? J4 Issue
SniperSister
22 Mar 2019

Is your feature request related to a problem? Please describe.

Right now, there's just a global "edit" permission for com_users, meaning that if you want to allow someone to edit users, you also have to allow them to edit groups and view levels, which obviously isn't always wanted, as a security implication in terms of ACL is associated with that.

Describe the solution you'd like

We should split up the "com_users" ACL right into multiple rights, just like we do in the rest of the CMS:

Tasks:

  • split up com_users into com_users.users, com_users.groups, com_users.viewlevels
  • adjust permission level checks (so far checking for com_users) throughout the system
  • update default permissions to make sure that groups and viewlevels are allowed for Super Admins only
  • figure out a 3.x to 4.x migration path

Additional context

JSST had an internal discussion about this topic, but as the current behavior is "by design" and any change would be a b/c break, we decided to open a ticket in the public tracker instead of handling it in a security release.

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
5.00
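
A simplified model of the change requested in the issue above, added here as an illustration; it is not Joomla code and not from the tracker. The section names come from the task list; the group names, rule tables and the parent-asset fallback are assumptions made for the example.

```python
# Simplified model of the requested ACL split; not Joomla code.
# Group names and rule tables are constructed for illustration.

SUPER = "Super Admins"  # group that always passes (assumption)

# Current behaviour: one asset, one edit right for everything in com_users.
CURRENT_RULES = {
    ("com_users", "edit"): {"User Managers"},
}

# Proposed behaviour: one asset per section, named as in the task list.
# Groups and view levels carry no grants, so only Super Admins pass.
SPLIT_RULES = {
    ("com_users.users", "edit"): {"User Managers"},
    ("com_users.groups", "edit"): set(),
    ("com_users.viewlevels", "edit"): set(),
}

SECTIONS = ("com_users.users", "com_users.groups", "com_users.viewlevels")


def resolve(rules, asset, action):
    """Return the groups granted `action`, falling back to the parent asset."""
    while asset:
        if (asset, action) in rules:
            return rules[(asset, action)]
        asset = asset.rpartition(".")[0]  # "com_users.groups" -> "com_users" -> ""
    return set()


def can(rules, user_groups, action, asset):
    """True if any of the user's groups is granted `action` on `asset`."""
    groups = set(user_groups)
    if SUPER in groups:
        return True
    return bool(groups & resolve(rules, asset, action))


def report(rules, user_groups):
    """Edit decision for each com_users section under the given rule set."""
    return {s: can(rules, user_groups, "edit", s) for s in SECTIONS}


if __name__ == "__main__":
    for label, rules in (("current", CURRENT_RULES), ("split", SPLIT_RULES)):
        print(label, report(rules, ["User Managers"]))
```

Under the single-asset rules the delegated group passes the check for all three sections, because every section check resolves to the one com_users grant; under the split rules it passes for users only.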

SniperSister - open - 22 Mar 2019
joomla-cms-bot - change - 22 Mar 2019
Labels Added: ?
joomla-cms-bot - labeled - 22 Mar 2019
franz-wohlkoenig - change - 22 Mar 2019
Status: New → Discussion
franz-wohlkoenig - change - 22 Mar 2019
Category: ACL com_users
franz-wohlkoenig - change - 4 Apr 2019
Labels Added: J4 Issue
franz-wohlkoenig - labeled - 4 Apr 2019

brianteeman - comment - 16 Sep 2019

Is this something you will be contributing?

brianteeman - comment - 13 Dec 2019

or should this be closed?

brianteeman - comment - 3 Feb 2020

@SniperSister any update?

SniperSister - comment - 5 Feb 2020

Drowning in work so didn't have time to tackle that issue, but it's definitely on my todo list.

jwaisner - change - 24 Mar 2020
Status: Discussion → New
Build: master → 4.0-dev
jwaisner - change - 24 Mar 2020
Category: ACL com_users → ACL com_users Feature Request

alexandreelise - comment - 2 Aug 2020

Nice feature to add. @SniperSister


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24299.

brianteeman - comment - 23 Dec 2020

This should probably be retagged for 4.1

Quy - change - 23 Dec 2020
Labels Added: ?
Quy - labeled - 23 Dec 2020
Quy - change - 23 Dec 2020
Labels Removed: J4 Issue
Quy - unlabeled - 23 Dec 2020
jwaisner - change - 24 Aug 2021
Title: [4.0] Split up com_users permissions into sections → [4.1] Split up com_users permissions into sections
joomla-cms-bot - edited - 24 Aug 2021
joomla-cms-bot - change - 24 Aug 2021
Labels Removed: ? ?
joomla-cms-bot - change - 24 Aug 2021
Labels Removed: ? ?
joomla-cms-bot - unlabeled - 24 Aug 2021
joomla-cms-bot - unlabeled - 24 Aug 2021

jwaisner - comment - 24 Aug 2021

Updated to retag (without a label at the moment) to revisit for 4.1


brianteeman - comment - 23 Aug 2022

please add the new feature and j4 issue label

zero-24 - change - 23 Aug 2022
Labels Added: ? J4 Issue
zero-24 - labeled - 23 Aug 2022
zero-24 - labeled - 23 Aug 2022