[#30778] - Fixed frontend module editing permissions.
- Fixed in Code Base
- 30 Oct 2020
- Medium
- Build: staging
- # 30778
- Diff
- Harmageddon:fix_frontend_module_permissions
- Success Download Prebuilt packages are available for download. Details
- Success continuous-integration/drone/pr Build is passing Details
- Success continuous-integration/appveyor/pr AppVeyor build succeeded Details
- Pending JTracker/HumanTestResults Human Test Results: 1 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
Version: Joomla! 3.x
In #6113, the permission check for editing a module in frontend was checked from "return error if user is not allowed to edit this module OR if user is not allowed to edit any module" to "return error if user is not allowed to edit this module AND if user is not allowed to edit any module". The intention was to allow users to edit a single module even if they are lacking the general permission to edit modules in frontend.
However, this introduces a problem for the inverse case: A user that generally may edit frontend modules, but should not be allowed to edit one particular module. For this case, the "OR" construction worked and the "AND" doesn't.
Summary of Changes
I suggest to get rid of the check of the general permission. If there are no permission rules for the particular module, Joomla's ACL has an automatic fallback to the general permissions for frontend module editing. So I don't see any need to check both rules. Please correct me if I'm mistaken!
Testing Instructions
For the frontend steps, you need a user who is no "Super Administrator", but in another user group, for example "Administrator". For the backend steps, use your "Super Administrator" account or at least an account who has the permissions to edit permissions.
- Backend: Navigate to "Extensions - Modules - Options". Under "Permissions", set the "Frontend Editing" permission for the "Administrator" user group to "inherited". This should result to a calculated permission of "Not Allowed (Inherited)".
- Backend: Edit a module. In the "Permissions" tab, set the "Frontend Editing" permission for "Administrator" to "Allowed". Hit "Save and Close".
- Frontend: Make sure you can edit this particular module and no other module. While editing the module, save the URL of the edit form for later usage. Change something and hit "Save and Close".
- Backend: Navigate to "Extensions - Modules - Options". Under "Permissions", set the "Frontend Editing" permission for the "Administrator" user group to "Allowed".
- Frontend: Make sure you can edit and save all modules on the site.
- Backend: Edit a module. In the "Permissions" tab, set the "Frontend Editing" permission for "Administrator" to "Denied". Hit "Save and Close".
- Frontend: Make sure that there is no button to edit this particular module. For all others however, the button is there. Make sure you still can edit all other modules by changing values and saving them.
- Frontend: Nevertheless, try to access the module edit form using the URL you saved in step 3. Change some values and hit "Save and Close".
Actual result BEFORE applying this Pull Request
Although you shouldn't be allowed to do this, you can edit the module in step 8.
Expected result AFTER applying this Pull Request
Step 8 should result in a "You are not allowed to view this resource" error. All other steps should still work like before (e.g. follow the ACL permissions).
Documentation Changes Required
None
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_config |
| Labels |
Added:
?
|
||
I rebased it and the tests passed. Thank you!
I have tested this item
Perfect test instructions!
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30778.
I have tested this item
Phew :-) Thanks for your instructions!
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30778.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30778.
rdeutz
- | Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-10-30 12:48:32 |
| Closed_By | ⇒ | rdeutz | |
| Labels |
Added:
?
|
||
@Harmageddon Could you merge latest staging of the cms repo into your branch for this PR to get the latest updates from the CMS? There was an error in the staging branch for a while which is fixed now, and this error made all system and unit tests fail, so we can't really see if they would be successful for your PR or not. Thanks in advance.