[#39706] - Serious ACL Problems
- Closed
- 7 Feb 2023
- Medium
- Build: 4.2-dev
- # 39706
or I just don't get it
Steps to reproduce the issue
Create a user with Manager permissions
Login with that user and confirm that for com_content there is no Options button
Log back in as a super user and go to the com_content options and change the permissions to give the Manager permission for the options.
Log back in as a manager confirm that for com_content there now is an Options button
Expected result
Clicking on the Options button will display the options for the component
Actual result
403 Access denied
Additional comments
The button is displayed because the code checks that you gave permission to the component for that user.
However you dont get access because you do not have permission to access the admin interface of com_config which can only be set in global configuration and would give access to all the components
Either I am missing something or this is a serious bug in the ACL system.
joomla-cms-bot
- | Labels |
Added:
No Code Attached Yet
|
||
@brianteeman Also noticed it
@joomdonation go for it :)
I do not know if this is connected but I was also confused that I gave an user Access to create Users but the buttons for this were not shown because the buttons are assigned to user group special. I thought that the buttons should be also shown depending on the general access and not by module acl. ?
I thought that the buttons should be also shown depending on the general access and not by module acl. ?
@coolcat-creations your assumption is correct
@richard67 If it was up to me, Id close #36273 (especially after reading #36273 (comment))
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2023-02-07 15:31:23 |
| Closed_By | ⇒ | joomdonation |
You are not missing anything. There is a bug in com_config ACL check, also reported before here #36273 . I'm going to make a PR to fix this issue in the next few days if no one is faster.