No Code Attached Yet
avatar Harmageddon
Harmageddon
13 Sep 2020

Steps to reproduce the issue

  1. Create a user in the "Administrator" (not Super User!) group.
  2. Enable frontend module editing and allow frontend module editing for the "Administrator" group.
  3. Log in to the Administrator account in frontend.
  4. Try to edit a module in frontend.

Expected result

The module edit screen should be shown.

Actual result

Error 403: You don't have permission to access this.

System information (as much as possible)

PHP 7.2
Tested with 4.0-beta3 and current 4.0-dev (a1990ff).

Additional comments

Reported by user LukasHH at https://forum.joomla.de/thread/12433-j4-beta-3-frontend-bearbeitung-module-führt-zu-403-fehler/. Confirmed by @ChristineWk and myself.

Not sure when this bug was introduced, but it worked in 3.x, and still works in staging.

avatar Harmageddon Harmageddon - open - 13 Sep 2020
avatar joomla-cms-bot joomla-cms-bot - labeled - 13 Sep 2020
avatar infograf768
infograf768 - comment - 13 Sep 2020

The default for anyone below superuser is "Not Allowed."
Screen Shot 2020-09-13 at 16 29 30

It's the same in 3.x

Screen Shot 2020-09-13 at 16 31 33

Once defined as Allowed in the Options, an Administrator can edit modules in frontend.

avatar Harmageddon
Harmageddon - comment - 13 Sep 2020

Once defined as Allowed in the Options, an Administrator can edit modules in frontend.

For me, this doesn't work. I set it to "allowed" in the options of "Modules" (step 2 of the description above).
Does it work on your 4.0 site?

avatar infograf768
infograf768 - comment - 13 Sep 2020

yep.

avatar Formatio-hippocampi
Formatio-hippocampi - comment - 13 Sep 2020

Issue confirmed:

Screen Shot 2020-09-13 at 17 57 54

System Information

php: Linux lamp10.cloudaccess.net 3.10.0-962.3.2.lve1.5.24.4.el6h.x86_64 #1 SMP Thu Nov 15 04:53:17 EST 2018 x86_64
dbserver: mysql
dbversion: 5.7.29-cll-lve
dbcollation: utf8_general_ci
dbconnectioncollation: utf8mb4_general_ci
dbconnectionencryption:
dbconnencryptsupported: true
phpversion: 7.3.21
server: Apache
sapi_name: cgi-fcgi
version: NightlyBuild - Joomla! 4.0.0-beta4-dev Development [ Mañana ] 29-July-2020 18:21 GMT
useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:80.0) Gecko/20100101 Firefox/80.0

avatar infograf768
infograf768 - comment - 13 Sep 2020

Screen Shot 2020-09-13 at 18 08 07

Screen Shot 2020-09-13 at 18 09 05

Screen Shot 2020-09-13 at 18 09 32

avatar infograf768
infograf768 - comment - 13 Sep 2020

But then, after clicking the icon
403 You don't have permission to access this. Please contact a website administrator if this is incorrect.

avatar infograf768
infograf768 - comment - 13 Sep 2020

So, confirmed indeed

avatar infograf768
infograf768 - comment - 13 Sep 2020

Please test modifying this line

if (!$this->app->getIdentity()->authorise('core.admin'))

to
if (!$this->app->getIdentity()->authorise('module.edit.frontend', 'com_modules.module.' . $mod->id))

avatar ChristineWk
ChristineWk - comment - 13 Sep 2020

@infograf768

I changed above line accordingly and it looks OK for menue modules.

avatar jwaisner jwaisner - change - 13 Sep 2020
Status New Confirmed
avatar infograf768
infograf768 - comment - 13 Sep 2020

@ChristineWk
yep. I had to resave global config to get a correct result on my test site.
Will do PR.

avatar infograf768 infograf768 - change - 14 Sep 2020
Status Confirmed Closed
Closed_Date 0000-00-00 00:00:00 2020-09-14 07:46:33
Closed_By infograf768
avatar infograf768
infograf768 - comment - 14 Sep 2020

Please test #30636

closing as we have a patch

avatar infograf768 infograf768 - close - 14 Sep 2020
avatar infograf768
infograf768 - comment - 14 Sep 2020

Reopening as PR does not work

avatar infograf768 infograf768 - change - 14 Sep 2020
Status Closed New
Closed_Date 2020-09-14 07:46:33
Closed_By infograf768
avatar infograf768 infograf768 - reopen - 14 Sep 2020
avatar jwaisner jwaisner - change - 18 Sep 2020
Status New Confirmed
avatar Harmageddon
Harmageddon - comment - 26 Sep 2020

New / extended PR approach: #30779. I hope it works this time.

avatar alikon alikon - change - 27 Sep 2020
Status Confirmed Closed
Closed_Date 0000-00-00 00:00:00 2020-09-27 10:06:04
Closed_By alikon
avatar alikon alikon - close - 27 Sep 2020
avatar alikon
alikon - comment - 27 Sep 2020

please test #30779

Add a Comment

Login with GitHub to post a comment