Joomla! Issue Tracker | Joomla! CMS #39485 - [4.2] Fix permission overridecheck quickicon

? ?

Fixed in Code Base
29 Dec 2022
Medium
Build: 4.2-dev
# 39485
Diff
heelc29:4.2/plugins/quickicon/overridecheck

Pending

User tests: Successful: Unsuccessful:

heelc29
24 Dec 2022

Summary of Changes

The permission for show the quickicon and the link/ajax do not match (com_installer vs. com_templates)

joomla-cms/plugins/quickicon/overridecheck/overridecheck.php

Lines 68 to 77 in e9b9263

    
           if ($context !== $this->params->get('context', 'update_quickicon') || !$this->app->getIdentity()->authorise('core.manage', 'com_installer')) { 
        
               return array(); 
        
           } 
        
           $token    = Session::getFormToken() . '=1'; 
        
           $options  = array( 
        
               'url'      => Uri::base() . 'index.php?option=com_templates&view=templates', 
        
               'ajaxUrl'  => Uri::base() . 'index.php?option=com_templates&view=templates&task=template.ajax&' . $token, 
        
               'pluginId' => $this->getOverridePluginId(), 
        
           );

Testing Instructions

Check the admin dashboard with a user with these permissions:

Actual result BEFORE applying this Pull Request

Ajax request get 403 status (forbidden)

When you click on the quickicon

Expected result AFTER applying this Pull Request

The quickicon is no longer displayed

Now if you swap permissions for com_installer/com_templates, the quickicon works correctly:

Link to documentations

Please select:

No documentation changes for docs.joomla.org needed
No documentation changes for manual.joomla.org needed

Votes

# of Users Experiencing Issue

1/1

Average Importance Score

3.00

9427139 24 Dec 2022

[4.2] Fix permission overridecheck quickicon

joomla-cms-bot - change - 24 Dec 2022

Category

⇒

Front End Plugins

heelc29 - open - 24 Dec 2022

heelc29 - change - 24 Dec 2022

Status

New

⇒

Pending

carlitorweb - test_item - 25 Dec 2022 - Tested successfully

carlitorweb - comment - 25 Dec 2022

I have tested this item ✅ successfully on 9427139

Note: For get the right permission the test require, is enough with create a user under Registered group and add the "Access Administration Access" from the global configuration permissions. From there you can follow the test indication.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39485.}

viocassel - test_item - 28 Dec 2022 - Tested successfully

viocassel - comment - 28 Dec 2022

I have tested this item ✅ successfully on 9427139

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39485.}

Quy - change - 28 Dec 2022

Status	Pending	⇒	Ready to Commit
Labels	Added: ?

Quy - comment - 28 Dec 2022

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39485.}

efc3878 29 Dec 2022

Merge branch '4.2-dev' into 4.2/plugins/quickicon/overridecheck

roland-d - change - 29 Dec 2022

Labels

Added: ?

roland-d - close - 29 Dec 2022

roland-d - merge - 29 Dec 2022

roland-d - change - 29 Dec 2022

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2022-12-29 11:15:26
Closed_By		⇒	roland-d

roland-d - comment - 29 Dec 2022

Thank you

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#39485] - [4.2] Fix permission overridecheck quickicon

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Link to documentations

Votes

Add a Comment

	if ($context !== $this->params->get('context', 'update_quickicon') \|\| !$this->app->getIdentity()->authorise('core.manage', 'com_installer')) {
	return array();
	}

	$token = Session::getFormToken() . '=1';
	$options = array(
	'url' => Uri::base() . 'index.php?option=com_templates&view=templates',
	'ajaxUrl' => Uri::base() . 'index.php?option=com_templates&view=templates&task=template.ajax&' . $token,
	'pluginId' => $this->getOverridePluginId(),
	);