[#25169] - Don't show Joomla! Update quickicon to unauthorised users
- Closed
- 5 Dec 2019
- Medium
- Build: staging
- # 25169
- Diff
- SharkyKZ:j3/plgQuickiconJoomlaupdate
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
Pull Request for Issue # .
Summary of Changes
Checks if user is authorised to access com_joomlaupdate.
Testing Instructions
Create a user group with backend access. Configure permissions:
Set Installer - Access Administration Interface (com_installer.core.manage) permissions to Allow.
Set Joomla! Update - Configure ACL & Options (com_joomlaupdate.core.admin) permissions to Deny.
Create a user in this group, login with this user.
In control panel, click on Joomla! update quick icon.
Expected result
Either the icon is not shown or no errors when viewing com_joomlaupdate.
Actual result
An error has occurred.
403 You are not authorised to view this resource.
Documentation Changes Required
IDK.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End Plugins |
@SharkyKZ whats the Status of this Pull Request? Will you take the Suggestion by @brianteeman?
| Labels |
Added:
?
|
||
Not in 3.x.
This PR can be tested?
Yes, I think so.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/25169.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/25169.
| Status | Pending | ⇒ | Ready to Commit |
Status "Ready To Commit".
This is really a bad idea as I stated before
I don't like the change it would be better to remove the link and only show that a new version is available if you can't update as the current user.
If you like to disable the quick icon the admin can change the access level of the plugin.
@HLeithner disabling the link will just frustrate the user - there needs to be a message. The current code behaviour is correct its just the message that should be changed #25169 (comment)
The user doesn't know that there would be a link normally. Giving him a message saying you can't update brings him not more information as he already has but if you find that better you can add a PR.
As long as it doesn't end in an error message it's ok for me.
The user doesn't know that there would be a link normally.
Of course they do - all the other quickicons are links
I have tested this item
Icon not visible
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/25169.
| Labels |
Added:
?
|
||
Thanks for this pr but I will not merge it, I would like to see no link or a proper error message. But only showing it to admin can be achieved by setting a proper access level to the plugin.
| Status | Ready to Commit | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-12-05 22:31:21 |
| Closed_By | ⇒ | HLeithner |
It's showing only to super admin because that's what com_joomlaupdate requires. This PR makes perceived behavior consistent with extension update check plugin.
The check does two things
- It tells you that the site needs to be updated
- It has a link to perform the update
As stated before simply hiding the icon is not a solution. The solution is to display something than other than a 403
That's the reason I closed it, it would be better to bring a popup/alert window/what ever to tell the user he/she has to inform a super user.
My 2c is that we absolutely should show the icon and if there are updates available but it does need something better than the 403 if they are not authorised. Perhaps some sort of message "Please contact the site administrator to update"