PR-4.0-dev RTC

Pending


Harmageddon - 26 Sep 2020

Pull Request for Issue #30628.

Summary of Changes

Extended #30636 using the task parameter in addition to the view.

The frontend module editing feature uses com_config. If a user doesn't have permissions to access com_config, J4 forbids them from editing modules in frontend, even if they have the appropriate permission.
This PR adds a check for the modules view and tasks, which is separate from the com_config permission.

Testing Instructions

  1. Create a user in the "Administrator" (not Super User!) group.
  2. Enable frontend module editing and allow frontend module editing for the "Administrator" group.
  3. Log in to the Administrator account in frontend.
  4. Try to edit a module in frontend. This includes functionality of the buttons "Save", "Save and Close", and "Cancel".

Actual result BEFORE applying this Pull Request

Error 403: You don't have permission to access this.

Expected result AFTER applying this Pull Request

Frontend module editing works as expected.

Please make sure that the user who has only permissions for frontend module editing is still not allowed to access any other parts of com_config in frontend. You can do this with the following steps:

  1. Create a menu item of type "Configuration Manager - Site Configuration Options".
  2. Try to access this menu item with the non-superuser account in frontend.
  3. Create a menu item of type "Configuration Manager - Display Template Options".
  4. Try to access this menu item with the non-superuser account in frontend.
  5. And of course make sure that nobody who doesn't have the permission for frontend module editing is able to do this.
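The access decision the PR description outlines, as an added PHP example that is not the PR's own code: requests for the modules view or the modules.* tasks are gated on the module's own frontend-editing permission instead of the com_config permission, while every other com_config view (config, templates) stays on the component permission, which is what the second set of testing steps verifies. The StubUser class, the request table and the core.admin / com_config check on the non-module branch are constructed for this example; module.edit.frontend is the action name the com_modules ACL uses for "Frontend Editing".

```php
<?php
// Added example, not Joomla's own code. It models the access decision the PR
// description outlines for frontend requests to com_config: requests for the
// "modules" view or the "modules.*" tasks are gated on the module's own
// frontend-editing permission, everything else stays gated on the com_config
// permission. The StubUser class and the "core.admin" / "com_config" check on
// the non-module branch are constructed for this example.

// Minimal stand-in for a Joomla user: a set of granted (action, asset) pairs
// queried through authorise(), mirroring the shape of User::authorise().
final class StubUser
{
    /** @var array<string, true> keyed by "action|asset" */
    private array $grants = [];

    /** @param array<int, array{0: string, 1: string}> $grants */
    public function __construct(array $grants)
    {
        foreach ($grants as [$action, $asset]) {
            $this->grants[$action . '|' . $asset] = true;
        }
    }

    public function authorise(string $action, string $asset): bool
    {
        return isset($this->grants[$action . '|' . $asset]);
    }
}

/**
 * Decide whether a frontend com_config request may proceed (true) or should
 * get a 403 (false). $request holds the "view", "task" and "id" query values.
 */
function canAccessConfig(StubUser $user, array $request): bool
{
    $view = (string) ($request['view'] ?? '');
    $task = (string) ($request['task'] ?? '');
    $id   = (int) ($request['id'] ?? 0);

    // Joomla task names are "controller.method", so the part before the dot
    // identifies the module-editing tasks (modules.apply, modules.save,
    // modules.cancel). strstr() returns false when there is no dot.
    $controller = strstr($task, '.', true);

    $isModuleEditing = ($view === 'modules' || $controller === 'modules');

    if ($isModuleEditing) {
        // Module-specific check: "module.edit.frontend" is the action the
        // com_modules ACL defines as "Frontend Editing", evaluated against the
        // asset of the module being edited. No id means nothing to authorise.
        return $id > 0
            && $user->authorise('module.edit.frontend', 'com_modules.module.' . $id);
    }

    // Other com_config views (config, templates, ...) keep the component-level
    // permission. The action/asset pair here is an assumption for the example.
    return $user->authorise('core.admin', 'com_config');
}

// Constructed users: one with only frontend editing rights on module 17
// (the "Administrator" group user from the testing instructions), one with nothing.
$moduleEditor = new StubUser([['module.edit.frontend', 'com_modules.module.17']]);
$noRights     = new StubUser([]);

// Constructed requests covering both parts of the testing instructions.
$requests = [
    'open edit form'      => ['view' => 'modules', 'id' => 17],
    'Save'                => ['task' => 'modules.apply', 'id' => 17],
    'Save and Close'      => ['task' => 'modules.save', 'id' => 17],
    'Cancel'              => ['task' => 'modules.cancel', 'id' => 17],
    'site configuration'  => ['view' => 'config'],
    'template options'    => ['view' => 'templates'],
    'edit form, other id' => ['view' => 'modules', 'id' => 18],
];

foreach ($requests as $label => $request) {
    printf(
        "%-20s editor=%s  no-rights=%s\n",
        $label,
        canAccessConfig($moduleEditor, $request) ? 'allow' : '403',
        canAccessConfig($noRights, $request) ? 'allow' : '403'
    );
}
// The editor is allowed the four module-editing requests on module 17 and
// gets 403 for config, templates and module 18; the user without rights
// gets 403 everywhere.
```

The point of keying the branch on both the view and the task's controller prefix is that the edit form is opened with view=modules but saved or cancelled through modules.* tasks without a view parameter, so checking the view alone would still return a 403 on "Save" and "Cancel".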
Harmageddon - open - 26 Sep 2020
Harmageddon - change - 26 Sep 2020: Status New -> Pending
joomla-cms-bot - change - 26 Sep 2020: Category Front End com_config
Harmageddon - change - 26 Sep 2020: The description was changed
ChristineWk - test_item - 26 Sep 2020 - Tested successfully
ChristineWk - comment - 26 Sep 2020

I have tested this item successfully on cb4414c

Tried also the 2nd part:
/display-template-option-pr-30779.html?view=templates
/site-configuration-options-pr-30779.html?view=config
gives: error 403


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.

ceford - test_item - 27 Sep 2020 - Tested successfully
ceford - comment - 27 Sep 2020

I have tested this item successfully on cb4414c

There was only one snag: where is 'Enable frontend module editing'? It worked so I assume this was set by default.



infograf768 - comment - 27 Sep 2020

> There was only one snag: where is 'Enable frontend module editing'? It worked so I assume this was set by default.

[image: Screen Shot 2020-09-27 at 09 25 36]

and in 3.x with the tip...
[image: Screen Shot 2020-09-27 at 09 26 39]

The term Inline is indeed confusing imho as it does not refer strictly to frontend.

infograf768 - comment - 27 Sep 2020

@SharkyKZ
Any objection for this one?

ceford - comment - 27 Sep 2020

@infograf768
Thanks for pointing out Inline Editing. I remember it now and must have set it for a previous test.



infograf768 - comment - 27 Sep 2020

Note:

A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?

Harmageddon - comment - 28 Sep 2020

> Note:
>
> A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
> But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
> It is limited by default to superuser.
> Shall we implement this?

I wondered about this as well (however I wasn't sure if I maybe missed any option). Not in this PR, but I'd say generally yes, the template editing should have the appropriate ACL options to configure, just like any other view.
Or are there any security implications discouraging this?

LukasHH - test_item - 28 Sep 2020 - Tested successfully
LukasHH - comment - 28 Sep 2020

I have tested this item successfully on cb4414c

I tested it with my own user group, which I allowed to edit modules in the frontend.



gostn - test_item - 29 Sep 2020 - Tested successfully
gostn - comment - 29 Sep 2020

I have tested this item successfully on cb4414c



zero-24 - comment - 29 Sep 2020

> Note:
>
> A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
> But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
> It is limited by default to superuser.
> Shall we implement this?

Anything that allows editing the template files should be locked down to superuser. Template options sounds fair to me, but you have to make sure that only su can edit files.

richard67 - comment - 30 Sep 2020

@infograf768 Does your comment above keep us from setting RTC for this PR here? It has 2 good tests meanwhile.

Harmageddon - comment - 6 Oct 2020

> @infograf768 Does your comment above keep us from setting RTC for this PR here? It has 2 good tests meanwhile.

IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.
Maybe @infograf768 can confirm or contradict?

gostn - comment - 10 Oct 2020

> Maybe @infograf768 can confirm or contradict?

infograf768 - comment - 11 Oct 2020

I confirm it would be for a new PR

infograf768 - change - 11 Oct 2020: Status Pending -> Ready to Commit
infograf768 - comment - 11 Oct 2020

RTC



richard67 - comment - 15 Oct 2020

> IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.

Who wants to make that PR? @zero-24 Do you want? Or you @Harmageddon ?

richard67 - change - 15 Oct 2020:
  Status Ready to Commit -> Fixed in Code Base
  Closed_Date 0000-00-00 00:00:00 -> 2020-10-15 17:38:57
  Closed_By richard67
  Labels Added: PR-4.0-dev RTC
richard67 - close - 15 Oct 2020
richard67 - merge - 15 Oct 2020
richard67 - comment - 15 Oct 2020

Thanks!
