Pull Request for Issue # .
Our Form API has an unset filter which is used to disallow changing certain data if the current user does not have permission to change it. We use it to handle other fields such as ordering, published, ... https://github.com/joomla/joomla-cms/blob/4.0-dev/administrator/components/com_contact/src/Model/ContactModel.php#L194-L196 , so created_by should not be treated in a different way.
<?php if (true) : ?>
The purpose is to have the hidden field always rendered so that you can use the browser's inspect element tool to change the hidden input variable and change the Created By data of a record.
Log in to the administrator area of your site using a Manager account (by default, a Manager account does not have permission to manage users, so it won't be allowed to change the Created By data of an article).
Access Content -> Articles and click on an article to edit it. Navigate to the Publishing tab and look at the Created By field; you will see that it is readonly, meaning you are not allowed to change Created By of the article.
Inspect that Created By element and try to change the value of the hidden input (which stores the ID of the user who created that article) to a different value.
Save the article. Then edit it again, check and make sure Created By is not changed (it still keeps the original user, not the new user you set).
Works, but has to override the validate method in some model classes. Code is inconsistent with the way we handle other fields.
Works, does not need to override the validate method in model classes to just unset the field. Code is consistent with how we handle other fields' data.
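As an added illustration, not code from this PR or from Joomla itself, here is a stand-alone PHP sketch of the server-side rule the PR relies on: when the current user may not change ownership, the model marks created_by with the unset filter and the form's filter step discards whatever value the browser posted, so a tampered hidden input never reaches the save. MiniForm, prepareArticleForm() and the $canChangeOwner flag are simplified stand-ins for Joomla's Form::setFieldAttribute()/Form::filter() and the model's permission check.

```php
<?php
// Added, simplified stand-in for the Joomla Form API behaviour discussed in the PR;
// not Joomla's own Form class. The real calls it mimics are
// $form->setFieldAttribute('created_by', 'filter', 'unset') and $form->filter($data).
final class MiniForm
{
    /** @param array<string, array<string, string>> $fields field name => attributes */
    public function __construct(private array $fields) {}

    public function setFieldAttribute(string $name, string $attr, string $value): void
    {
        $this->fields[$name][$attr] = $value;
    }

    // Server-side filtering of posted data: undeclared fields are dropped, and a field
    // marked filter="unset" is dropped even when the browser posted it, so the stored value is kept.
    public function filter(array $input): array
    {
        $output = [];
        foreach ($this->fields as $name => $attrs) {
            $unset = strtolower($attrs['filter'] ?? '') === 'unset';
            if (array_key_exists($name, $input) && !$unset) {
                $output[$name] = $input[$name];
            }
        }
        return $output;
    }
}

// The model's getForm() step. Disabling the field is only the UI half: the hidden
// input is still submitted and would be saved. The unset filter is the server-side
// half that actually enforces the permission check.
function prepareArticleForm(MiniForm $form, bool $canChangeOwner): void
{
    if (!$canChangeOwner) {
        $form->setFieldAttribute('created_by', 'disabled', 'true');
        $form->setFieldAttribute('created_by', 'filter', 'unset');
    }
}
// Constructed sample: a Manager (not allowed to manage users) saves an article after
// tampering with the hidden created_by value in the browser.
$form = new MiniForm([
    'id'         => ['type' => 'hidden'],
    'title'      => ['type' => 'text'],
    'created_by' => ['type' => 'user'],
]);
prepareArticleForm($form, false);
$clean = $form->filter(['id' => '42', 'title' => 'Hello', 'created_by' => '1']);
echo isset($clean['created_by']) ? "created_by accepted\n" : "created_by discarded\n";
```

In the real Joomla flow the same filtered array is what the model binds and stores, which is why the original owner survives the tampered submission.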
Status | New | ⇒ | Pending |
Category | ⇒ | Administration com_banners com_contact com_content com_fields com_newsfeeds |
Could we have testing instructions by code review? Or do we need a real test?
Maybe a compromise: Real code review
For this kind of PR, it would be easier for someone who understands how our Form API works to review the code than end-user testing. But if real testing is needed, I will try to write testing instructions :)
I don't really understand the Form API.
I don't really understand the Form API
We could not understand/know everything :).
Umm, because this is a recent security fix, unfortunately I think this one needs testing. @joomla/security FYI
OK. I updated the testing instructions. Hope it is clear enough for users to test.
I have tested this item
With and without PR the change of user-id in dev-tools is not saved.
@zero-24 @SniperSister Could you please review this PR?
Category | Administration com_banners com_contact com_content com_fields com_newsfeeds | ⇒ | Administration com_banners com_categories com_contact com_content com_fields com_newsfeeds |
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-06-15 23:13:42 |
Closed_By | ⇒ | wilsonge |
Yup, I'm OK with that. Thank you!
@zero-24 @SniperSister Do you know if there were security-related reasons why we did it like we did and not like proposed by this PR here for the created_by field?