[#36273] - [4.x] - com_config ACL backward compatibility issue
- Closed
- 7 Feb 2023
- Medium
- Build: 4.2-dev
- # 36273
Steps to reproduce the issue
- Create a custom component with configurable options (com_config).
- Create a user group with the required ACL privileges to manage the component's configuration.
- Create a view with a toolbar containing an
Optionsbutton, allowing the privileged user to manage the custom component's configuration. - Display the view and click the
Optionsbutton.
Expected result
- A com_config view, displaying only the options for the custom component.
Actual result
- A 403 error with the message 'You don't have permission to access this. Please contact a website administrator if this is incorrect`.
System information (as much as possible)
- Joomla! 4.0.4
Additional comments
The above 'Steps to reproduce the issue' worked perfectly fine in Joomla! 3.x and gave the 'Expected result'. A major change in the way components are dispatched in Joomla! 4, involving the new Joomla\CMS\Dispatcher\ComponentDispatcher class, interferes with this behavior. More specifically, ComponentDispatcher::checkAccess() checks a user's com_config management permission, before com_config has the chance to verify, in its HtmlView (questionable in itself), for which component management actually is requested.
Adding a custom Dispatcher to com_config is one way to solve the problem. A minimal .../administrator/components/com_config/src/Dispatcher/Dispatcher.php could look like so:
<?php
/**
* @package Joomla.Administrator
* @subpackage com_fields
*
* @copyright (C) 2017 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Component\Config\Administrator\Dispatcher;
\defined('_JEXEC') or die;
use Joomla\CMS\Access\Exception\NotAllowed;
use Joomla\CMS\Dispatcher\ComponentDispatcher;
/**
* ComponentDispatcher class for com_config
*
* @since __DEPLOY_VERSION__
*/
class Dispatcher extends ComponentDispatcher
{
/**
* Method to check component access permission
*
* @since __DEPLOY_VERSION__
*
* @return void
*/
protected function checkAccess()
{
if (empty($component = $this->app->getInput()->getCmd('component', '')))
{
parent::checkAccess();
return;
}
if (!$this->app->getIdentity()->authorise('core.manage', $component))
{
throw new NotAllowed($this->app->getLanguage()->_('JERROR_ALERTNOAUTHOR'), 403);
}
}
}
@joomdonation Unfortunately, this is a bad time for me to spend on anything other than a client project at a critical stage. Moreover, I am too sloppy and clumsy and seem to lack the minimum skills and intelligence required to complete PRs successfully. So I suggest someone else picks this up.
OK. Thanks @pjdevries for the answer. We will try to find someone to complete the PR, then :).
This have been hunting me for years!
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-02-07 15:31:43 |
| Closed_By | ⇒ | joomdonation |
@pjdevries Sorry for lately response. Your suggested solution is good, except that :
For reference, here is the code in Joomla 3 https://github.com/joomla/joomla-cms/blob/3.10-dev/administrator/components/com_config/controller/component/save.php#L54-L67
Could you please make a PR with the necessary changes? Many thanks !