[#8216] - User with author rights gets 500 server error on displaying article versions modal
- Closed
- 3 Jun 2017
- Medium
- Build: master
- # 8216
Hi,
Just ran into the following issue on Joomla 3.4.5
I have a user account 'Ruud' who has 'author' rights. when logged in as Ruud I can create and edit (my own) articles. So far so good.
Now when in the article editor on the front-end when I am logged in as Ruud and press the versions button, the modal pop ups giving me a 500 server error. Investigating this error gives me the following call stack information:
Call stack
# Function Location
1 JApplicationCms->execute() /var/www/html/och_test/index.php:45
2 JApplicationSite->doExecute() /var/www/html/och_test/libraries/cms/application/cms.php:252
3 JApplicationSite->dispatch() /var/www/html/och_test/libraries/cms/application/site.php:230
4 JComponentHelper::renderComponent() /var/www/html/och_test/libraries/cms/application/site.php:191
5 JComponentHelper::executeComponent() /var/www/html/och_test/libraries/cms/component/helper.php:372
6 require_once() /var/www/html/och_test/libraries/cms/component/helper.php:392
7 require_once() /var/www/html/och_test/components/com_contenthistory/contenthistory.php:18
8 JControllerLegacy->execute() /var/www/html/och_test/administrator/components/com_contenthistory/contenthistory.php:19
9 JControllerLegacy->display() /var/www/html/och_test/libraries/legacy/controller/legacy.php:728
10 ContenthistoryViewHistory->display() /var/www/html/och_test/libraries/legacy/controller/legacy.php:690
11 JError::raiseError() /var/www/html/och_test/administrator/components/com_contenthistory/views/history/view.html.php:43
12 JError::raise() /var/www/html/och_test/libraries/legacy/error/error.php:254
As it turns out, I can reproduce this error on other Joomla websites (also with 3.4.5)
When I give Editor rights to user Ruud, the popup shows the correct versions information. Reverting the editor rights (so only author) for user Ruud, the error 500 is displayed again :(
I am not a developer but do have test environment(s) and have time to help out in any way :)
Hope this helps!
Hi, thanks. I didn't now these details :)
although expected, it is a functionality used by our bloggers very frequently (Now they call me to give them an overview of what I (site maintainer) changed to their blogs. With the versions they could see for them selves AND they could learn what to do different the next time :)
So my suggestion would be to implement :)
For a dev who is interested in fixing this. The ACL checks are here:
history view: https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_contenthistory/models/history.php#L71
compare view: https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_contenthistory/models/compare.php#L56
preview view: https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_contenthistory/models/preview.php#L50
zero-24
- | Status | New | ⇒ | Confirmed |
| Labels |
Added:
?
|
||
| Category | ⇒ | Administration |
After digg on this bug, I found that: There could not an bug.
In scenario of Ruud68, he forget to set permission for "Author" group to enable "core.edit" permission. Default, this group just have "core.create" permission for Article.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8216.
Hi, thanks for looking into this
I have set acl group to author (default joomla group): in articles this group has both create and edit own rights.
from the documentation:
Author - This group allows a user to post content, usually via a link in the User Menu. They can submit new content, select options to show the item on the front page and select dates for publishing but they cannot directly publish any content. When content is submitted by an Author level user, they receive the message, “Thanks for your submission. Your submission will now be reviewed before being posted to the site.” They can edit only their own articles but only when that article has been published and is visible.
When I set edit group as well, they cannot only edit their own but also other peoples articles (and that is not what you want)
from the documentation:
Editor - This group allows a user to post and edit any (not just their own) content item from the Frontend. They can also edit content that has not been published. If your site uses the default installation’s menu option “News”, which is a Table List – Content Section type, Editors will see unpublished articles in the list that they can select for editing, where as an Author or Public (unregistered) user will not even see the unpublished items in the list. Still, Editor users cannot, publish or change the publishing status of any articles, even their own.
brianteeman
- | Category | Administration | ⇒ | ACL Administration |
Looking into
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8216.
Cannot replicate on Joomla! 3.7.2
Please close @nibra
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8216.
| Status | Confirmed | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-06-03 13:31:41 |
| Closed_By | ⇒ | franz-wohlkoenig |
| Closed_Date | 2017-06-03 13:31:41 | ⇒ | 2017-06-03 13:31:42 |
| Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
closed as mentioned above.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/8216.
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/8216
There was a security issue in previous Joomla versions. With Joomla 3.4.5 there is now an ACL check for accessing the versioning component which requires edit permissions. so far that sounds like expected behaviour (given the background).
I guess we need to implement the
edit.owninto the ACL check, or we just hide the version button for anyone not having edit permissions.