Fix front end XTD menus and contacts buttons #12321
I have tested this item ✅ successfully on f552092 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12321. |
| { | ||
| $this->input = JFactory::getApplication()->input; | ||
|
|
||
| // Article frontpage Editor contact proxying: |
Why do we need ===?
IMHO it is a good practice to perform strict comparisons where possible
components/com_menus/controller.php
Outdated
| /** | ||
| * Modules manager master display controller. | ||
| * | ||
| * @since 3.5 |
Since tag please ;)
|
and also change modules to menus in the comments ;) |
| if ($app->isSite()) | ||
| { | ||
| JSession::checkToken('get') or die(JText::_('JINVALID_TOKEN')); | ||
| } |
shouldn't this token check be at the beginning of the file, like https://github.com/joomla/joomla-cms/blob/staging/administrator/components/com_content/views/articles/tmpl/modal.php#L14 ?
You're right!
|
I have tested this item ✅ successfully on Found an issue concerning modals in general in 3.7.0. Creating Issue.
|
IMPORTANT! To use the xtd menu one has to be at least administrator. And in frontend an sql error: This issue is also related to the discussions: The reason why an Author (and above) can use the xtd contacts is that it has Create and Edit Own permissions. As for xtd modules, it has Create permissions and CAN use it in frontend BUT a Manager canNOT in back-end if no Access to Administration Interface... I guess we got deep here into quite a few permissions issues concerning these xtd.
components/com_contact/router.php
Outdated
| */ | ||
| public function __construct($app = null, $menu = null) | ||
| { | ||
| if ($app->input->get('view') === 'contacts' && $app->input->get('layout') === 'modal') |
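Review bot: `$app` defaults to `null` in the constructor signature, but the `if` on the first line of the body calls `$app->input->get()` unconditionally, so a caller that relies on the default hits a method call on null. Resolve the application before reading the request (for example fall back to `JFactory::getApplication()` when `$app` is null), or move the view/layout test out of the constructor.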
Why are you doing this? This would disable the router for this whole page.
I knew that this was not the right solution, that's why I ping you here!
components/com_content/router.php
Outdated
| */ | ||
| public function __construct($app = null, $menu = null) | ||
| { | ||
| if ($app->input->get('view') === 'articles' && $app->input->get('layout') === 'modal') |
Same as above. This would break a lot of things.
|
What about using instead

```php
public function __construct($app = null, $menu = null)
{
    $params = JComponentHelper::getParams('com_content');
    $this->noIDs = (bool) $params->get('sef_ids');
    $categories = new JComponentRouterViewconfiguration('categories');
    $categories->setKey('id');
    $this->registerView($categories);
    $category = new JComponentRouterViewconfiguration('category');
    $category->setKey('id')->setParent($categories, 'catid')->setNestable()->addLayout('blog');
    $this->registerView($category);
    $article = new JComponentRouterViewconfiguration('article');
    $article->setKey('id')->setParent($category, 'catid');
    $articles = new JComponentRouterViewconfiguration('articles'); // added
    $this->registerView($article);
    $this->registerView($articles); //added
    $this->registerView(new JComponentRouterViewconfiguration('archive'));
    $this->registerView(new JComponentRouterViewconfiguration('featured'));
    $this->registerView(new JComponentRouterViewconfiguration('form'));
```

Would that also break a lot of things?
|
Same for contacts. |
|
@DGT41

```php
<?php
/**
 * @package     Joomla.Administrator
 * @subpackage  com_modules
 *
 * @copyright   Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */
defined('_JEXEC') or die;
JHtml::_('behavior.tabstate');
$user  = JFactory::getUser();
$input = JFactory::getApplication()->input;
if (($input->get('layout') !== 'modal' && $input->get('view') !== 'modules')
    && !$user->authorise('core.manage', 'com_modules'))
{
    throw new JAccessExceptionNotallowed(JText::_('JERROR_ALERTNOAUTHOR'), 403);
}
$controller = JControllerLegacy::getInstance('Modules');
$controller->execute($input->get('task'));
$controller->redirect();
```

and it now works here. A similar patch works for menu too but I get the same sql error as in frontend (see above):

```php
<?php
/**
 * @package     Joomla.Administrator
 * @subpackage  com_menus
 *
 * @copyright   Copyright (C) 2005 - 2016 Open Source Matters, Inc. All rights reserved.
 * @license     GNU General Public License version 2 or later; see LICENSE.txt
 */
defined('_JEXEC') or die;
$input = JFactory::getApplication()->input;
$user  = JFactory::getUser();
if (($input->get('layout') !== 'modal' && $input->get('view') !== 'items')
    && !$user->authorise('core.manage', 'com_menus'))
{
    throw new JAccessExceptionNotallowed(JText::_('JERROR_ALERTNOAUTHOR'), 403);
}
$controller = JControllerLegacy::getInstance('Menus');
$controller->execute($input->get('task'));
$controller->redirect();
```

What do you think?
|
@infograf768 can you create a pr with those changes? |
|
@DGT41 |
|
@infograf768 shouldn't we keep the if statement for performance? Now it's gonna execute the code in all views... @Hackwar can you confirm that @infograf768's solution is the appropriate one here?
|
FYI, when no assoc, similar sql error: |
|
@infograf768 changing line 353 from solves the sql problem for me... |
|
@infograf768 nope try the filters... |
|
When using the filters I indeed do get |
|
Evidently, I do not agree with

```php
if ($input->get('view') === 'contacts' && $input->get('layout') === 'modal')
{
    if (!JFactory::getUser()->authorise('core.edit', 'com_contact'))
    {
        JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
        return;
    }
}
```

as this limits the access to editors, does not let them edit.own and prevents authors from using the xtd contact. As I commented there, we can change in the xtd as well as in
|
I also replied to your comment. Yes, this might limit this feature to just editors. But the solution to that problem is not to remove the check altogether, but to properly extend it. |
|
I just checked this again with an editor user and just my changes from #12420 and it works perfectly fine without the changes to the router. The changes to the router are neither necessary, nor are they right. Please don't merge those changes. |
I do not confirm this. We NEED the changes in the router or we get a
The entire logic we use for these ACL checks where we're proxying a frontend request to the backend is fatally flawed as the permissions checks are at the component level of ACL. These ACL checks have to get smarter for correct processing (i.e. it needs to be possible to check at the category level). |
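
The difference between the single component-level check debated in this thread and a check that also considers other actions and category assets, as an added example that is not part of the thread or of Joomla's code. It is stand-alone PHP: `authorise()` is a hypothetical stand-in for `JUser::authorise()` with no asset inheritance, the rule table is constructed, and both `pickerAllowed…` functions are hypothetical names.

```php
<?php
// Constructed ACL table for one author-level user (not Joomla data):
// asset name => actions granted on that asset.
$authorRules = array(
    'com_contact'            => array('core.create', 'core.edit.own'),
    'com_contact.category.4' => array('core.edit'),
);

/** Stand-in for JUser::authorise(): exact asset lookup, no inheritance. */
function authorise(array $rules, $action, $asset)
{
    return isset($rules[$asset]) && in_array($action, $rules[$asset], true);
}

/** The check as posted in the thread: one action, component level only. */
function pickerAllowedComponentOnly(array $rules)
{
    return authorise($rules, 'core.edit', 'com_contact');
}

/**
 * Hypothetical extended check: any action that lets the user work with
 * contacts, at component level or on one of the given categories.
 */
function pickerAllowedExtended(array $rules, array $categoryIds)
{
    $actions = array('core.create', 'core.edit', 'core.edit.own');
    $assets  = array('com_contact');

    foreach ($categoryIds as $id) {
        $assets[] = 'com_contact.category.' . (int) $id;
    }

    foreach ($assets as $asset) {
        foreach ($actions as $action) {
            if (authorise($rules, $action, $asset)) {
                return true;
            }
        }
    }

    return false; // deny by default when nothing matches
}

var_dump(pickerAllowedComponentOnly($authorRules));      // author has no component-level core.edit
var_dump(pickerAllowedExtended($authorRules, array(4))); // edit.own / category rule is honoured
var_dump(pickerAllowedExtended(array(), array(4)));      // user with no rules stays locked out
```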
|
There was indeed a notice that needed to be fixed. This is done in #12434. That still means that the changes to the router are not correct.
|
@mbabker |
|
@DGT41 and change `if (!JFactory::getUser()->authorise('core.edit', 'com_contact'))` to and we at last should be Ok... 😺
|
Also, we need an access check for menu.

```php
if ($app->input->get('view') === 'items' && $app->input->get('layout') === 'modal')
{
    if (!JFactory::getUser()->authorise('core.create', 'com_menus'))
    {
        $app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'warning');
        return;
    }
}
```
|
Works for editors up. We need the staging part for the xtd editors and ROOT/components/com_content/content.php which have been lately updated. |
|
I have tested this item ✅ successfully on d09c3d8
|
I have tested this item ✅ successfully on d09c3d8
|
RTC
* menus
* cs
* xtd-contacts
* session check, correct version
* articles
* cs indentation fix
* Update modules.php solving issue for Manager enable to use xtd module in back-end
* Update router.php Solving router issue and let xtd article work fine
* Update router.php Solving contact router issue
* Filters and menu sql fixes
* unification
* implode empty array
* fixes
* revert router, add lang, add/change ACL
* Update router.php
* Update router.php



Pull Request for Issue #12309
Summary of Changes
Testing Instructions
Without patch you get an error
Apply this PR and retry, you should be able to select a menu and a contact respectively
EDIT: PLEASE TRY inserting an article as well!!!
Documentation Changes Required
None
@infograf768 check this one