No Code Attached Yet bug
HLeithner
6 Jun 2026

What happened?

The button code expects a string from the event, but an integer is given, which makes the ACL check work incorrectly.

The onDisplay method expects a string and checks if it's empty:

public function onDisplay($name, $asset, $author)
{
    $doc       = $this->getApplication()->getDocument();
    $user      = $this->getApplication()->getIdentity();
    $extension = $this->getApplication()->getInput()->get('option');

    // For categories we check the extension (ex: component.section)
    if ($extension === 'com_categories') {
        $parts     = explode('.', $this->getApplication()->getInput()->get('extension', 'com_content'));
        $extension = $parts[0];
    }

    $asset = $asset !== '' ? $asset : $extension;

In the onEditorButtonsSetup method we provide $event->getAsset() to the onDisplay method which always returns an integer.

$button = $this->onDisplay($event->getEditorId(), $event->getAsset(), $event->getAuthor());

Version

5.4

Expected result

The ACL check should be able to handle an integer correctly, or the setup method should provide a string.

Actual result

handle integer correctly

System Information

No response

Additional Comments

No response

Fedik - comment - 7 Jun 2026

This should be the asset ID; I think it is always an integer.

$this->asset = $this->form->getValue($this->assetField) ?: (string) $this->element['asset_id'];

Asset ID of edited content.

I would try to change this line to check zero or empty:

$asset = $asset !== '' ? $asset : $extension;

Something like:

$asset = $asset ? $asset : $extension;
joomdonation - comment - 8 Jun 2026

We received the asset ID here, but the $user->authorise('core.edit', $asset) method expects $asset to be the asset name, so the correct fix would be to get the asset name based on the given ID and pass it to the $user->authorise calls for checking permission.

joomdonation - comment - 8 Jun 2026

I wonder if the permission check for the button is needed at all. From a quick look at the code, it seems the check means "show the button if the current user can add/edit an item". However, that kind of check is already handled by our ACL system in the controller. If the user does not have permission to add/edit an item, they cannot reach the form and the editor won't be displayed, so the check seems useless to me. Not sure if I missed something here.
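
Added example, not code from the Joomla project or from the commenters: the strict check quoted in the report next to the truthiness check suggested in the thread, run over constructed inputs, plus a variant that turns an ID into a name before any permission call. `EXTENSION`, `ASSET_NAMES` and the three function names are assumptions made for this illustration; the lookup is a stand-in, not a Joomla API.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins, not Joomla code: the extension taken from the request
// and a hypothetical asset ID => asset name lookup.
const EXTENSION = 'com_content';
const ASSET_NAMES = [42 => 'com_content.article.42'];

// The check quoted in the report: only the empty string triggers the fallback.
function assetStrict(int|string|null $asset): int|string|null
{
    return $asset !== '' ? $asset : EXTENSION;
}

// The truthiness check suggested in the thread: 0, '0', '' and null fall back.
function assetTruthy(int|string|null $asset): int|string
{
    return $asset ? $asset : EXTENSION;
}

// Variant that also maps a known ID to a name (hypothetical lookup) so the
// caller always gets a string; unknown IDs fall back to the extension, which
// is a choice made for this example.
function assetName(int|string|null $asset): string
{
    if (is_int($asset) || (is_string($asset) && ctype_digit($asset))) {
        return ASSET_NAMES[(int) $asset] ?? EXTENSION;
    }
    return is_string($asset) && $asset !== '' ? $asset : EXTENSION;
}

// Constructed inputs: integer IDs, string forms, null and a full asset name.
$samples = [0, 42, '', '0', null, 'com_content.article.42'];

printf("%-28s %-28s %-28s %s\n", 'input', 'strict', 'truthy', 'name');
foreach ($samples as $value) {
    printf(
        "%-28s %-28s %-28s %s\n",
        var_export($value, true),
        var_export(assetStrict($value), true),
        var_export(assetTruthy($value), true),
        var_export(assetName($value), true)
    );
}
```

The `strict` column passes `0` and `NULL` through unchanged, so the fallback to the extension never happens for them; the `truthy` column falls back but still returns an integer for a non-zero ID.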
