No Code Attached Yet J3 Issue
robbiejackson
2 Oct 2018

Overview

In administrator views such as the Articles view, if a record is checked out by a user then a little padlock symbol is displayed against it. The padlock symbol has a link (to check in the record) behind it which is enabled if the user has permission to check the record in, or disabled and greyed out if not.

The code in the various core component layout files which determines whether to enable the link is based on if the user is the same as the one who checked out the record, or if the user has core.manage permission on com_checkin.

However the code in FormModel::checkin() which performs the checkin actually checks if the user is the same as the one who checked out the record, or if the user has core.admin permission on com_checkin.

Steps to reproduce the issue

  1. Create a manager user within a user group like the manager user group of the Joomla sample install data. Ensure that the manager usergroup permissions for Checkin (com_checkin) are
    Configure ACL & Options: Not Allowed
    Access Administration Interface: Allowed

  2. With a user other than the manager user, check out an article (e.g. by editing it).

  3. Log in elsewhere as the manager user, and display the Articles. A padlock symbol should appear against the checked out record, with a link enabled behind it.

  4. Click on the padlock symbol. Joomla will return with an error
    Check-in failed with the following error: The user checking in does not match the user who checked out the item.

Expected result

The record should be checked in.

Actual result

The checkin attempt is rejected with an error message.

System information (as much as possible)

Joomla 3.8

Additional comments

The manager user can check in the record using the System / Global Check-in feature, because this functionality checks that the user has the core.manage permission for com_checkin (in administrator/components/com_checkin/checkin.php) and doesn't use the FormModel::checkin() code to perform the checkin.

As far as I can determine, the FormModel::checkin() functionality used to work correctly, but was changed to check against core.admin in #25540. I think this change should be reversed.

robbiejackson - open - 2 Oct 2018
joomla-cms-bot - labeled - 2 Oct 2018
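
The mismatch reported above, as an added example that is not Joomla's code and not part of the original report: a stand-alone PHP sketch in which `StubUser` and both gate functions are hypothetical stand-ins that restate the two checks as the issue describes them. It enumerates permission combinations (with a flat permission model, no inheritance) and lists those where the list view and the model disagree.

```php
<?php
// Added illustration; StubUser and both gate functions are hypothetical
// stand-ins that restate the checks as the issue describes them.
final class StubUser
{
    public function __construct(public int $id, private array $grants) {}

    // Same call shape as a permission lookup: action name + asset name.
    public function authorise(string $action, string $asset): bool
    {
        return in_array("$action@$asset", $this->grants, true);
    }
}

// Gate used by the list layout to decide whether the padlock link is enabled.
function uiAllowsCheckin(StubUser $u, int $checkedOutBy): bool
{
    return $u->id === $checkedOutBy || $u->authorise('core.manage', 'com_checkin');
}

// Gate applied when the check-in is actually performed (as reported).
function modelAllowsCheckin(StubUser $u, int $checkedOutBy): bool
{
    return $u->id === $checkedOutBy || $u->authorise('core.admin', 'com_checkin');
}

// Enumerate every combination and collect cases where the two gates disagree.
function findGateMismatches(): array
{
    $mismatches = [];
    foreach ([true, false] as $isOwner) {
        foreach ([[], ['core.manage'], ['core.admin'], ['core.manage', 'core.admin']] as $actions) {
            $grants = array_map(fn ($a) => "$a@com_checkin", $actions);
            $user = new StubUser($isOwner ? 42 : 7, $grants); // 42 = constructed lock owner id
            $ui = uiAllowsCheckin($user, 42);
            $model = modelAllowsCheckin($user, 42);
            if ($ui !== $model) {
                $mismatches[] = sprintf(
                    'owner=%s grants=[%s] ui=%s model=%s',
                    $isOwner ? 'yes' : 'no', implode(',', $actions),
                    $ui ? 'allow' : 'deny', $model ? 'allow' : 'deny'
                );
            }
        }
    }
    return $mismatches;
}

echo implode(PHP_EOL, findGateMismatches()), PHP_EOL;
```

When the layout and the model call one shared policy function, the same matrix returns an empty list, so the enumeration can serve as a regression test for the two gates drifting apart.
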
brianteeman - comment - 2 Oct 2018

Is that link correct?

ggppdk - comment - 2 Oct 2018

Confirmed

infograf768 - comment - 3 Oct 2018

The link is correct. It refers to a 2011 patch for 1.7 at the time of svn on joomlacode
c2da0aa

The code concerned is now in
/libraries/src/MVC/Model/FormModel.php
Line 99

I could not find the original issue on JC which would explain that patch.

brianteeman - change - 3 Oct 2018
Labels Added: J3 Issue
brianteeman - labeled - 3 Oct 2018
franz-wohlkoenig - change - 4 Mar 2019
Status: New → Discussion
jwaisner - change - 19 Mar 2020
Status: Discussion → Confirmed
Build: master → staging
brianteeman - comment - 25 Aug 2022

Thank you for raising this issue.

Joomla 3 is now in security only mode with no further bug fixes or new features.

This was actually fixed some time ago with #30676 but the issue was mistakenly left open.

Please close this as completed.

Quy - change - 25 Aug 2022
Status: Confirmed → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-08-25 23:41:12
Closed_By: Quy
Labels Added: No Code Attached Yet
Removed: ?
Quy - close - 25 Aug 2022
