Create a new user
Create a new user group
Create a new access level
Go to System and allow the usergroup back end access
Log in
User has a means to log out
User does not have access to anything (correctly), which also means they cannot log out
User cannot visit /administrator/index.php?option=com_users&view=login&layout=logout either
I didn't test it, so we can assume someone else could do the same thing. Once I had logged in and realised the error I couldn't log out of my test user, so I couldn't fix the problem by logging back into my Super User. I could have cleared my cookies, but perhaps another user doesn't know that.
Is there ever a time when a logged in user should not be authorised to log out?
What you have said is almost on par with saying, we shouldn't check that an email address has been entered when creating a user, because surely they know to do that. In some cases we shouldn't rely on the users.
It's a valid bug
@uglyeoin @brianteeman -
Creating users is completely different, of course. In this particular case we should not be relying on users either, but new users should be able to rely on webmasters to have created their usergroup in such a way that it inherits permissions from its parent or is otherwise set up and tested properly beforehand. That is how back end administration has worked in the past.
But how can you test it without logging in as that user? And then once you do you cannot log out to fix whatever error you have made.
That is a workaround. Doesn't stop it being a bug that can be fixed.
Sorry, I thought I mentioned it but obviously I didn't: this was in J4.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-17 11:45:21 |
Closed_By | ⇒ | uglyeoin |
@uglyeoin that is interesting but surely not an issue in a live site where new usergroups and access levels are usually tested before any real users are added to new usergroups.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29628.