Feature No Code Attached Yet Maintainers Checked
itmagpro
17 Aug 2023

Hello!

In Joomla 4.3, I want to remove the "All" option from the limit select box:

<select id="limit" name="limit" class="form-select" onchange="this.form.submit()">
	...
	<option value="0">All</option>
</select>

Because this option is destructive on very big sites with very large numbers of items!

But I found that this is hardcoded in /libraries/src/Pagination/Pagination.php, in the function getLimitBox():

public function getLimitBox()
{
    $limits = [];

    // Make the option list.
    for ($i = 5; $i <= 30; $i += 5) {
        $limits[] = HTMLHelper::_('select.option', "$i");
    }

    $limits[] = HTMLHelper::_('select.option', '50', Text::_('J50'));
    $limits[] = HTMLHelper::_('select.option', '100', Text::_('J100'));
    $limits[] = HTMLHelper::_('select.option', '0', Text::_('JALL'));
    ...
}

I did not find any way to override the getLimitBox() function.

The only "solution" is to disable the display of the limit box in the configuration.

Does somebody know some other way to override the getLimitBox() function, instead of disabling the display of the limit box?

And what do the Joomla devs think about this 'JALL'? This must be configurable in some way?

Maybe an additional knob needs to be added in Global Configuration, on the Site tab, such as "Allow show All"?!

itmagpro - open - 17 Aug 2023
joomla-cms-bot - change - 17 Aug 2023
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 17 Aug 2023
itmagpro - change - 17 Aug 2023
The description was changed
itmagpro - edited - 17 Aug 2023
brianteeman - comment - 17 Aug 2023

You are looking at the wrong code.

You should be looking at the code for the limitboxfield in libraries\src\Form\Field

itmagpro - comment - 17 Aug 2023

You are looking at the wrong code.

You should be looking at the code for the limitboxfield in libraries\src\Form\Field

Very nice, but how do I override it and remove JALL?

Only one small additional knob in Global Configuration, on the Site tab, such as "Allow show All", must solve this important issue.

itmagpro - change - 17 Aug 2023
The description was changed
itmagpro - edited - 17 Aug 2023
chmst - comment - 17 Aug 2023

Thanks for providing this suggestion. I never thought about that, but if your admins use the "All" option on a really huge database, it can indeed be an issue. We keep this as a feature request.

chmst - change - 17 Aug 2023
Labels Added: Feature
chmst - labeled - 17 Aug 2023
brianteeman - comment - 17 Aug 2023

Even on a site with 50,000 articles the ALL has a useful function as it applies to the filtered list as well as an unfiltered list

itmagpro - comment - 17 Aug 2023

@chmst
Thanks for providing this suggestion. I never thought about that, but if your admins use the "All" option on a really huge database, it can indeed be an issue. We keep this as a feature request.

This is not only if admins use the "All" option; it is very dangerous when this option is accessible on the frontend for all users! This is a potential hole for a DDOS attack on a site/server.

It would be more useful if the limit list were more adjustable, as min -> max values... [5, 10, 15, 20, 25, 30, 50, 100, 200, 500, 0]

We will be waiting impatiently for the implementation.

Gratia-Mira - comment - 26 Feb 2024

@itmagpro
I agree! Certain Joomla extensions have recognised this problem and let the request "ALL" run into the void. Not such a great way either.

But there is a very simple way to hide this with jQuery. Simply insert this code at the end of the body as a workaround. "id" and "option" must of course be adapted.
<script> $('select[id="limit"] option[value="0"]').remove(); </script>

(You've probably already figured it out.)

itmagpro - comment - 29 Feb 2024

@Gratia-Mira
Nice! But this is just a fake masquerade and does not protect from direct requests...

ReLater - comment - 29 Feb 2024

Certain Joomla extensions have recognised this problem and let the request "ALL" run into the void.

Custom components can use attributes limits and/or remove and/or showall="false" in fields of type Limitbox to change the options.

But there is a very simple way to hide this with jQuery.

One can also override JLayout layouts\joomla\form\field\list.php by adding a condition like (at least in Joomla 5)

if ($name === 'list[limit]')
{
	foreach($options as $key => $option)
	{
		if ($option->value == 0)
		{
			unset($options[$key]);
		}
	}
}

I know, you'll find a more elegant way ;-)


But this is just a fake masquerade and does not protect from direct requests...

I don't think that there is a practicable way in Joomla core without changing many files (mainly models and/or tables) to avoid these requests even if there is a global setting to hide JALL in limitboxes.

itmagpro - comment - 1 Mar 2024

@ReLater

... I don't think that there is a practicable way in Joomla core without changing many files (mainly models) to avoid these requests even if there is a global setting to hide JALL in limitboxes.

Exactly, and this is very bad! This is a very important hole for sites with a big/huge DB!

P.S. DDOS welcome ... or somehow filter requests on the OS layer and drop JALL (if this value is set in the request)

UPD: ...the global setting MUST NOT hide JALL, but JALL MUST BE FORBIDDEN (on the Joomla core layer) if this is defined in the global setting! This is possible! And there is no need to change many files (mainly models); the Joomla core needs to change in this part (pagination etc.)! Understand, ok? But who will do this? I? But I have no time (war etc.), and no donations, no love, no peace in this hostile world...

itmagpro - comment - 2 Mar 2024

We found a crutch feature to fix this hole for the whole site, and also tested it: rewrite _REQUEST in defines.php. Enjoy, guys :)

rdeutz - comment - 27 Apr 2024

We found a crutch feature to fix this hole for the whole site, and also tested it: rewrite _REQUEST in defines.php. Enjoy, guys :)

Great idea to use user provided content without filtering, don't do that!

If you really can wait make a system plugin and try to change it onAfterRoute something.
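
One way the onAfterRoute hint above could be implemented, as an added example (not code from this thread or from Joomla core). The namespace, the class name ClampListLimit and the MAX_LIMIT value are hypothetical, and it assumes Joomla 4.2 or later with the plugin registered through the usual service provider so that getApplication() is available:

```php
<?php
// Added example, not Joomla core code. ClampListLimit, its namespace and
// MAX_LIMIT are hypothetical names. Assumes list views take their page size
// from "limit" or "list[limit]" in the request.
namespace Example\Plugin\System\ClampListLimit\Extension;

use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\Event\SubscriberInterface;

\defined('_JEXEC') or die;

final class ClampListLimit extends CMSPlugin implements SubscriberInterface
{
    private const MAX_LIMIT = 100; // largest page size a visitor may request

    public static function getSubscribedEvents(): array
    {
        return ['onAfterRoute' => 'onAfterRoute'];
    }

    public function onAfterRoute(): void
    {
        $app = $this->getApplication();
        // Leave the administrator alone; the concern here is the public frontend.
        if (!$app->isClient('site')) {
            return;
        }
        $input = $app->getInput();

        // Flat form: limit=0
        if ($input->get('limit', null, 'raw') !== null) {
            $input->set('limit', $this->clamp($input->get('limit', null, 'raw')));
        }

        // Nested form submitted by the limitbox field: list[limit]=0
        $list = $input->get('list', [], 'array');
        if (\array_key_exists('limit', $list)) {
            $list['limit'] = $this->clamp($list['limit']);
            $input->set('list', $list);
        }
    }

    // 0 ("All"), negatives, non-scalar input and values above the cap all become the cap.
    private function clamp($value): int
    {
        $limit = \is_scalar($value) ? (int) $value : 0;
        return ($limit < 1 || $limit > self::MAX_LIMIT) ? self::MAX_LIMIT : $limit;
    }
}
```

This only rewrites the incoming request, so a limit that reaches a model by another route (for example a value already held in session state or set in a menu item) is not covered by it.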

HLeithner - comment - 28 Apr 2024

create a plugin with the following function

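use Joomla\CMS\Event\Model\PrepareFormEvent;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\Event\SubscriberInterface;

class DisableShowAll extends CMSPlugin implements SubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            'onContentPrepareForm' => 'onContentPrepareForm',
        ];
    }

    public function onContentPrepareForm(PrepareFormEvent $event)
    {
        $form = $event->getForm();
        $xml  = $form->getXml();

        // Find every limitbox field in the form definition.
        $elements = $xml->xpath('//field[@type="limitbox"]') ?: [];

        foreach ($elements as $element) {
            // Assign instead of addAttribute(): addAttribute() raises a warning
            // and changes nothing when the field already has a showall attribute.
            $element['showall'] = 'false';
        }
    }
}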

How to create plugins can be found at https://manual.joomla.org/docs/next/building-extensions/plugins/basic-content-plugin.

I added this issue to the next Wednesday maintainer meeting.

itmagpro - comment - 28 Apr 2024

We found a crutch feature to fix this hole for the whole site, and also tested it: rewrite _REQUEST in defines.php. Enjoy, guys :)

Great idea to use user provided content without filtering, don't do that!

If you really can wait make a system plugin and try to change it onAfterRoute something.

@rdeutz do you understand what you are talking about? Explain to me, please, how we can "use user provided content without filtering" when we only filter (check) and set the needed value in the $_REQUEST['list']['limit'] parameter? Explain to me, please, or don't spam here about nothing!

HLeithner
DisableShowAll plugin...

Nice! But this is just a fake masquerade and does not protect from direct requests! @HLeithner - you do not understand this issue enough.

Originally posted by @itmagpro in #41380 (comment)

No need for any plugins, [rewrite _REQUEST in defines.php] is an elegant enough solution to fix this Joomla bug! Enjoy, guys :)

Originally posted by @itmagpro in #41380 (comment)

brianteeman - comment - 28 Apr 2024

Wow - some automated translators are either really bad or really rude

HLeithner - comment - 28 Apr 2024

@itmagpro your tone is very rude. If you don't stop this insulting and start to communicate in a nice way with people trying to help you, it will end in a temporary ban from this repo.

itmagpro - comment - 28 Apr 2024

@itmagpro your tone is very rude. If you don't stop this insulting and start to communicate in a nice way with people trying to help you, it will end in a temporary ban from this repo.

@HLeithner My tone is very nice and without empty words!

NO ONE BODY NOT HELPED ME HERE!!!

I HELPED BY ME SELF!

SO... - fuc.you all, spammers! Bye.

HLeithner - comment - 28 Apr 2024

At least you are making it easy for us. I banned you until further notice.

Besides that, Robert gave you the hint to implement your filter in a system plugin in the onAfterRoute event.
I explained to you how to fix the form fields.

Anyway, we will look at this again on Wednesday.

rdeutz - change - 9 May 2024
Labels Added: Maintainers Checked
rdeutz - labeled - 9 May 2024
rdeutz - comment - 9 May 2024

We discussed this yesterday in the weekly maintainers meeting. We think a good first step would be to have a layout for this. If someone wants to make a PR, we are happy to look at it.
