Log in to Joomla 4 admin as someone who can send private messages.
Easier to replicate as a super admin, but for bonus points log in as a manager after allowing the manager level full access to private messaging but not users - this will result in them NOT getting a User Selector modal, e.g. #29548
Edit the HTML of the page to fake a user id to send to; for giggles choose a registered-level user id (999 is used in this example).
If using the manager level with no com_users access you need to inject this field into the DOM:
<input type="hidden" id="jform_user_id_to_id" name="jform[user_id_to]" value="999" class="field-user-input required" data-onchange="" required="">
For both manager and super admin, you also need to change the value of the custom element
from
<input type="text" id="jform_user_id_to" class="form-control field-user-input-name required form-control-danger invalid" value="" required="" readonly="" aria-invalid="true">
to
<input type="text" id="jform_user_id_to" class="form-control field-user-input-name required form-control-danger" value="999" required="" readonly="" aria-invalid="true">
Compose a message and click Send.
Joomla doesn't send a message to a user that otherwise cannot be selected from a list of users in the modal, that list consisting of people that have ACL access to com_messages
Joomla stores a message in the database, and alerts by email the registered user with id 999 that they have a new private message, that they now cannot access as they have no ACL for com_messages.
The only people that should be able to RECEIVE private messages should be those with permission to com_messages, therefore Joomla should reject any other provided user id.
Joomla DOES validate that the user with id 999 exists, but it doesn't check if they have permission to use private messaging.
Probably a small security issue... but as it requires a super admin logged in, or a manager logged in with specific com_messages allowed ACL, I'm posting here. //@SniperSister
Labels | Added: ? |
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-10 12:22:32 |
Closed_By | ⇒ | SharkyKZ |
Just hiding the new button is not going to stop a faked request being made. There needs to be valid ACL checking also on sending.
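The server-side check the comment above asks for, as an added example that is not Joomla's own code nor the fix that was eventually merged. It assumes Joomla 4's `Joomla\CMS\User\User::authorise()` and `Factory::getUser()` APIs; the specific action and asset names used to express "may use private messaging" (`core.login.admin`, `core.manage` on `com_messages`) are an assumption about what the user-selector modal filters on, and the function names are hypothetical.

```php
<?php
// Added example (not Joomla's own code): refuse a private message unless the
// recipient is allowed to use com_messages. Intended to run in the save path,
// before the message row is stored and before the notification email goes out,
// so a forged jform[user_id_to] value is rejected regardless of what the
// user-selector modal showed (or did not show) in the browser.

use Joomla\CMS\Factory;
use Joomla\CMS\User\User;

/**
 * True if $recipient could themselves be picked in the com_messages user modal:
 * an existing, unblocked account that may log in to the administrator and has
 * access to com_messages. Assumption: these are the permissions the modal uses.
 */
function recipientMayReceiveMessage(User $recipient): bool
{
    if ((int) $recipient->id <= 0 || (int) $recipient->block === 1) {
        return false;
    }

    return $recipient->authorise('core.login.admin')
        && $recipient->authorise('core.manage', 'com_messages');
}

/**
 * Validate a submitted user_id_to value. Joomla already rejects ids that do
 * not exist; this adds the ACL check the report says is missing.
 */
function validateRecipientId(int $userIdTo): bool
{
    // Factory::getUser() returns a User with id 0 when the id is unknown.
    $recipient = Factory::getUser($userIdTo);

    if ((int) $recipient->id !== $userIdTo) {
        return false;
    }

    return recipientMayReceiveMessage($recipient);
}

/**
 * Hypothetical hook point: call this from the message model's save() with the
 * submitted user_id_to and abort the save (no DB row, no email) on false.
 */
function guardMessageSave(array $data): bool
{
    $userIdTo = (int) ($data['user_id_to'] ?? 0);

    return validateRecipientId($userIdTo);
}
```

The point of doing this on the server is that the hidden input and the readonly text field are entirely under the client's control, so hiding or disabling the selector only changes what a cooperative browser submits; the ACL decision has to be re-made from the recipient's own permissions at the moment the message is saved.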