
Bakual - 4 Nov 2014

Issue

As written in #4982, the quickicon notification for the Joomla Update component doesn't show for administrators.
The reason is that the plugin checks if the user is authorised to access the extension manager, but it should check if the user is authorised to access the Joomla Update component.

Solution

This PR changes the ACL check so it checks the proper permissions.

Bakual - open - 4 Nov 2014
jissues-bot - change - 4 Nov 2014
infograf768 - comment - 4 Nov 2014

Although I think this PR is sensible, it does not solve the issue as described by the user in #4982

If I understand well, he said that the message should display, even if the administrator is not authorised to do the update

infograf768 - comment - 4 Nov 2014

Instead, maybe we could make the link $url a conditional?

Bakual - comment - 4 Nov 2014

I see what you mean. However I don't think I agree with showing the info there if the user can't solve it himself.
Especially for the extensions it could basically show every other day if you have certain extensions installed.
Afaik there are already extensions which you can install if you need a notification for the superuser. I don't think showing a notification to a less privileged user which then has to call the superuser is going to be a good idea.

The use case written in the issue was

With the latest version of Joomla (v3.3.6) I was taking a client to task for not updating her site with the latest security updates when it was brought to my attention that she could not see any indication that there were any updates available

This is exactly the bug I solve here. That client would have been able to update the core, but just didn't see a notification.

Who can update the core and extension, is depending on the ACL settings of those extensions and can be adjusted as needed.

westiefan - comment - 4 Nov 2014

@infograf768 Thank you. That is correct, but as all of my clients only have Administrator level access, I would like them to be able to do the updates themselves. We do not give our clients full super user access as many would not know what they are doing and could completely destroy their sites, but at the same time we need them to be responsible for doing the updates to the core Joomla and to the installed components, but we do not want to give them full super user access.

@Bakual Why not? As I said in my original post, they are administrator users, so why can they not administrate the site?? It does not make sense for them to be an admin user if they cannot do admin tasks.

You mention that it does not make sense to see the notice if the user can't "solve it himself". I would like for my users to "solve it themselves", but if they cannot, then I want them to be able to see the update notices as they are the site "administrators". I am at a loss to understand why you think that an administrator should not be able to carry out basic administration tasks.

If I did not want my users to be able to update the core or any previously installed components etc, then I would have given them "manager" level access.

From my days as a system administrator, the super user access levels should always be used sparingly, and the admin user should be able to carry out all but the most sensitive tasks, otherwise what is the point in calling them an administrator if they cannot do the site administration.

I hope you understand the point I am trying to make here.

For your information, with the exception of changing the admin permissions so that my clients can do the regular backups with Akeeba backup (though why they are restricted from doing this in the first place I do not know as it is a basic admin task!!), we only use the default administrator permissions as set by default, so please can you tell me what permissions I would need to change so that all of my admin users can not only see the update notices, but also carry out the updates.

Obviously we would prefer them to take out a support contract with us so that we can do the updates for them, but in order for us to persuade them that they need the support, we need them to at least see the regular update notices even if they cannot do it themselves, and to me (I disagree with you on this point) it makes perfect sense for them to see the notices regardless of whether or not they can carry out the update, as at least they are made aware that an update is required, as otherwise they never know unless we tell them, and for that to happen would mean that we have to constantly monitor their site for them, and this is not acceptable unless they have a support contract with us.

brianteeman - comment - 4 Nov 2014

"From my days as a system administrator, the super user access levels
should always be used sparingly, and the admin user should be able to carry
out all but the most sensitive tasks, otherwise what is the point in
calling them an administrator if they cannot do the site administration."

Surely updating the site is THE most sensitive task


Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

westiefan - comment - 4 Nov 2014

@brianteeman yes it is, and you are right, but some clients opt to look after their own sites, and there is little point in them being an administrator unless they can do administration tasks such as updating their own sites.

When I used to be a sys admin, there was only ever 1 super user, and we had a number of administrators that monitored and updated the sites, and in linux terms you only ever used the super admin access in order to be able to override certain aspects of the administration if it could not be done any other way. For all other admin tasks an administrator user should be able to do most tasks. Look to unix/linux for your guide on user level access here, that is all I am saying, as this makes much more sense to me.

Though I may be wrong, I seem to recall that administrator users were able to see the notices and update the sites themselves in Joomla 2.5, though it could be that we amended a setting somewhere to allow them to do this (sorry if the memory has faded over time!!).

westiefan - comment - 4 Nov 2014

@brianteeman Just a further point to reinforce what I am saying here, in the Joomla documentation there is an inference that an administrator can actually carry out admin tasks including installing components and modules etc, and it clearly states that the "What they cannot do however is change, edit or install Site Templates or make any changes to the sites Global configuration options." To me this means that they should be able to carry out the tasks that I have outlined, as neither of these changes should be affected by a pure update to the core.

Go to http://docs.joomla.org/User_Group_Access_levels_explained_in_simple_terms to read the full description, but here is the definition for an administrator in full, and as far as I can see there is absolutely no reason why an administrator user should be locked out from seeing the update notices or from actually being able to apply security updates according to my understanding of the Joomla stated role of an administrator.

Here is the extract in full:

"Administrator - This group allows access to most administration functions. An Administrator user has all the privileges on the back end of a Manager, but they also have access to set options on, and install/delete components, modules and bots, User Manager access and can view the site statistics. What they cannot do however is change, edit or install Site Templates or make any changes to the sites Global configuration options. On login through the Frontend, they are treated as Publishers, just like the Manager users. Interesting to note; when an Administrator accesses the User Manager list, they will see all users at their access level or below; in other words they can modify any user EXCEPT a Super Administrator – in fact, they will not even see Super Administrator accounts in the list! Also, they cannot create additional Super Administrator level accounts, only a Super Admin can do that."

Bakual - comment - 4 Nov 2014

@westiefan I think you misunderstood something
By default, an "Administrator" can access the "Joomla Update" component and thus update the Joomla core. He can't access the "Extension Manager" and thus can't update the extensions.

There is currently a bug in that the notification for the Joomla core update doesn't show even though the user could update it. This is what this PR would fix.

If you need your administrator user to also update the extensions, you need to give him permissions to access the extension manager. You can do that in the extension manager options just fine. And once he is able to access the extension manager, the notifications for extensions will also show up.

The only thing I disagreed on is that users without access to the Joomla Update / Extension Manager should see notifications for those managers. That doesn't make much sense to me since they will not be able to run the update anyway.

westiefan - comment - 4 Nov 2014

Just a quick update before I get hammered for my error, I have just noticed that the reference I used in my earlier post was the definitions from Joomla 1.5. However, at the risk of being shot down and given that there are no similar useful definitions for J2.5 or J3.x, and that technically there should not have been any significant changes to the definitions themselves (only in the way that they are achieved!!), I think that the definition is still valid.

westiefan - comment - 4 Nov 2014

@Bakual ok, apologies, I misunderstood your point, and from what you say here the PR should fix the issue I was highlighting.

Thank you for the info ref the extension manager, I will update my users accordingly where applicable.

Ref your point about users not seeing notices if they cannot actually do the update, I think that we will need to agree to disagree on this point, as to me it makes perfect sense for my clients, as they are not "techies" and have little understanding of the inner workings, but are quite capable of picking up the phone to call me when something needs updating, but they cannot do that if they are not aware that an update is needed. That is the point I am making, and yes, to a degree I admit that I want this so that I can use it as a marketing tool to persuade my clients that taking out a support contract with me is a good idea if they want to keep their sites updated with the latest security updates etc.

John

infograf768 - comment - 4 Nov 2014

@Bakual
If the Notice should not display when a user is not authorised to accomplish the task, then your PR is fine for me.

Bakual - comment - 4 Nov 2014

We could probably add an option to the plugins to always show the notifications, but turned off by default. And only show the links if the user is authorised to access them. Like JM suggested.

That should be easy to do.

westiefan - comment - 4 Nov 2014

@Bakual That would be a good compromise that I could certainly work with, as although I would like my users to be able to do their own updates as an administrator, I would be happy if I can set it so that they can see that an update is available, and then we can decide whether or not to give them the access that they need to do the update themself, or to sign them up for a support contract, depending on their individual skill levels.

Bakual - comment - 4 Nov 2014

I had a look and it looks like I promised too much. And I actually found that this PR doesn't work as well.

The thing is that the notification plugin does an AJAX request to the extension manager to see if there are any updates. And this will only work if you have access to that manager.
So the current check is actually correct and there is no simple and secure way to change that.

So if you want to see the notifications, you need to give access to the extension manager (com_installer).

Closing this PR as it doesn't solve anything.
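As an added illustration of the point above (constructed for this page, not the plugin's or the PR's own code), the shape of a quickicon check whose ACL gate matches the endpoint the icon actually polls: the icon's update check is an AJAX call into com_installer, so gating only on com_joomlaupdate, as this PR did, would render the icon for users whose poll is then rejected. The class name, the `onGetIcons` body and the language string are assumptions that follow the Joomla 3 plugin pattern; the JavaScript that performs the poll is omitted.

```php
<?php
// Constructed example, not the real plg_quickicon_joomlaupdate source.
// Joomla 3 quickicon plugins register their icon from onGetIcons(); the
// icon's script then asks com_installer (task update.ajax) whether core
// updates exist. The ACL gate must therefore cover that endpoint, or the
// icon appears while the request behind it fails with an access error.
class PlgQuickiconJoomlaupdateExample extends JPlugin
{
    public function onGetIcons($context)
    {
        // Only render in the quickicon module context we were configured for.
        if ($context != $this->params->get('context', 'mod_quickicon'))
        {
            return;
        }

        $user = JFactory::getUser();

        // The poll hits com_installer, so that permission is the one that
        // decides whether the update check can succeed at all. Checking
        // com_joomlaupdate alone (what this PR tried) lets a default
        // Administrator see the icon and then have the AJAX call denied.
        if (!$user->authorise('core.manage', 'com_installer'))
        {
            return;
        }

        // The icon links to Joomla Update, so that component must be
        // reachable as well; by default Administrators already have it.
        if (!$user->authorise('core.manage', 'com_joomlaupdate'))
        {
            return;
        }

        // Link target of the icon and the endpoint its script polls.
        $url     = JUri::base() . 'index.php?option=com_joomlaupdate';
        $ajaxUrl = JUri::base() . 'index.php?option=com_installer&view=update&task=update.ajax';

        // Language key below is assumed for the example.
        return array(array(
            'link'  => $url,
            'image' => 'joomla',
            'text'  => JText::_('PLG_QUICKICON_JOOMLAUPDATE_EXAMPLE_CHECKING'),
            'id'    => 'plg_quickicon_joomlaupdate_example',
            'ajax'  => $ajaxUrl, // consumed by the (omitted) polling script
        ));
    }
}
```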

Bakual - close - 4 Nov 2014
Bakual - change - 4 Nov 2014
Status Pending Closed
Closed_Date 0000-00-00 00:00:00 2014-11-04 11:55:27
Bakual - head_ref_deleted - 4 Nov 2014
