Joomla! Issue Tracker | Joomla! CMS #44961 - Article - server side validation missing for update status. Access level issue.

No Code Attached Yet

TawareAditya
22 Feb 2025

Steps-

Create 2 articles with a Super admin login. Set 1 article with Super Admin access and the other with public or registered access.
Now log in with the Administrator user/role. Go to the article list page.
Open the inspector and replace the value of the article set for the Super Admin access level.
Click the status icon.
You can see the Super Admin access level article status get updated.

Should check the access level and server-side validation.

The same can reproduce using the Burp Suite application

# of Users Experiencing Issue

0/1

Average Importance Score

1.00

TawareAditya - open - 22 Feb 2025

TawareAditya - change - 22 Feb 2025

Labels

Removed: ?

joomla-cms-bot - change - 22 Feb 2025

Labels

Added: No Code Attached Yet

joomla-cms-bot - labeled - 22 Feb 2025

SniperSister - comment - 22 Feb 2025

Two things:

findings with a potential security-impact should always be reported to security@joomla.org, not in public tracker tickets
you are mixing access levels (which control view permissions) with ACL permissions. Permissions control what a user can do (create, update, delete etc), while access levels control what users see. It might seem counter-intuitive, but these two systems work independently from each other and therefore it's currently expected behavior that you can update the state of an entity that you can't see because the view levels mismatch.

So, I would suggest to close this issue.

chmst - change - 24 Feb 2025

chmst - close - 24 Feb 2025

chmst - comment - 24 Feb 2025

@TawareAditya thank you for your interest in Joomla.
As @SniperSister explains, this is a misunderstanding. So I close this and your other issues.

Joomla! Issue Tracker - CMS