This PR proposes to backport to 2.5.x the JUser::getInstance(0); fix from Joomla 3.0 Commit c7c3722 (which is an import including Joomla Platform Commit joomla/joomla-platform@0afde04#diff-5954647dc2fd6222bf4424b083506d75 ).
This is triggering a bug in Joomla when someone tries to get an instance of JUser(0) when not logged in.
To reproduce the bug:
JUser::getInstance();
to a plugin that gets loaded, go to Joomla backend, log in and see that UserAccessLevels are wrong as caching happens here: https://github.com/joomla/joomla-cms/blob/2.5.x/libraries/joomla/user/user.php#L452 . Moreover, if that JUser gets saved it would auto-create a new user, according to the comment. Both Kunena and CB projects ran into this 2.5-only bug during beta tests these last months.
A simple code review will show that this is a no-brainer, and could be a potential security issue if Joomla or an extension tries to instantiate JUser id 0 this way.
Link to exact same lines missing in 2.5.x (including 2.5.20) but existing in Joomla 3 since 3.0:
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/user/user.php#L265
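The caching problem described in this PR, as an added example that is not part of the PR and is not Joomla's code: a simplified model of a per-id instance cache with and without a guard for id 0. `ModelUser`, both `getInstance*` methods and `getViewLevels` are hypothetical names, and the level ids are constructed sample values.

```php
<?php
// Simplified model (assumption), not Joomla's JUser: a per-id instance cache.
class ModelUser
{
    public $id = 0;
    public $viewLevels = null; // computed once, then kept on the object
    private static $instances = array();
    // Without the guard: every id, including 0, goes into the shared cache.
    public static function getInstanceUnguarded($id = 0)
    {
        $id = (int) $id;
        if (empty(self::$instances[$id])) {
            $user = new ModelUser;
            $user->id = $id;
            self::$instances[$id] = $user;
        }
        return self::$instances[$id];
    }

    // With the guard: id 0 is never cached, each caller gets a fresh object.
    public static function getInstanceGuarded($id = 0)
    {
        if ((int) $id === 0) {
            return new ModelUser;
        }
        return self::getInstanceUnguarded($id);
    }

    // Hypothetical stand-in for an access-level lookup that caches its result.
    public function getViewLevels(array $levelsNow)
    {
        if ($this->viewLevels === null) {
            $this->viewLevels = $levelsNow;
        }
        return $this->viewLevels;
    }
}

// A plugin touches user 0 before login; the guest-only levels get cached.
$early = ModelUser::getInstanceUnguarded(0);
$early->getViewLevels(array(1));

// Later code asks for user 0 again and receives the same, already primed object.
$later = ModelUser::getInstanceUnguarded(0);
var_dump($later === $early);
var_dump($later->getViewLevels(array(1, 2, 3)));

// With the guard, two calls for id 0 are independent objects.
var_dump(ModelUser::getInstanceGuarded(0) === ModelUser::getInstanceGuarded(0));
```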
Cross-posting from JC:
Hello,
I understand the code and see what it does. What I don't see is how I can confirm this in the GUI. What should I see before and after the change?
I don't notice anything out of the ordinary in the Viewing Access Levels.
Some pointers please.
Merged into 2.5.
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2014-07-27 17:57:35 |
http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=33758&start=0