Try to access the following link:
http://anyjoomlasite.com/?option=com_content&view=form&layout=edit
If no restrictions are set on accessing this link (e.g. by creating a menu item and adding access restrictions), you should see the frontend content input form.
The page returned is a 403 error: You are not authorised to view this resource.
This bug is at least apparent in Joomla 3.3.3 and in 2.5.24.
Edit/create authorization checking for the form view in com_content in the frontend is happening in the display method of view.html.php. This permission check has no effect on an unprivileged user's ability to save data, but prevents creative use of the input form. Another core component that allows frontend editing, com_users, does not have this sort of authorization check on displaying the form, unless this is specifically set in the configuration in some way (try http://anyjoomlasite.com/?option=com_users&view=registration ).
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2014-08-29 09:19:58
Well, I'm sure the programmer intended it to be like this, but that does not change that the logic is wrong: you are not creating or editing anything by displaying a form. Yes, you could choose not to display the input form to unprivileged users, to help them know what they are allowed to do. This is solved nicely in other parts of com_content: the model is checking whether the user is allowed to change the item state. This info is saved in $item->params in parameter "access-change". Also, info on whether a user has access to edit this particular item is registered in parameter "access-edit". This information is then used in edit.php, to help display the right options for the user, and not show an access dropdown if the user is not allowed to change the access. However, a malicious programmer can easily override this, and modify the page HTML on the fly, to add in a state select input. So the actual security is in the controller or model when saving the data, not in displaying the form.
So, if you intend to keep this behavior, I would prefer if you move the privilege-check to edit.php, so it is possible to easily override it by programmers.
This comment was created with the J!Tracker Application at http://issues.joomla.org/.
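As an added illustration of the separation the comment above describes (this is not Joomla core code and not the reporter's): ACL results feed the layout as UI hints only, while the save path re-runs the same checks and discards fields the user may not change. It assumes the Joomla 2.5/3.x API (JFactory::getUser(), JFactory::getApplication()->input, JUser::authorise(), JText::_()); the class and method names are hypothetical.

```php
<?php
// Hypothetical helper (not Joomla core) showing why hiding a form is only
// a usability measure and the real check belongs on the save path.
defined('_JEXEC') or die;

class ExampleArticleAccess
{
    // UI hints, in the spirit of the "access-edit" / "access-change" params
    // the comment describes; the layout (edit.php) uses these to decide
    // whether to render the state/access dropdowns.
    public static function uiFlags($articleId)
    {
        $user  = JFactory::getUser();
        $asset = 'com_content.article.' . (int) $articleId;

        return array(
            'access-edit'   => $user->authorise('core.edit', $asset),
            'access-change' => $user->authorise('core.edit.state', $asset),
        );
    }

    // Authoritative check, run by the controller before handing data to the
    // model. Returns the filtered data array, or false when saving is denied.
    // A client that injects a <select name="jform[state]"> into the page
    // still cannot change the state: the field is dropped server-side.
    public static function authoriseSave()
    {
        $user  = JFactory::getUser();
        $input = JFactory::getApplication()->input;
        $data  = $input->post->get('jform', array(), 'array');
        $id    = isset($data['id']) ? (int) $data['id'] : 0;
        $asset = $id ? 'com_content.article.' . $id : 'com_content';

        $allowed = $id
            ? $user->authorise('core.edit', $asset)
            : $user->authorise('core.create', $asset);

        if (!$allowed) {
            // Same outcome whether or not the form was ever displayed.
            JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
            return false;
        }

        if (!$user->authorise('core.edit.state', $asset)) {
            unset($data['state']);   // not permitted to publish/unpublish
        }

        return $data;
    }
}
```

The controller would call authoriseSave() and pass the returned array to the model; the uiFlags() values only shape what edit.php renders.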
Yes, it was intended by the coder who wrote it. Probably because there was no reason to actually show a form when you're not allowed to use it anyway.
If we add the checks in edit.php, it would mean that we remove/disable everything as the user isn't allowed to edit anything. Basically it is the same as now, but instead of an error message which tells you that you're not authorised it would show you an empty/readonly form. Not much better.
I'm still wondering what the actual use case would be to allow showing that form.
The use case could be as simple as allowing an unprivileged user to write an article, but make him have to register before the article is actually committed.
I think it would be good to be open to the fact that software like the Joomla core can be used in many ways you yourself have not thought of; that's the beauty of it. Adding security and improving user interaction is good, but disabling functionality if it does not improve security is bad.
You can still redirect to a 403 message in edit.php, but this way it is trivial for programmers to override this restriction and display the form regardless of access privileges.
This comment was created with the J!Tracker Application at http://issues.joomla.org/.
Surely in that example the unprivileged user will see the form and complete it, only for it to be rejected when they hit submit.
The use case could be as simple as allowing an unprivileged user to write an article, but make him have to register before the article is actually committed.
That use case is actually already possible without any modifications at all. Set the permissions so the "Guest" usergroup is allowed to create a new article, and your form will show. Any visitor can create an article which then needs to be approved by a "publisher".
So if you need that form to be accessible by anyone, just set the correct permissions so they're allowed to create and everything works.
OK, now you're just being stubborn, defending yourself and not reading what I write.
I think it would be good to be open to the fact that software like the Joomla core can be used in many ways you yourself have not thought of; that's the beauty of it.
My point is there are many use cases where displaying the form does not mean you are allowed to save the data. Of course my example could be solved like you suggest, but you could also force the user to register on submit, so when the article is submitted, there actually is a valid user.
In conclusion, it is generally wrong to disallow something because of lacking create/edit privileges, when nothing is created or edited. If you do this, it should be possible to override this behavior.
This comment was created with the J!Tracker Application at http://issues.joomla.org/.
My point is there are many use cases where displaying the form does not mean you are allowed to save the data. Of course my example could be solved like you suggest, but you could also force the user to register on submit, so when the article is submitted, there actually is a valid user.
My point was that you didn't show a use case, and I actually think it's a bad idea to show a useless form. It may also be a security issue, given that the form may contain information which is not meant to be shown to a visitor. If done in a secure way (e.g. only showing fields allowed to edit), it would mean that we have to show either an empty (no fields) or readonly form. Both would make no sense at all. So not showing the form and giving a message instead is the better way anyway.
It's not about being stubborn or not reading what you wrote. I just think the current behavior is the correct thing to do.
Hi, sorry I'm still going on about this, but the way it's done really makes no sense to me: why is this check performed in this file? To me it's like this: if you have permissions to view the data, then allow showing the data in whatever form you want. If you want to provide a better user experience by not displaying the form to an unauthorised user, call raiseError() in edit.php, where the programmers adapting the user experience to their customers can more easily change the behavior. This is done for the other privileges: for example, the option to publish the article is only displayed if you are authorized.
If you really want to prevent people without privileges to access forms, then forms should be added to the acl system, and restricted in a predictable manner.
I'm thinking there is a reason there is no access-form privilege in Joomla, because accessing forms in general is not seen as this sort of resource: accessing data or saving data is restricted. You are adding an access check to a resource that is not restricted.
BTW: I came across the error when I was trying to call a frontend form from the backend, through a content plugin. It made sense to me to use the same form in the frontend and the backend, as I wanted the same functionality in both places.
Regards, Jonas
This comment was created with the J!Tracker Application at http://issues.joomla.org/.
Actually this is intended behavior. You are not allowed to see the form if you're not allowed to edit/create it (e.g. you have no business to do there).
You are also not allowed to directly load the form together with an article id. You need to go through the edit task first. Otherwise you get an error that you're not allowed to access this page directly.
Why would you want to see the form if you have no permissions to do anything with it?
What do you mean with "creative use of the input form"? It sounds like you want to hack something, and Joomla rightfully tells you that you're being way too creative.
Closing as it's not a bug.
PS: com_users is obviously different because a guest needs to see the form to register