administrator site, create a new article with permission Super Users. After that I created a new user and added him to the administration group. I logged in with the newly created user and filtered for Super Users: No articles appear.

@icampus

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/21169.

avatar Tchangue Tchangue - test_item - 24 Jul 2018 - Tested successfully
avatar Tchangue
Tchangue - comment - 24 Jul 2018

I have tested this item successfully on 8d3d71e

I created two articles in the same menu: one with permission public and the other one with permission registered. By navigating on this menu we can only see the article with public access and when a user log in the second articles with permission registered appears.

@icampus

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/21169.

avatar franz-wohlkoenig franz-wohlkoenig - change - 24 Jul 2018
Status Pending Ready to Commit
avatar franz-wohlkoenig
franz-wohlkoenig - comment - 24 Jul 2018

Ready to Commit after two successful tests.

avatar mbabker
mbabker - comment - 25 Jul 2018

Since the extended method now does nothing useful, it can be removed too (no, there are no B/C issues with that).

avatar roland-d
roland-d - comment - 26 Jul 2018

@SharkyKZ Can you update your PR as pointed out by @mbabker ?

avatar SharkyKZ SharkyKZ - change - 26 Jul 2018
Labels Added: ?
avatar SharkyKZ
SharkyKZ - comment - 26 Jul 2018

Updated.

avatar roland-d
roland-d - comment - 26 Jul 2018

@bene-we @Tchangue can you give this another test please?

avatar mbabker mbabker - close - 2 Aug 2018
avatar mbabker mbabker - merge - 2 Aug 2018
avatar mbabker mbabker - change - 2 Aug 2018
Status Ready to Commit Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2018-08-02 22:30:39
Closed_By mbabker

Add a Comment

Login with GitHub to post a comment