[#8069] - Allowing 'Create' in a Category enables Create for other categories
- Closed
- 8 May 2016
- Urgent
- Build: master
- # 8069
Steps to reproduce the issue
Create A user group with registered as parent
Select that group in 'Special' view/access level
In Global config permissions Allow Administrator Login and leave everything else Inherited
In Content >>> Article/Category/Featured Article >>> Options ... set 'Access Administration Interface' to 'Allowed'
Create a new category and set the permissions in that category for the new user group Allowed for Create, Delete, Edit, Edit State and Edit Own
Create a new user and put the user in the new user group
Login Admin as the new user
Expected result
The new user should be able to Create, Delete, Edit, Edit State and Edit Own Articles in only the new category. They should not be able to Create more categories or Delete, Edit, Edit State and Edit Own for existing categories.
Actual result
The new user can create new categories because the Create button appears in the Category tab as well as the Article tab.
System information (as much as possible)
Additional comments
Spotted as a result of this thread http://forum.joomla.org/viewtopic.php?f=719&t=895579
Votes
My bad
Added "In Content >>> Article/Category/Featured Article >>> Options ... set 'Access Administration Interface' to 'Allowed'" to the instructions
In addition to the user being able to create Categories (which they should not be able to do)
The user can create Articles and set to the specific Category(which is expected behaviour) but is unable to delete any Article they create (which they should be able to do)
Before allowing Create, Delete, Edit, Edit State and Edit Own in a category
After adding Create, Delete, Edit, Edit State and Edit Own in a category
As you can see there is a Create button for Articles but not Trash can icon
But in Categories there is also a Create icon. Clicking it allows the creation of Categories with no parent. If Create should be allowed in the specific Category then the Trash can should also appear. But surely the Create, Delete, Edit, Edit State and Edit Own( in a category) should apply to only Articles for the Category.
If it does also Apply to the Category then it should only be able to save it within the hierarchy of the specific Category. And the user should be able to delete it
Thanks for the clear instructions.
After following your steps I noticed the following:
- The user can create categories on the "no parent" level but can't edit them after creating.(they should not able to create categories on that level)
- There is no trash icon visible, but the user is allowed to delete his own articles. Not sure if this is done by a usability reason
I made a PR for the problem that the user was able to create level 0 categories.
Can someone else look at the problem with the trash icon? I don't know exactly if this is a real problem, or done with a reason. Also not sure where or how I can fix that.
Thanks quick work ... PR # 8083 prevents the user creating Articles outside of the hierarchy of the Category they have Create Permissions for. Have tested and added Test to that patch.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8069.
Thank you for creating this but it would appear that this has been resolved elsewhere in the code base. If this is not correct then this can be re-opened
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8069.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2016-05-08 16:36:20 |
| Closed_By | ⇒ | brianteeman |
Thanks for reporting this possible issue!
If I follow your steps to reproduce the issue and login with the created user, I don't have the opportunity to access any component or create items. The back-end looks like this:
Did you forget to describe a few steps? Or are there other permission settings changed?