[#30779] - [4.0] Fixed frontend module editing for non-superusers.
- Fixed in Code Base
- 15 Oct 2020
- Medium
- Build: 4.0-dev
- # 30779
- Diff
- Harmageddon:fix_frontend_module_editing_v4
User tests: Successful: Unsuccessful:
Pull Request for Issue #30628.
Summary of Changes
Extended #30636 using the task parameter in addition to the view.
The frontend module editing feature uses com_config. If a user doesn't have permissions to access com_config, J4 forbids them from editing modules in frontend, even if they have the appropriate permission.
This PR adds a check for the modules view and tasks, which is separate from the com_config permission.
Testing Instructions
- Create a user in the "Administrator" (not Super User!) group.
- Enable frontend module editing and allow frontend module editing for the "Administrator" group.
- Log in to the Administrator account in frontend.
- Try to edit a module in frontend. This includes functionality of the buttons "Save", "Save and Close", and "Cancel".
Actual result BEFORE applying this Pull Request
Error 403: You don't have permission to access this.
Expected result AFTER applying this Pull Request
Frontend module editing works as expected.
Please make sure that the user who has only permissions for frontend module editing is still not allowed to access any other parts of com_config in frontend. You can do this with the following steps:
- Create a menu item of type "Configuration Manager - Site Configuration Options".
- Try to access this menu item with the non-superuser account in frontend.
- Create a menu item of type "Configuration Manager - Display Template Options".
- Try to access this menu item with the non-superuser account in frontend.
- And of course make sure that nobody who doesn't have the permission for frontend module editing is able to do this.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_config |
I have tested this item
There was only one snag: where is 'Enable frontend module editing'? It worked so I assume this was set by default.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.
There was only one snag: where is 'Enable frontend module editing'? It worked so I assume this was set by default.
and in 3.x with the tip...
The term Inline is indeed confusing imho as it does not refer strictly to frontend.
@infograf768
Thanks for pointing out Inline Editing. I remember it now and must have set it for a previous test.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.
Note:
A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?
Note:
A simple administrator has access by default to template edit (Advanced Tab) => (backend:
&view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?
I wondered about this as well (however I wasn't sure if I maybe missed any option). Not in this PR, but I'd say generally yes, the template editing should have the appropriate ACL options to configure, just like any other view.
Or are there any security implications discouraging this?
I have tested this item
I tested it with an own user group which I allowed to edit the frontend of a module.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.
Note:
A simple administrator has access by default to template edit (Advanced Tab) => (backend:
&view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?
Anything that allows to edit the template files should be locked down to superuser. Template options sounds fair to me but you have to make sure that only su can edit files.
@infograf768 Does your comment above keep us from setting RTC for this PR here? It has 2 good tests meanwhile.
@infograf768 Does your comment above keep us from setting RTC for this PR here? It has 2 good tests meanwhile.
IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.
Maybe @infograf768 can confirm or contradict?
Maybe @infograf768 can confirm or contradict?
I confirm it would be for a new PR
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.
IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.
Who wants to make that PR? @zero-24 Do you want? Or you @Harmageddon ?
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-10-15 17:38:57 |
| Closed_By | ⇒ | richard67 | |
| Labels |
Added:
?
?
|
||
Thanks!
I have tested this item✅ successfully on cb4414c
Tried also the 2nd part:
/display-template-option-pr-30779.html?view=templates
/site-configuration-options-pr-30779.html?view=config
gives: error 403
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.