[#39486] - [4.2] Fix check permission in mod_submenu
- Fixed in Code Base
- 5 Jan 2023
- Medium
- Build: 4.2-dev
- # 39486
- Diff
- heelc29:4.2/admin/modules/submenu
User tests: Successful: Unsuccessful:
Summary of Changes
The check of permissions for the menu items is different between mod_submenu (dashboards) and mod_menu (main menu).
administrator/modules/mod_submenu/src/Menu/Menu.php#L136 ff.
administrator/modules/mod_menu/src/Menu/CssMenu.php#L333 ff.
Testing Instructions
Enable workflows in article options:
Check the content dashboard with a user with these permissions on com_content:
Actual result BEFORE applying this Pull Request
Categories is only displayed in the main menu (also applies to com_contact, ...)
When you click on workflows
Expected result AFTER applying this Pull Request
Categories is displayed in the module of the dashboard
Module containing workflows is not displayed (because no access to core.manage.workflow of com_content)
Link to documentations
Please select:
- No documentation changes for docs.joomla.org needed
- No documentation changes for manual.joomla.org needed
Votes
joomla-cms-bot
- | Category | ⇒ | Modules Administration |
| Status | New | ⇒ | Pending |
I confirm the issue when you click on workflows and the PR fix it. But I have listed here Categories without apply the PR.
User permissions over com_content
I confirm the issue when you click on workflows and the PR fix it. But I have listed here Categories without apply the PR.
@carlitorweb Ah, for my test I denied access core.manage globally and enabled it only for com_content. So without the patch it will try to check the permissions for com_categories that don't exist, thus falling back to the global permissions where core.manage is allowed.
Ok if you allow it globally you could deny it (core.manage) for com_content and then open the content dashboard. Here should the link to categories still visible but when you click on it you will get an 403?
Ok if you allow it globally you could deny it (
core.manage) forcom_contentand then open the content dashboard. Here should the link to categories still visible but when you click on it you will get an 403?
No, the result is same, not show any relate resources to the content component
This are the permissions:
No, the result is same, not show any relate resources to the content component
@carlitorweb Yes, in the main menu (mod_menu) is correct, but at dashboard (mod_submenu) is not correct.
There are tho test cases:
- I described in the test instruction (global: denied; content: allowed)
- Link to Categories is missing at dashboard, although you have access and it is displayed in the (left) main menu
- You tested now (global: allowed; content: denied)
- Link to Categories is displayed at dashboard, although you don't have access and it doesn't displayed in the (left) main menu --> 403 Error
Yes, in the main menu (mod_menu) is correct, but at dashboard (mod_submenu) is not correct.
This is correct, my fault. Now all is okay.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39486.
| Status | Pending | ⇒ | Ready to Commit |
| Labels |
Added:
?
|
||
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39486.
| Labels |
Added:
?
|
||
Thank you.
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-01-05 12:26:42 |
| Closed_By | ⇒ | roland-d |
I have tested this item✅ successfully on 22bb4fc
can replicate the issue, the pull request solved it.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/39486.