Regression: Fix edit check in backend articles manager, always denying edit after soft deny #11511
Conversation
I have tested this item ✅ successfully on
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/11511.

I have tested this item ✅ successfully on

I have tested this item ✅ successfully on

RTC. Thanks.

I have tested this item successfully. Thanks.
    $user = JFactory::getUser();

    // For new record (id:0) return component permission
    // Zero record (id:0) return component permission, e.g. show edit btn
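Review bot: the two comment lines above describe the same case twice (a new record / a zero record returning the component permission); keep one, and have it state what the code actually does, i.e. that id 0 defers to parent::allowEdit() so the component-level ACL answers, instead of the vaguer "e.g. show edit btn".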
That makes less sense than it did before. Now I don't have a clue what it means.
It was like this before.
Why is any code calling allowEdit() on a zero id? The only purpose would be to get the component edit permission.
For me it is meaningless, and from what I see in the code we can probably return false and break nothing.
I have checked this:
- there is no code in Joomla that uses allowEdit() to decide on creating new records, or to get component permissions (by passing a zero record id)
so we can change it to false!
(Maybe some 3rd party extends the class and uses it to get the component edit permission, but I think it is very unlikely.)
Sorry, by "like this before" I mean:
- the current "frontend" controller
- and the backend controller in J3.6.0
Put off RTC so we get a retest after the last changes. Thanks.
Yes, I made 1 more change (besides comments).
I searched through all calls of the method and did not find any usage that would need to return component permissions in such a case, so better return false (aka deny), in case someone in the future writes code to misuse this.
Except this is wrong. You've introduced a hard deny rule instead of continued use of the ACL system in this scenario. So there needs to be a pretty freakin' strong validation against this change because right now that screams massive B/C break to me.
    // If we get a deny at the component level, we cannot override here.
    if (!parent::allowEdit($data, $key))
    // Zero record (id:0) return false, if caller wants component permissions just get them directly
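Review bot: the comment on the last line says a zero record id returns false, while the check shown just above it still defers to parent::allowEdit(), so the comment and the code disagree; pick one behaviour and document it. If the intent is a hard `return false`, it bypasses the ACL for that case instead of reading it, which is the objection raised below; if the intent is to keep deferring, reword the comment to something like "// Zero record (id:0): return the component permission from parent::allowEdit()".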
So a method that is supposed to check the ACL now has a hardcoded deny rule in place when it should be using the ACL system? Am I the only one who sees an issue with this?
Can you find a place where it is needed today? An example of calling allowEdit() on a zero record id as an indirect way to get the parent controller's permissions? It is weird usage. I will revert; I made this change worrying about someone misusing it in the future.
I don't have a place off hand that will break with that hardcoded change but the point of it is that something that should be reading the ACL system should be doing that, not introducing an arbitrary rule based on some condition and not even implement it consistently.
I restored the code; it is the same as before, when all testing was done. But that deny would break nothing anyway, because it is not used anywhere. This PR makes allowEdit how it should have been in the first place.
I agree it shouldn't be getting used, but in the off case someone's code is screwed up somewhere it should still respect the ACL system or throw an Exception because at that point it's dealing with an invalid record anyway.
The code is correct to be there but after 1 or 2 years someone may write code to misuse it
It needs to be a separate proposal if you're going to push for it. We all have a very bad habit of throwing unrelated items into pull requests because we're already making a change or want to enforce some arbitrary standard. That crap needs to stop.
Yes, correct, it is unrelated to this PR, but you know how it is with finding people to test PRs etc.
Oh I know, I know. I've got cache PRs stalled out because someone asked for an arbitrary extra change, one of which actually adds support for a PHP 5.3 feature to our callback system.
where do we stand here?
Hello, please click on each of the commits made August 10 (5 commits).
This should still be RTC.
Back to RTC. Thanks.
I have tested this item ✅ successfully on 84d0dad
* re-arrayhelper-min: (2467 commits) Minimize JArrayHelper methods `toInteger`, `pivot`, `arrayUnique` by using Joomla\Utilities\ArrayHelper internally. Leaving (reverting from joomla#7782) other four methods as is for b/c reasons as mentioned in joomla#8455. remove platform include (joomla#11615) [GitHub Templates] Make headings bigger (joomla#11607) [com_contact] Make ACL core.edit.own work (PR for 11466) (joomla#11503) Small review on docs & code structure in JModelLegacy library classes (joomla#11057) Obviously, this should be an array. (joomla#11610) Don't manually import JPlatform anymore (joomla#10841) Parse preprocess rules from component routers (joomla#8986) Add the correct exception after 11593 merge (was waiting for that merrge) (joomla#11606) Add missing clean line after joomla#9277 (joomla#11605) Deprecate the _PROFILER global var (joomla#10845) Spelling errors (joomla#11604) Moved travis javascript bash file to build/travis like joomla#11600 (joomla#11603) Regression: Fix edit check in backend articles manager, always denying edit after soft deny (joomla#11511) [com_plugins] User not allowed to core.manage? Use 403 php custom exception (instead of a 404 JError) (joomla#11593) [com_newsfeeds] Make ACL core.edit.own work (PR for 11466) (joomla#11502) $result-variable-undefined-given-default-value (joomla#9277) com_banners use exceptions. and not allowed is a 403 (joomla#11418) Frontend & plugins using the autoloader (joomla#10882) New version of PR 6788 (JText::_() Optimizations) (joomla#11235) ...
…g edit after soft deny (joomla#11511) * Fix allow after soft deny in backend * Improve edit check in frontend similar to backend * Better comments for the code * Force better usage of allowEdit * Force better usage of allowEdit * Restore behaviour on zero record id to return component edit permissions * Restore behaviour on zero record id to return component edit permissions
Pull Request for Issue #11463 and #11510
Summary of Changes
Fixed the edit check in the backend, which was not allowing edit via edit.own after a soft deny.
The same code is used for the frontend.
Testing Instructions
(the check is the same for frontend / backend)
In the backend articles manager, and in frontend views that show the edit button, make sure that people who should be allowed to edit can do so and others cannot.
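The edit check this PR and its review thread argue about, as an added self-contained PHP illustration. This is not Joomla's code: the asset names, group names, user ids, article rows and the tiny authorise() stub standing in for JAccess are all constructed assumptions. It contrasts a component-level short-circuit of the kind quoted in the review ("if we get a deny at the component level, we cannot override here") with the shape the PR summary describes: id 0 defers to the component permission, any other id is checked on the record's own asset, so an explicit deny higher in the asset tree still propagates while a soft deny (permission simply not set) leaves core.edit.own in force.

```php
<?php
// Added example, not Joomla's own code. Models Joomla's tri-state rules:
// 1 = allow, 0 = explicit deny, missing = not set ("soft deny"), and the
// asset tree root -> component -> article. All data below is constructed.

$assets = [
    'root.1' => ['parent' => null, 'rules' => [
        'core.edit'     => ['admins' => 1],
        'core.edit.own' => ['admins' => 1],
    ]],
    'com_content' => ['parent' => 'root.1', 'rules' => [
        'core.edit.own' => ['authors' => 1],   // authors may edit their own
        // core.edit is deliberately NOT set for authors: a soft deny
    ]],
    'com_content.article.7' => ['parent' => 'com_content', 'rules' => []],
    'com_content.article.8' => ['parent' => 'com_content', 'rules' => [
        'core.edit.own' => ['authors' => 0],   // explicit deny on this article
    ]],
];

// Article rows: id => created_by (constructed)
$articles = [7 => 42, 8 => 42];

// Stand-in for JAccess::check(): walk from the asset up to the root. An
// explicit deny for any of the user's groups wins; otherwise any allow wins;
// otherwise the result is a soft deny (false).
function authorise(array $assets, array $groups, string $action, string $asset): bool
{
    $allowed = false;
    while ($asset !== null) {
        if (!isset($assets[$asset])) {
            $asset = 'root.1';          // unknown asset (e.g. id 0) falls back to root in this model
            continue;
        }
        $rules = $assets[$asset]['rules'][$action] ?? [];
        foreach ($groups as $g) {
            if (!array_key_exists($g, $rules)) {
                continue;
            }
            if ($rules[$g] === 0) {
                return false;           // explicit deny anywhere in the chain wins
            }
            $allowed = true;            // allow, but keep scanning for denies
        }
        $asset = $assets[$asset]['parent'];
    }
    return $allowed;
}

// What parent::allowEdit() amounts to: core.edit on the component asset.
function componentAllowEdit(array $assets, array $groups): bool
{
    return authorise($assets, $groups, 'core.edit', 'com_content');
}

// The regression shape quoted in the review: a component-level soft deny of
// core.edit short-circuits before core.edit.own is ever considered.
function allowEditBuggy(array $assets, array $articles, int $userId, array $groups, int $recordId): bool
{
    if (!componentAllowEdit($assets, $groups)) {
        return false;
    }
    $asset = "com_content.article.$recordId";
    return authorise($assets, $groups, 'core.edit', $asset)
        || (authorise($assets, $groups, 'core.edit.own', $asset)
            && ($articles[$recordId] ?? null) === $userId);
}

// The fixed shape: id 0 defers to the component permission; any other id is
// checked on the record's own asset, so explicit denies still propagate via
// authorise() while a soft deny does not block core.edit.own.
function allowEditFixed(array $assets, array $articles, int $userId, array $groups, int $recordId): bool
{
    if ($recordId === 0) {
        return componentAllowEdit($assets, $groups);
    }
    $asset = "com_content.article.$recordId";
    if (authorise($assets, $groups, 'core.edit', $asset)) {
        return true;
    }
    if (authorise($assets, $groups, 'core.edit.own', $asset)) {
        if (!isset($articles[$recordId])) {
            return false;               // unknown record: deny
        }
        return $articles[$recordId] === $userId;
    }
    return false;
}

$cases = [
    ['own article, soft deny on core.edit', 42, ['authors'], 7],
    ["someone else's article",              99, ['authors'], 7],
    ['own article, explicit deny on it',    42, ['authors'], 8],
    ['new record (id 0), author',           42, ['authors'], 0],
    ['new record (id 0), admin',             1, ['admins'],  0],
];
foreach ($cases as [$label, $uid, $groups, $id]) {
    printf("%-38s buggy=%-5s fixed=%s\n", $label,
        var_export(allowEditBuggy($assets, $articles, $uid, $groups, $id), true),
        var_export(allowEditFixed($assets, $articles, $uid, $groups, $id), true));
}
```

Run it with `php` on the command line. The first case is the regression the PR title describes: an author with core.edit.own granted at the component but core.edit merely unset is refused by the short-circuit version and permitted by the per-record version, while the explicit-deny case stays denied in both, which is the point raised in the review: the ACL walk already honours hard denies, so the controller does not need its own hardcoded one.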