uglyeoin
15 Jun 2020

Steps to reproduce the issue

Create a new user
Create a new user group
Create a new access level

Go to system and allow the usergroup back end access

Log in

Expected result

User has a means to logout

Actual result

User does not have access to anything (correctly), which also means they cannot log out

User cannot visit /administrator/index.php?option=com_users&view=login&layout=logout either

System information (as much as possible)

Additional comments

uglyeoin - open - 15 Jun 2020
joomla-cms-bot - labeled - 15 Jun 2020
uglyeoin - change - 15 Jun 2020
The description was changed
uglyeoin - edited - 15 Jun 2020
toivo - comment - 15 Jun 2020

@uglyeoin that is interesting but surely not an issue in a live site where new usergroups and access levels are usually tested before any real users are added to new usergroups.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/29628.

uglyeoin - comment - 16 Jun 2020

I didn't test it, so we can assume someone else could do the same thing. Once I had logged in and realised the error I couldn't log out of my test user, so I couldn't fix the problem by logging back into my Super User. I could have cleared my cookies, but perhaps another user doesn't know that.

Is there ever a time when a logged in user should not be authorised to log out?

What you have said is almost on par with saying, we shouldn't check that an email address has been entered when creating a user, because surely they know to do that. In some cases we shouldn't rely on the users.

brianteeman - comment - 16 Jun 2020

It's a valid bug

toivo - comment - 16 Jun 2020

@uglyeoin @brianteeman -
Creating users is completely different, of course. In this particular case we should not be relying on users either, but new users should be able to rely on webmasters to have created their usergroup in such a way that it inherits permissions from its parent or is otherwise set up and tested properly beforehand. That is how back end administration has worked in the past.

uglyeoin - comment - 16 Jun 2020

But how can you test it without logging in as that user? And then once you do you cannot log out to fix whatever error you have made.

toivo - comment - 16 Jun 2020

@uglyeoin - nothing stops you from using two different browsers.

brianteeman - comment - 16 Jun 2020

That is a workaround. Doesn't stop it being a bug that can be fixed.

SharkyKZ - comment - 17 Jun 2020

Is this about mod_user having Special access level (related #28804)?

brianteeman - comment - 17 Jun 2020

Yes it is, but I am assuming that @uglyeoin is referring to J3 and that is for J4.

uglyeoin - comment - 17 Jun 2020

Sorry, I thought I mentioned it but obviously I didn't; this was in J4.

uglyeoin - comment - 17 Jun 2020

@SharkyKZ yes, that looks the same to me. Nice work, I'll close this.

uglyeoin - close - 17 Jun 2020
uglyeoin - change - 17 Jun 2020
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2020-06-17 11:45:21
Closed_By: uglyeoin
