Pull Request for Issue #30628.
Extended #30636 using the task parameter in addition to the view.
The frontend module editing feature uses com_config. If a user doesn't have permissions to access com_config, J4 forbids them from editing modules in frontend, even if they have the appropriate permission.
This PR adds a check for the modules view and tasks, which is separate from the com_config permission.
Error 403: You don't have permission to access this.
Frontend module editing works as expected.
Please make sure that the user who has only permissions for frontend module editing is still not allowed to access any other parts of com_config in frontend. You can do this with the following steps:
Status | New | ⇒ | Pending |
Category | ⇒ | Front End com_config |
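A model of the access decision this PR describes, as an added example that is not the PR's or Joomla's own code: requests for the modules view or a `modules.` task need only the module editing permission, while everything else in frontend com_config still needs the component permission. The permission strings, the function names and the rule that a task takes precedence over the view are assumptions of this sketch.

```php
<?php
// Added sketch, not Joomla code. Permission strings and function names are hypothetical.

const PERM_CONFIG_ACCESS = 'com_config.access';      // placeholder for the com_config permission
const PERM_MODULE_EDIT   = 'modules.frontend_edit';  // placeholder for frontend module editing

/**
 * Decide which permission a frontend com_config request needs.
 * A task names the controller action that will run, so when one is present
 * it decides; the view only decides for plain display requests
 * (a design choice of this sketch).
 */
function requiredPermission(array $query): string
{
    $task = strtolower(trim((string) ($query['task'] ?? '')));
    $view = strtolower(trim((string) ($query['view'] ?? '')));

    if ($task !== '') {
        return strncmp($task, 'modules.', 8) === 0 ? PERM_MODULE_EDIT : PERM_CONFIG_ACCESS;
    }

    // Anything other than exactly the modules view falls back to the component permission.
    return $view === 'modules' ? PERM_MODULE_EDIT : PERM_CONFIG_ACCESS;
}

/** Return the HTTP status the request would be answered with: 200 or 403. */
function checkAccess(array $query, array $userPermissions): int
{
    return in_array(requiredPermission($query), $userPermissions, true) ? 200 : 403;
}

// Constructed test matrix: a user who may only edit modules in the frontend.
$moduleEditor = [PERM_MODULE_EDIT];
$requests = [
    ['view' => 'modules', 'id' => '17'],      // module edit form
    ['task' => 'modules.save', 'id' => '17'], // saving the module
    ['view' => 'templates'],                  // other com_config views stay closed
    ['view' => 'config'],
    [],                                       // no parameters: deny by default
];

foreach ($requests as $query) {
    $label = http_build_query($query) ?: '(no parameters)';
    printf("%-28s => %d\n", $label, checkAccess($query, $moduleEditor));
}
```

The last three rows are the regression check the description asks for: a user holding only the module editing permission must still get 403 on every other part of com_config.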
I have tested this item
There was only one snag: where is 'Enable frontend module editing'? It worked so I assume this was set by default.
@infograf768
Thanks for pointing out Inline Editing. I remember it now and must have set it for a previous test.
Note:
A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?
I wondered about this as well (however I wasn't sure if I maybe missed any option). Not in this PR, but I'd say generally yes, the template editing should have the appropriate ACL options to configure, just like any other view.
Or are there any security implications discouraging this?
I have tested this item
I tested it with my own user group, which I allowed to edit the frontend of a module.
I have tested this item
Note:
A simple administrator has access by default to template edit (Advanced Tab) => (backend: &view=style&layout=edit)
But has no access in frontend to a template editing page as the controller, the view, the dispatcher and no specific access in templates Options exists to allow it.
It is limited by default to superuser.
Shall we implement this?
Anything that allows editing the template files should be locked down to superuser. Template options sounds fair to me, but you have to make sure that only su can edit files.
@infograf768 Does your comment above keep us from setting RTC for this PR here? It has 2 good tests meanwhile.
IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.
Maybe @infograf768 can confirm or contradict?
I confirm it would be for a new PR
Status | Pending | ⇒ | Ready to Commit |
RTC
IMHO the comment you're referring to is a request for a new or enhanced feature. This feature should be implemented in a new PR, not here, because this PR here fixes a bug.
Who wants to make that PR? @zero-24 Do you want to? Or you, @Harmageddon?
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-10-15 17:38:57 |
Closed_By | ⇒ | richard67 | |
Thanks!
I have tested this item ✅ successfully on cb4414c
Tried also the 2nd part:
/display-template-option-pr-30779.html?view=templates
/site-configuration-options-pr-30779.html?view=config
gives: error 403
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/30779.