[#29596] - [4.0] No user information if the user hast not the right to manage users
- Fixed in Code Base
- 15 Jun 2020
- Medium
- Build: 4.0-dev
- # 29596
- Diff
- chmst:module-stats-users
- Pending Hound Hound is busy sniffing around... Details
User tests: Successful: Unsuccessful:
Pull Request for Issue #29589 .
Summary of Changes
In general, the site information has view level "super users". So in geeral, module "site information" is not shown for users of other groups.
But this view level can be changed to public or special.
If a user hast not permission to manage users, he should not see the users information.
Testing Instructions
Make sure that the admin module "site information" has view level "manage" or lower.
Login as a user in a group without the right to manage users.
You may not see the users information.
Expected result
Remark
Users and articles information are shown in many places.
I think this information could be removed from site information as well.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Modules Administration |
| Title |
|
||||||
If a user hast not permission to manage users, he should not see the users information.
I do not agree with this assumption
I think it is perfectly valid that the site information module displays the count of users. It is only the link that needs to be removed
Changing it to core.manage at line 108 per @Quy suggestion resolved the issue I had with the PR test.
if ($users && $user->authorise('core.manage', 'com_users'))
@brianteeman I'm split on whether the non-user managers should be able to see the number of users.
Further to @brianteeman comment, changing 108-114 to the following would disable the link, but still display the number of users. It just doesn't format the number as it's no longer a link.
if ($users)
{
$rows[$i] = new \stdClass;
$rows[$i]->title = Text::_('MOD_STATS_USERS');
$rows[$i]->icon = 'users';
$rows[$i]->data = $users;
if ($user->authorise('core.manage', 'com_users'))
{
$rows[$i]->link = Route::_('index.php?option=com_users');
}
$i++;
}
| Labels |
Added:
?
|
||
Thank you for testing and your opinion. I have fixed and changed as you prefer to remove only the link.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
Thank you for testing and your opinion. I have fixed and changed as you prefer to remove only the link.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
I have tested this item
Revised version tested as expected.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
Last 3 commits after @particthistle 's test have just been code style, so his test result is still valid. I'll add it back in the issue tracker so it is correctly counted.
@Quy After your test there have been changes which were not code style only. Could you test again? Thanks in advance.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-15 21:40:35 |
| Closed_By | ⇒ | wilsonge | |
| Labels |
Added:
?
|
||
Thanks!
I have tested this item? unsuccessfully on 269d0b7
Partially tested successfully.
Manager level user Success
Administrator level user Issue Discovered
Line 108 looks to be overzealous:
if ($users && $user->authorise('core.PR an', 'com_users'))Still working out Joomla function code... what's the 'core.PR an' permission do?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29596.