[#42694] - [4.4] Align the access checks for the unpublished articles in frontend category
- Fixed in Code Base
- 12 Sep 2024
- Medium
- Build: 4.4-dev
- # 42694
- Diff
- ManuelHu:fix-42452
- Pending continuous-integration/drone/pr Build is pending Details
User tests: Successful: Unsuccessful:
This aligns the access checks for the published state and the publish_up/down checks to both use the given filter.published.
Pull Request for Issue #42452.
Summary of Changes
The main CategoryModel model has the right access checks in
joomla-cms/components/com_content/src/Model/CategoryModel.php
Lines 154 to 159 in 302ce23
Here, the access to the single category in question is checked the right way (i.e. by including the category id in the asset name).
But the category model does not filter the articles itself. For this, it calls into ArticlesModel:
joomla-cms/components/com_content/src/Model/CategoryModel.php
Lines 233 to 238 in 302ce23
and passes on the filter.published state.
But in ArticlesModel::getItems(), the access check is repeated with a generic asset tag (i.e. com_content w/o any category information), but only for the publish_up/down case. In the simple published case, no additional access check is performed, and just the value of filter.published is used.
joomla-cms/components/com_content/src/Model/ArticlesModel.php
Lines 492 to 496 in 302ce23
This patch essentially aligns the access checks for the published state and the publish_up/down checks to both use the given filter.published.
Testing Instructions
- Create a content category
- create articles in it
- at least one with published state
- one with published state and with publish_up in the future
- and one set to be hidden
- Create a user group and grant access to edit and edit-state for this category only
- create a category list menu item in the frontend menu
- log into the frontend with a user that is part of the group created in step 3
Actual result BEFORE applying this Pull Request
- the user can only see two of the articles: the published one, and the hidden one.
- The article with publish_up in the future is not visible
Expected result AFTER applying this Pull Request
- the logged-in user can see all three articles
- Note that this only changes the content of the list. The user always had the permission to view and edit the article (i.e. by "guessing" its URL), it was just not listed.
Link to documentations
Please select:
-
Documentation link for docs.joomla.org:
-
No documentation changes for docs.joomla.org needed
-
Pull Request link for manual.joomla.org:
-
No documentation changes for manual.joomla.org needed
Votes
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Front End com_content |
| Labels |
Added:
PR-4.4-dev
|
||
HLeithner
- | Title |
|
||||||
I have tested this item ✅ successfully on 3ed3af0
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42694.
| Status | Pending | ⇒ | Ready to Commit |
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42694.
| Labels |
Added:
RTC
|
||
| Status | Ready to Commit | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2024-09-12 08:00:15 |
| Closed_By | ⇒ | laoneo |
Thanks!
I have tested this item ✅ successfully on 3ed3af0
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/42694.