I'm quite new to Joomla! and during work I've encountered an issue with a component (I didn't write it) that logs in a user programmatically through JApplication#login.
After a lot of debugging, I've found that the failure is caused by plgUserJoomla#onUserLogin, when we check if user is authorized:
$result = $instance->authorise($options['action']);
if (!$result)
Because JUser#authorise uses JAccess::check, and because this returns null if there's no rule specified (as in the default case), the if statement will match.
I think that a more correct behavior would be:
if ($result === false)
As I said, I'm not experienced with Joomla! and don't know if this will introduce some security issues, but this will fix my bug.
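A minimal model of the two guards discussed in the report above, added here as an example (it is not Joomla's code and not part of the original post). The hypothetical `checkRule()` stands in for a tri-state ACL lookup and the rule table is constructed; it shows that `!$result` treats a missing rule as a denial, while `=== false` lets a missing or misspelt action through.

```php
<?php
declare(strict_types=1);

// Hypothetical tri-state lookup (an assumption, not JAccess::check):
// true = explicit allow, false = explicit deny, null = no rule for this action.
function checkRule(array $rules, string $group, string $action): ?bool
{
    return $rules[$action][$group] ?? null;
}

// Guard in the form quoted in the report: anything that is not truthy blocks the login.
function guardLoose(?bool $result): bool
{
    if (!$result) {
        return false; // null and false both refuse the login (default deny)
    }
    return true;
}

// Guard in the form proposed in the report: only an explicit deny blocks the login.
function guardStrict(?bool $result): bool
{
    if ($result === false) {
        return false;
    }
    return true; // null falls through here, so "no rule" becomes "allowed"
}

// Constructed rule table for illustration only.
$rules = [
    'core.login.site' => ['Registered' => true, 'Banned' => false],
];

// Constructed cases: explicit allow, explicit deny, no rule set, misspelt action name.
$cases = [
    ['Registered', 'core.login.site'],
    ['Banned',     'core.login.site'],
    ['Registered', 'core.login.admin'],
    ['Registered', 'core.login.sitee'],
];

foreach ($cases as [$group, $action]) {
    $result = checkRule($rules, $group, $action);
    printf(
        "%-10s %-17s rule=%-5s loose=%-5s strict=%s\n",
        $group,
        $action,
        var_export($result, true),
        var_export(guardLoose($result), true),
        var_export(guardStrict($result), true)
    );
}
```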
Category | ⇒ | Authentication |
Category | Authentication | ⇒ | ACL Authentication Plugins |
Status | New | ⇒ | Information Required |
Closing as there is no activity since 13. Sep 14 and no way to replicate this issue. This can be reopened if we have more information about this.
Thanks @Iazel
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/2676.
Status | Information Required | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-10-17 12:21:06 |
Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/2676
JUser::authorise() and JAccess::check() both promise to return a boolean, not a null.
Anyway, false or null is by no means true. I think the logic of the code is to throw an exception if authorise is not true.
Please add a way to replicate this.
This comment was created with the J!Tracker Application at http://issues.joomla.org/.