[#5605] - Guest access vanishes guest articles from the articlemanager for everyone except superusers
- Closed
- 7 May 2016
- Medium
- Build: master
- # 5605
Steps to reproduce the issue
Inside Admin select Usermanager - Options, set Guest User Group to Guest, save&close.
Select Content/Article Manager, select Categories, and create category test with access level Guest.
Select Articles and create a new article called test, with access level guest. Click on save: now you see it.
Click on save&close: now you don’t see it anymore, and forever it wil be absent from the article manager lists.
So: you made an article, and after save&close you will no more see it in the articlemanger.
On the frontend meanwhile: you will see the article when it is published. However: it will disappear when you login to try and edit it!
Expected result
Inside the article manager you can see all articles that you have edit and delete rights for.
So: you made an article and would like to edit or delete it: these rights you have.
Actual result
You have edited and delete access to an article but because the article disappears from view after logging in. which you need to do to gain access to the backend of the site, you can no more edit it or delete it.
The current guest setting is to radical: it is intended on the frontend of the site but it also governs inside the admin of the website.
There is a difference between the intended behavior of an article with guest access on the frontend versus the same article on the backend.
The guest account setting inside the Options inside the Usermanager are intended for the frontend only!.They however also rule the behavior inside the admin of the website. There this behavior is not intended.
Solution: to differentiate between those two 'states'.
System information (as much as possible)
Standard joomla site, 3.3.6.
Additional comments
This seems to me a bug. On the other hand it is completely logical.
When the backend will be more integrated inside the frontend, there are perhaps more situations where the backend-logic and the frontend logic clash.
For now the only solution is to use the superuser access: there is an overruling mechanism that is triggered by this access-level. This solution is not preferred in situations where editors are not to be given ’absolute control’ of the entire website.
Votes
| Title |
|
||||||
| Title |
|
||||||
| Labels |
Added:
?
|
||
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-05-07 17:02:28 |
| Closed_By | ⇒ | zero-24 |
joomla-cms-bot
- | Closed_Date | 2016-05-07 17:02:28 | ⇒ | 2016-05-07 17:02:29 |
| Closed_By | zero-24 | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @zero-24 by The JTracker Application at issues.joomla.org/joomla-cms/5605
Closed
@pe7er made a small mistake that you were referring to the admin - he assumed the front end.
But this code is working exactly as expected and you even stated it yourself
Inside the article manager you can see all articles that you have edit and delete rights for.
Only Super Users (who have access to everything) and users that you have given access to the "guest" group will see content set to guest
A flurry of delete activities, but no understanding of the issue I reported.
I was also not aware of standing policy that says bring your own code to prevent deletion of an issue that is reported by you.
I find the issue I reported a real issue, and I hope that your delete cascade was triggered by me not describing it well enough. I will try to do it better this time.
- It is a backend issue: Brian, you got that right;
- The code is not working exactly as expected in the backend; it does however work exactly as expected in the frontend;
- so: the issue is a backend issue;
- I searched the Joomla! forums for it and found several threads where people are flabberghasted by this issue, ask for solutions, do not get them and disappear out of the thread. Not one of these reported the issue to this Github depot: so yes I am the only one that reported the issue, but not only one that is bothered by it;
- the guest-group is a nice addition to Joomla. It is so nice that some people I build websites for with Joomla want to use it. They use it by writing a small article for all website visitors that are not logged in, and a more detailed one for logged in users (members of the association that runs the website). They are not professional Joomla users, they are volunteers that edit articles on their association website. So I tell them of the guest group, that the login page is for guests, and the logout page for loggend in users, and that these pages are never visible at the same time. And they use that for Joomla articles. Nice! However: When someone is not a super-user but has access to the backend of the website, has enough rights to add and publish articles, and tries to publish an article with guest acces, the article disappears in the backend for them. So, as Brian quoted me: "Inside the article manager you can see all articles that you have edit and delete rights for." Yup, untill you hit the save button and your article gets published for guest visitors only. Then it disappears completely from the backend for the peron that wrote and puvblished it. So, the code is not working as expected, very much not so.
- So this volunteer contacts me and ask me what they did wrong. The article is at the frontend, but not (anymore) at the backend. They want to edit it, but don't see how. It is an article that they wrote, they are the author. So: where is it now?
- So I check it out in the forums, tell them it is okay, it is a quirck of Joomla, they will repair it sometime, I reported it. For now stop using this, I will try and find a plugin for this, or something.
- So I write a long and detailed description of what happens for this Github depot, keep looking from time to time at Joomla forums, and elsewhere: till this evening when I get a cascade of emails telling me the issue is deleted.
So with all repect for your dedication, expertise and hard work Peter, joomla-cms-bot and Brian: please can this be re-opened?
Greetings,
Paul
Without a rewrite of the ACL & user group systems, the issue you've described (whether it's right or wrong) is the expected behavior. The Guest user group is just another user group in the eyes of Joomla; it doesn't come with any preferential treatment, it's just there as a "standard" option in Joomla installs to help quickly push things to be displayed to unauthenticated users only (none of the user groups in Joomla have any preferential treatment or system meaning beyond the single parameter in the User Manager's configuration defining your site's guest user group). Part of the ACL & user group systems filters items that you are not able to view based on what user groups you are in, so if you aren't in the Guest user group and not in a group with Super User permissions, logically you're meeting the conditions for having content not displayed to you.
The ACL & user group systems do not differentiate between the frontend and backend of Joomla except for a few explicit permission levels (namely the ability to log into the frontend or backend, logging in while the site's in offline mode, and the ability to access a component's admin interface). Otherwise all permissions are global and implementing permissions or conditions that take into account different applications might be a bit too complex to do without a major rewrite (because in theory you could then create an ACL schema which says that a group cannot edit content from the frontend at all and mandate they use the backend, or say they can use only the backend to edit items but only the frontend to create them).
The solution at this point in time, for better or worse, is to ensure your admin user groups are part of the Guest user group. This will mean that when authenticated they will see both content that is geared for only unauthenticated users and content for authenticated users, but without the overhauls mentioned above, this is the only solution that doesn't include putting your admins in a group with Super User permissions.
Thanks mbabker for explaining the existing situation.
Somehow I had the misapprehension that the guest user views 'disappear' whenever you are logged in, and that this is also the case in the backend of the site. Now I understand better: viewing rights for a group are for all members of the group, and off course you can be member of several groups at the same time. This clears up a lot. I can now also explain the situation to the editors that got 'suddenly lost articles' ans make it so this does not happen.
The psychological power of ACL is great: as I cannot see it, it does not exist. I fell for that I think: the guest option in the user settings made me assume more than is warranted.
As I am no coder I have no idea what amout of work is necessary to change the ACL technique. I understand it is a massive work and not on the table right now.
As I wrote in my previous comment I looked around for discussion on further development of the existing article-com. Like here. I hope that Joomla 4 will bring some developments on this.
Greetings,
Paul
Thank you for reporting this issue!
The Guest usergroup has been introduced to make it possible to show information to specific groups of visitors:
Public -> all visitors (logged in or not)
Guest -> all visitors that have not been logged in
any other group -> all visitors from that group (or from groups higher in the hierarchy).
As no one else has reported this behavior as an issue, and no-one has shown any interest in providing any code to improve this behavior, I am closing this issue at this time. If code is provided (a pull request) it can always be re-examined.