No Code Attached Yet
peter1szalatnay
5 Apr 2024

Steps to reproduce the issue

Noticed when filtering on category in the Articles view and clicking Add on a category where users should not have permission to create an article: they can still do it.

In Joomla 3 the hathor template had all the filter fields hard coded in the template files with filter_category_id, but Joomla 5 is using the filter_articles.xml and the filter name has changed from filter_category_id to category_id.

A quick search in the source for filter_category_id shows Banners, Articles and Newsfeeds are affected by the same issue.

  1. Create a category and remove create permission from test user
  2. In Articles view filter on previously created category
  3. Create an Article

Expected result

User should not be able to create an article from a filtered category where they do not have create access.

Actual result

User can create an article in the articles view when category filter is enabled.

System information (as much as possible)

Joomla 5.0

Additional comments

There is more legacy filter code left in the article model from the hathor template. All the filters in populateState are not required anymore, as there is new code in ListModel to take care of it.

peter1szalatnay - open - 5 Apr 2024
joomla-cms-bot - change - 5 Apr 2024
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 5 Apr 2024
brianteeman - comment - 5 Apr 2024

I am unable to replicate this. What am I missing?

I created a category (cat1)
I set the create permissions for manager to deny
I created a user (testing) with the level manager so that this user does not have create permission for the category (cat1)
I logged in as that user (testing)

I created a new article and the category select does not show cat1 so I cannot save in cat1

I display the list of articles and filter by the forbidden category (cat1)
I click new article and the article edit opens with the category preselected as cat1
I try to save the article - save not permitted

peter1szalatnay - comment - 5 Apr 2024

It should already fail when you try to add the article, and not allow the edit view.

return $this->app->getIdentity()->authorise('core.create', 'com_content.category.' . $categoryId);

Just remove legacy hathor way of doing things, and move to how it should work.

brianteeman - comment - 5 Apr 2024

you stated that you can create an article in a category where you do not have permission to do so. I cannot replicate that. I'm not going to waste my time any further

Flowman - comment - 16 Apr 2024

@brianteeman always a pleasure to deal with you.

Looks like @Hackwar removed the legacy filter #43230

@Hackwar maybe you can add 2 lines of code to fix this issue

$filters = $this->input->get('filter', [], 'array');
$categoryId = \array_key_exists('category_id', $filters) ? reset($filters['category_id']) : ArrayHelper::getValue($data, 'catid', null, 'int');

Or just remove the whole thing as the filters can be an array and how do we know for which one to take.
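The following is an added illustration, not code from Joomla or from anyone in this thread: it contrasts a legacy-style lookup of the Joomla 3 name filter_category_id (which Joomla 5 never sends, so the check silently falls through) with a replacement that reads filter[category_id] as an array and requires core.create on every selected category. The helper names (authoriseCreate, allowAddLegacy, allowAddFixed), the permission map and the request payload are constructed for the example.

```php
<?php
declare(strict_types=1);

/** Constructed stand-in for $this->app->getIdentity()->authorise('core.create', ...). */
function authoriseCreate(int $categoryId, array $acl): bool
{
    return $acl[$categoryId] ?? false;
}

/** Legacy-style check: looks for the Joomla 3 filter name, which Joomla 5 no longer posts. */
function allowAddLegacy(array $request, array $data, array $acl): bool
{
    $categoryId = $request['filter_category_id'] ?? ($data['catid'] ?? null);
    if ($categoryId === null) {
        // Constructed fallback: a new article has no catid yet, so the category
        // check is skipped entirely and the edit view opens.
        return true;
    }
    return authoriseCreate((int) $categoryId, $acl);
}

/** Replacement: resolve from filter[category_id] (may hold several ids) and check each. */
function allowAddFixed(array $request, array $data, array $acl): bool
{
    $filters  = $request['filter'] ?? [];
    $selected = (array) ($filters['category_id'] ?? []);
    $selected = array_filter(array_map('intval', $selected)); // drop empty/zero entries
    if ($selected === [] && isset($data['catid'])) {
        $selected = [(int) $data['catid']];
    }
    if ($selected === []) {
        return true; // nothing to check against; the component-level rule applies
    }
    foreach ($selected as $categoryId) {
        if (!authoriseCreate($categoryId, $acl)) {
            return false; // any forbidden category in the filter blocks Add
        }
    }
    return true;
}

// Constructed sample: the user may create in category 2 but not in 7,
// and the list view is currently filtered on category 7.
$acl     = [2 => true, 7 => false];
$request = ['filter' => ['category_id' => ['7']]];
var_dump(allowAddLegacy($request, [], $acl));
var_dump(allowAddFixed($request, [], $acl));
```

Run with the PHP CLI; the legacy variant allows Add because the filter key it expects is absent, while the fixed variant denies it because category 7 is in the active filter.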

brianteeman - comment - 16 Apr 2024


Looks like @Hackwar removed the legacy filter #43230

That is proposed for 5.2
