No Code Attached Yet
Referenced as Pull Request for: # 8083
Webdongle
11 Oct 2015

Steps to reproduce the issue

Create a user group with Registered as parent
Select that group in 'Special' view/access level
In Global config permissions Allow Administrator Login and leave everything else Inherited
In Content >>> Article/Category/Featured Article >>> Options ... set 'Access Administration Interface' to 'Allowed'
Create a new category and set the permissions in that category for the new user group Allowed for Create, Delete, Edit, Edit State and Edit Own
Create a new user and put the user in the new user group
Log in to Admin as the new user

Expected result

The new user should be able to Create, Delete, Edit, Edit State and Edit Own Articles in only the new category. They should not be able to Create more categories or Delete, Edit, Edit State and Edit Own for existing categories.

Actual result

The new user can create new categories because the Create button appears in the Category tab as well as the Article tab.

System information (as much as possible)

Additional comments

Spotted as a result of this thread http://forum.joomla.org/viewtopic.php?f=719&t=895579

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
4.00

Webdongle - open - 11 Oct 2015

n9iels - comment - 12 Oct 2015

Thanks for reporting this possible issue!

If I follow your steps to reproduce the issue and login with the created user, I don't have the opportunity to access any component or create items. The back-end looks like this:
[Screenshot: knipsel]

Did you forget to describe a few steps? Or are there other permission settings changed?

Webdongle - comment - 12 Oct 2015

My bad
Added "In Content >>> Article/Category/Featured Article >>> Options ... set 'Access Administration Interface' to 'Allowed'" to the instructions

In addition to the user being able to create Categories (which they should not be able to do),
the user can create Articles and set them to the specific Category (which is expected behaviour) but is unable to delete any Article they create (which they should be able to do).

Before allowing Create, Delete, Edit, Edit State and Edit Own in a category
[Screenshot: permissions 02]
[Screenshot: permissions 01]

After adding Create, Delete, Edit, Edit State and Edit Own in a category
As you can see, there is a Create button for Articles but no Trash can icon
[Screenshot: permissions 03]

But in Categories there is also a Create icon. Clicking it allows the creation of Categories with no parent. If Create should be allowed in the specific Category then the Trash can should also appear. But surely the Create, Delete, Edit, Edit State and Edit Own (in a category) should apply to only Articles for the Category.

If it does also apply to the Category then it should only be able to save it within the hierarchy of the specific Category. And the user should be able to delete it.
[Screenshot: permissions 04]

n9iels - comment - 13 Oct 2015

Thanks for the clear instructions.
After following your steps I noticed the following:

  • The user can create categories on the "no parent" level but can't edit them after creating. (They should not be able to create categories on that level.)
  • There is no trash icon visible, but the user is allowed to delete his own articles. Not sure if this is done for a usability reason.

n9iels - comment - 13 Oct 2015

I made a PR for the problem that the user was able to create level 0 categories.

Can someone else look at the problem with the trash icon? I don't know exactly if this is a real problem, or done with a reason. Also not sure where or how I can fix that.

Webdongle - comment - 13 Oct 2015

@n9iels

Thanks quick work ... PR # 8083 prevents the user creating Articles outside of the hierarchy of the Category they have Create Permissions for. Have tested and added Test to that patch.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8069.
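
The distinction this thread turns on, as an added example that is not Joomla's code and not the code from PR # 8083: a Create permission granted on one category has to be evaluated against the parent the new category will be saved under, not against "Create is allowed somewhere". The asset ids, the group name and the function names are constructed for the illustration, and the inheritance walk is a simplified model.

```php
<?php
// Simplified model of inherited permissions. NOT Joomla's implementation.
// Asset ids, the group name and all function names are constructed for this example.
const PARENTS = [                        // child asset => parent asset
    'com_content'             => 'root',
    'com_content.category.2'  => 'com_content',            // an existing category
    'com_content.category.9'  => 'com_content',            // the new category
    'com_content.category.12' => 'com_content.category.9', // child of the new category
];
// asset => action => group => true (Allowed) | false (Denied); absent means Inherited
const RULES = [
    'root'                   => ['core.login.admin' => ['Cat9 Authors' => true]],
    'com_content'            => ['core.manage'      => ['Cat9 Authors' => true]],
    'com_content.category.9' => ['core.create'      => ['Cat9 Authors' => true]],
];
// Walk from the asset up to the root: an explicit deny wins, otherwise any allow.
function authorise(string $group, string $action, string $asset): bool
{
    $allowed = false;
    for ($a = $asset; $a !== null; $a = PARENTS[$a] ?? null) {
        $rule = RULES[$a][$action][$group] ?? null;
        if ($rule === false) {
            return false;
        }
        $allowed = $allowed || $rule === true;
    }
    return $allowed;
}
// Loose check: true as soon as Create is allowed on any asset at all.
function canCreateSomewhere(string $group): bool
{
    foreach (array_keys(PARENTS) as $asset) {
        if (authorise($group, 'core.create', $asset)) {
            return true;
        }
    }
    return false;
}
// Scoped check: evaluate Create on the asset the new category is saved under.
function canCreateCategoryUnder(string $group, ?int $parentId): bool
{
    $asset = $parentId === null ? 'com_content' : "com_content.category.$parentId";
    return authorise($group, 'core.create', $asset);
}
$group = 'Cat9 Authors';
var_dump(canCreateSomewhere($group));           // loose check
var_dump(canCreateCategoryUnder($group, null)); // save with no parent
var_dump(canCreateCategoryUnder($group, 9));    // save under the new category
var_dump(canCreateCategoryUnder($group, 2));    // save under an existing category
```

In this model a save path that relies on the loose check accepts a category with no parent, while the scoped check rejects it and still permits saving under category 9.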

brianteeman - comment - 8 May 2016

Thank you for creating this but it would appear that this has been resolved elsewhere in the code base. If this is not correct then this can be re-opened


brianteeman - change - 8 May 2016
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2016-05-08 16:36:20
Closed_By: brianteeman
brianteeman - close - 8 May 2016