Skip to content

Regression: Fix edit check in backend articles manager, always denying edit after soft deny #11511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 14, 2016
Merged

Regression: Fix edit check in backend articles manager, always denying edit after soft deny #11511

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a707d60
Fix allow after soft deny in backend
ggppdk Aug 8, 2016
1ad1ce2
Improve edit check in frontend similar to backend
ggppdk Aug 8, 2016
df0bff1
Better comments for the code
ggppdk Aug 9, 2016
001e157
Force better usage of allowEdit
ggppdk Aug 10, 2016
0c7e0a8
Force better usage of allowEdit
ggppdk Aug 10, 2016
d5e378b
Restore behaviour on zero record id to return component edit permissions
ggppdk Aug 10, 2016
84d0dad
Restore behaviour on zero record id to return component edit permissions
ggppdk Aug 10, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 10 additions & 23 deletions administrator/components/com_content/controllers/article.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,45 +84,32 @@ protected function allowEdit($data = array(), $key = 'id')
{
$recordId = (int) isset($data[$key]) ? $data[$key] : 0;
$user = JFactory::getUser();
$userId = $user->get('id');

// If we get a deny at the component level, we cannot override here.
if (!parent::allowEdit($data, $key))
// Zero record (id:0) return false, if caller wants component permissions just get them directly
Copy link
Contributor

@mbabker mbabker Aug 10, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So a method that is supposed to check the ACL now has a hardcoded deny rule in place when it should be using the ACL system? Am I the only one who sees an issue with this?

if (!$recordId)
{
return false;
}

// Check general edit permission first.
// Check edit on the record asset (explicit or inherited)
if ($user->authorise('core.edit', 'com_content.article.' . $recordId))
{
return true;
}

// Fallback on edit.own.
// First test if the permission is available.
// Check edit own on the record asset (explicit or inherited)
if ($user->authorise('core.edit.own', 'com_content.article.' . $recordId))
{
// Now test the owner is the user.
$ownerId = (int) isset($data['created_by']) ? $data['created_by'] : 0;
// Existing record already has an owner, get it
$record = $this->getModel()->getItem($recordId);

if (empty($ownerId) && $recordId)
if (empty($record))
{
// Need to do a lookup from the model.
$record = $this->getModel()->getItem($recordId);

if (empty($record))
{
return false;
}

$ownerId = $record->created_by;
return false;
}

// If the owner matches 'me' then permission is granted.
if ($ownerId == $userId)
{
return true;
}
// Grant if current user is owner of the record, note: zero id is guest
return $user->get('id') == $record->created_by;
}

return false;
Expand Down
45 changes: 18 additions & 27 deletions components/com_content/controllers/article.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,45 +103,36 @@ protected function allowAdd($data = array())
protected function allowEdit($data = array(), $key = 'id')
{
$recordId = (int) isset($data[$key]) ? $data[$key] : 0;
$user = JFactory::getUser();
$userId = $user->get('id');
$asset = 'com_content.article.' . $recordId;
$user = JFactory::getUser();

// Check general edit permission first.
if ($user->authorise('core.edit', $asset))
// Zero record (id:0) return false, if caller wants component permissions just get them directly
Copy link
Contributor

@mbabker mbabker Aug 10, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue here. This logic is massively flawed. We should NOT be introducing hard deny rules in ANY method which should be reading from the ACL system. The previous behavior of reverting to the component permissions in the case of not having a record ID should be restored.

if (!$recordId)
{
return false;
}

// Check edit on the record asset (explicit or inherited)
if ($user->authorise('core.edit', 'com_content.article.' . $recordId))
{
return true;
}

// Fallback on edit.own.
// First test if the permission is available.
if ($user->authorise('core.edit.own', $asset))
// Check edit own on the record asset (explicit or inherited)
if ($user->authorise('core.edit.own', 'com_content.article.' . $recordId))
{
// Now test the owner is the user.
$ownerId = (int) isset($data['created_by']) ? $data['created_by'] : 0;
// Existing record already has an owner, get it
$record = $this->getModel()->getItem($recordId);

if (empty($ownerId) && $recordId)
if (empty($record))
{
// Need to do a lookup from the model.
$record = $this->getModel()->getItem($recordId);

if (empty($record))
{
return false;
}

$ownerId = $record->created_by;
return false;
}

// If the owner matches 'me' then do the test.
if ($ownerId == $userId)
{
return true;
}
// Grant if current user is owner of the record, note: zero id is guest
return $user->get('id') == $record->created_by;
}

// Since there is no asset tracking, revert to the component permissions.
return parent::allowEdit($data, $key);
return false;
}

/**
Expand Down