No Code Attached Yet
robbiejackson
16 Jun 2023

Steps to reproduce the issue

On a new install of Joomla go in the backend to a component which has categories, e.g. com_contact, and display the Categories view. There should just be the Uncategorised category which is installed by default.

Click on the Uncategorised category to edit it, and go to the Permissions tab. Against Administrator in the left-hand panel, change the Create setting from Inherited to Denied.

Next create a new user who has the Assigned User Group of just Administrator.

Log in to the back-end of Joomla as this new user, and navigate to the com_contact Categories view.

Then click the New button.

Expected result

It should show the form for creating a new category.

Actual result

Joomla crashes with

Argument 2 passed to Joomla\CMS\Toolbar\Toolbar::versions() must be of the type int, null given, called in C:\wamp64\www\j426\administrator\components\com_categories\src\View\Category\HtmlView.php on line 239

System information (as much as possible)

Joomla 4.3.1 on Windows 10

Additional comments

The problem is in the line which is some lines above (line 193 in Joomla 4.3.1):

if ($isNew && (count($user->getAuthorisedCategories($component, 'core.create')) > 0)) {

The getAuthorisedCategories function queries the database looking for existing categories on which this user has the core.create permission.

If it doesn't find any (which is the case created by changing the permission on Uncategorised as described above) then the logic drops down to code which is associated with editing an existing record (after the else statement on line 205), causing the specific crash on line 239:

$toolbar->versions($typeAlias, $this->item->id);

because for a new record the item id is null.

There is another problem in that getAuthorisedCategories is being called with the first parameter set to $component when I believe it should be set to $extension. This shows itself as a problem when you have a component which uses 2 or more category fields, e.g. if com_product has one category field relating to size and another category field relating to price, and is implemented by (in manifest XML)

<administration>
  <submenu>
    <menu link="option=com_categories&amp;extension=com_product.size">Size Categories</menu>
    <menu link="option=com_categories&amp;extension=com_product.price">Price Categories</menu>
...

This will cause records to be written to the #__categories table with the extension field set to "com_product.size" or "com_product.price", and (if com_product has permissions at the asset level) records written to the #__assets table with the name field set to "com_product.size.category.2", "com_product.price.category.3" etc. With the way that the call to getAuthorisedCategories is written currently, these records won't be found (because it's looking for just records with "com_product").

Actually I'm not sure why it's trawling through the database anyway looking for these records. I would have thought that it would have been sufficient to check the $canDo object instead, as in:

if ($isNew) {
    // For new records, check the create permission.
    if ($this->canDo->get('core.create')) {
        // add toolbar buttons
    }
} else {
    // Toolbar buttons relating to an existing record.
}

robbiejackson - open - 16 Jun 2023
robbiejackson - change - 16 Jun 2023
Labels Removed: ?
joomla-cms-bot - change - 16 Jun 2023
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 16 Jun 2023
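
The fall-through described in the report, reduced to a stand-alone PHP sketch. This is an added example, not Joomla's code and not the change made in PR #40484: ToolbarStub, both buildToolbar* functions, the 'save' button name and the 'com_contact.category' alias are hypothetical; only the int type hint on the second argument of versions() is taken from the error message above.

```php
<?php
// Hypothetical stand-in for the toolbar. Only the int type hint on the second
// argument of versions() comes from the error message in the report.
final class ToolbarStub
{
    public array $buttons = [];
    public function add(string $name): void { $this->buttons[] = $name; }
    public function versions(string $typeAlias, int $itemId): void
    {
        $this->buttons[] = "versions:$typeAlias:$itemId";
    }
}

// Combined condition, as in the quoted line: "is new" and "may create" are one
// test, so a new record without create rights lands in the edit branch.
function buildToolbarCombined(ToolbarStub $tb, bool $isNew, int $creatable, ?int $itemId): void
{
    if ($isNew && $creatable > 0) {
        $tb->add('save');
    } else {
        $tb->versions('com_contact.category', $itemId); // TypeError if $itemId is null
    }
}

// Separated form, following the suggestion in the report: decide new versus
// existing first, then check the create permission inside the "new" branch.
function buildToolbarSeparated(ToolbarStub $tb, bool $isNew, bool $canCreate, ?int $itemId): void
{
    if ($isNew) {
        if ($canCreate) {
            $tb->add('save');
        }
    } else {
        $tb->versions('com_contact.category', $itemId);
    }
}

// Constructed case: new record (id is null), create denied on every category.
try {
    buildToolbarCombined(new ToolbarStub(), true, 0, null);
    echo "combined: no error\n";
} catch (TypeError $e) {
    echo "combined: TypeError\n";
}
$tb = new ToolbarStub();
buildToolbarSeparated($tb, true, false, null);
echo 'separated: ', count($tb->buttons), " buttons added\n";
```
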
heelc29 - comment - 17 Jun 2023

Could you take a look at the issue #40456 and the solution #40484 to it that is included in J4.3.2?

robbiejackson - comment - 17 Jun 2023

@heelc29 Yes, that fixes it ok. This PR can be closed.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/40784.

richard67 - close - 17 Jun 2023
richard67 - comment - 17 Jun 2023

Closing as already fixed with PR #40484.

richard67 - change - 17 Jun 2023
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2023-06-17 13:44:50
Closed_By: richard67
richard67 - comment - 17 Jun 2023

@heelc29 @robbiejackson Thanks for checking.
