3.6.3: Allow author to use xtd-editors #12353
Conversation
|
@infograf768 I still believe that the javascript should be on the layout file and not in the plugin. But that's another issue... |
|
@DGT41 |
|
@infograf768 I know, it just bothers me that although someone could (potentially) change the mark up on these views, they have to rewrite the plugins for some lines of js... |
|
Now is ok, but is different from the admin panel procedure. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12353. |
|
@AlexRed
|
|
Please see the video test: http://www.alexred.com/joomla/page-break01.gif |
|
@AlexRed |
|
I use today Nightly + patch |
|
I get exactly the same behaviour as @AlexRed with current staging |
|
I have tested this item 🔴 unsuccessfully on ffdfe68 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12353. |
|
@AlexRed can you try the following: insert $this->eName = JFactory::getApplication()->input->get('e_name', '', 'cmd');at line 11 on administrator/components/com_content/views/article/tmpl/pagebreak.php and report if that fixes the problem? |
|
@DGT41 no it doesnt fix it and the issue is in more than page break - it can also be seen with other exitor-xtd such as modules |
|
I confirm the issue on a clean installation WHEN using using TinyMCE. Please folks, test using Codemirror instead of tinyMCE. @DGT41 |
|
What would be the point of that. It needs to work with all the editors
|
|
The point is that we have an issue with TinyMCE, NOT with the xtd-editors buttons |
|
I do confirm: clean install, NO patch, SuperAdmin logged in frontend, using the pagebreak or modules button: we get the same issue you folks noted when using TinyMCE |
|
Thanks for wasting our time. When you have fixed this PR please let us know. No point at all testing if it works with a different editor |
|
Please test what I said: You should rather thank me for finding this out a few days before release... |
|
yes, I can confirm same problem without this patch as superadmin in frontend. This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12353. |
|
I have tested this item ✅ successfully on ffdfe68 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12353. |
|
I have tested this item ✅ successfully on ffdfe68 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12353. |
|
RTC This should be merged together with #12372 |
| return; | ||
| } | ||
| } | ||
| elseif ($input->get('view') === 'articles' && $input->get('layout') === 'modal') |
There was a problem hiding this comment.
I think we still need the modal check here?
There was a problem hiding this comment.
i do not think so. we already did not need to check for image as it is done in the plugin.
now that we do check in the plugins for all xtds, these are imho useless.
if you insist on keeping some checks here, we would have to change this code and add all xtds here with the correct permissions, as is now done in the plugins themselves.
There was a problem hiding this comment.
@wilsonge
After thought: let's test again to see if we avoid # 33. Will try right now. If needed, I will add all the xtds necessary checks .
There was a problem hiding this comment.
Tested, looked fine.
|
Remove the RTC tag |
|
The ACL check on the component for displaying e.g. pagebreak is not proper (and for the XTD buttons) You can have create / edit / edit.own on a category and not have it at the component level, thus this check is broken for all sites that do not give to their usergroups, these permissions to the component, but instead give them to specific categories (or even specific articles), i had describe this here:
|
|
@ggppdk As a RC-3 has now been released, I suggest you propose a PR to implement it fully. |
|
Please revert this PR. This effectively removes any access checks against the articles view in the backend. Everybody can now access the articles view, even with a guest user. You added checks to prevent a link from being displayed, but not opening the actual resource. Simply open ?option=com_content&view=articles&layout=modal&tmpl=component&{formtoken}=1 on your site and you get a list of all articles that have public viewlevel. |
|
This not only gives you a complete list of the public articles (some of which maybe should not be found yet), it also gives you a complete list of your sites categories, viewlevels, authors and more. A nice truckload of information to further construct attacks against your site. |
|
@hannes Now, an author can indeed use the xtd when creating an article, which was not possible before. When using the same link when not logged in backend just displays the login page |
|
Now, as I said, we can re-add the checks in |
|
Sorry, github swallowed parts of my link. You need to replace {formtoken} with the token. You can get that token from for example the login or contact-form view. This is a serious security issue! |
|
@Hackwar |
|
Taking into account your comment here: I will now make a PR towards staging |
|
Re-adding that check is a good first step. From my perspective, we need to further check this and consider what we display to editors, etc. Should someone with frontend editing capabilities see all categories, viewlevels and articles in the modal? I'd say that we have to restrict all of this to only those elements that the user would have access to. |
|
As we can't right now do all necessary checks, this #12435 will let authors access to the xtds while preventing guest or registered users. |
10 participants
Pull Request for Issue # #10653 (comment) and #12338
Moving the access to the xtd-editors buttons to the plugins themselves.
Allow authors to use xtd-articles and pagebreak.
Main reason: displaying the list of articles to an author or to an Editor does not change the kind of articles displayed in the lists, therefore it is useless to prevent authors from using these lists.
Concerning issues with modals in frontend, this now makes sure all xtd-editors modals are only used by logged in users (Image was already taken care of).
To test:
Make sure you have a menu item to Submit Article in frontend, log as a Author, then submit article and use the buttons Articles, Pagebreak, Module.