[#35687] - Joomla 3.x and 4.x ACL - author access level
- New
- Medium
- Build: 4.0-dev
- # 35687
Steps to reproduce the issue
Both in J3 and j4 we have a preinstalled user groups and access permissions for this groups. On of them is Author.
Author can do:
- site login
- create (any items)
- edit own (items)
Check this in Global configuration - Permissions.
Create a user with Author access level and try to create an article (com_content) via frontend.
Expected result
We expect that Author can create it's own item, save and close it and go to drink a cup of coffee. Then after a while he can return and resume it's job. He goes to category, select his unfinished article and continue to edit and to save it.
Actual result
Author goes to category where he created an article and sees nothing. He can't see it's own unpublished article.
If we add to Author ability to Edit (Global configuration - Permissions) or Edit sate - then Author can see unpublished articles. But also he can change article state and publish it without verification by Editor. Or he can edit all articles, not only own.
System information (as much as possible)
Checked it on Joomla 3.10.2 and 4.0.3
joomla-cms-bot
- | Labels |
Added:
No Code Attached Yet
|
||
I tested a workflow on j4and find, that author can't see his own articles. I try to repeat this on j3 and found it too.
as I expected
there are some extensions?
No. It cant be done because as reported the core acl doesnt allow it. Try it and see.
Would it need an additional "setting" in which the author can edit own articles only when they are still unpublished?
afaict yes that is the only way
Hackwar
- | Labels |
Added:
bug
|
||
I don't know the code but just from the words i believe it could be just a simple bug.
edit own permission should be the same with edit with an AND clause that only things created by me could be edited.
Can someone point me to the correct file that these permissions are defined? i 'm not a programmer but i understand algorithms.
Of course i am not sure about what i assume so plz be patient if it is something extremely difficult to fix.
A question to you, @peteruoi: I understood that the user in you issue cannot see the unpublished articles in the frontend list, but could you check if the user can actually edit his unpublished article in the frontend?
To check you could just replace the article id in the URL to the frontend editor
- Copy the edit link from a published article by this user (an article the user can see and edit with the "edit own" permission)
- replace the article ID parameter in the URL to an unpublished article by this user (If I remember correctly it should be the
&aid=XXpart) - try to open that url while still being logged in as that user
If the user can then open and use the editor with this link, this is only a bug in the article list model. I know of similar bugs (unpusblished articles not showing up in some rather "weird" ACL configurations)
To answer your question and to explain my reply: The permission checks in lists and the editor itself are not the same code. So the check in the list might have the bug, but the check in the editor itself might work correctly. So there is no single file where this is defined...
shouldn't this task can be done with workflow in J4 ?
https://magazine.joomla.org/all-issues/march-2021/joomla-4-the-new-publishing-workflow-feature