Skip to content

Regression: Fix edit check in backend articles manager, always denying edit after soft deny #11511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Aug 14, 2016
Merged

Regression: Fix edit check in backend articles manager, always denying edit after soft deny #11511

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a707d60
Fix allow after soft deny in backend
ggppdk Aug 8, 2016
1ad1ce2
Improve edit check in frontend similar to backend
ggppdk Aug 8, 2016
df0bff1
Better comments for the code
ggppdk Aug 9, 2016
001e157
Force better usage of allowEdit
ggppdk Aug 10, 2016
0c7e0a8
Force better usage of allowEdit
ggppdk Aug 10, 2016
d5e378b
Restore behaviour on zero record id to return component edit permissions
ggppdk Aug 10, 2016
84d0dad
Restore behaviour on zero record id to return component edit permissions
ggppdk Aug 10, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions administrator/components/com_content/controllers/article.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,8 @@ protected function allowEdit($data = array(), $key = 'id')
$recordId = (int) isset($data[$key]) ? $data[$key] : 0;
$user = JFactory::getUser();

// For new record (id:0) return component permission
// Zero record (id:0) return component permission, e.g. show edit btn
Copy link
Contributor

@brianteeman brianteeman Aug 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes less sense than it did before. Now I domt have a clue what it means

Copy link
Contributor Author

@ggppdk ggppdk Aug 9, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was like this before,

why any code is calling allowEdit() on zero id ?
only purpose would be to get component edit

for me it is meaningless, and from what i see in the code ,
we can probably return false and break nothing,

I have checked this,

  • there is no code in Joomla that uses allowEdit() to decide creating new records, or to get component permissions (by passing zero record id)

so we can change it to false !

(maybe some 3rd party extends the class though and use it to get component edit, but i think it is very unlikely)

Copy link
Contributor Author

@ggppdk ggppdk Aug 10, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, with like this before

  • i mean current "frontend" controller
  • and backend controller in J3.6.0

// for creating new record, allowAdd() must be used instead (core.create)
if (!$recordId)
{
return parent::allowEdit($data, $key);
Expand All @@ -108,7 +109,7 @@ protected function allowEdit($data = array(), $key = 'id')
return false;
}

// Grant if current user is the owner of the record
// Grant if current user is owner of the record, note: zero id is guest
return $user->get('id') == $record->created_by;
}

Expand Down