[com_fields] Reload task belongs to the component controller #16665
Conversation
|
I have tested this item 🔴 unsuccessfully on 64d9bb2
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16665. |
|
Do the publishing dates also shift? |
|
I have tested this item ✅ successfully on 64d9bb2 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16665. |
|
We need to be careful of ACL here - this is going to expose public data if accessed directly from a URL |
|
Really, it uses the same code and checks as the save function. Which line do you think can be dangerous? |
Maybe I miss something but I don't see any ACL checks at all here. |
|
Why is the allowSave check needed, it doesn't save, it just reloads the page to an url like /cms/administrator/index.php?option=com_content&view=article&layout=edit&id=1. The checkedit id is done in the controller itself. I mean at the end it performs the same action as when you want to edit the article. If you paste that url directly into the browser and you didn't go trough the edit task, then it kicks you back to the list with a warning to not get directly to the edit page. I'v just tested it and it worked as expected. |
It does save the data into the session. It at least feels wrong to have a controller task without any ACL check. Which means anyone could run it. It may not be an issue by itself, but it may bite us back and there is no reason this task should be available unauthorised. Using allowSave or allowEdit (if that fits better due to not saving into db) is a save check we can and should do imho. I don't see a reason to not do it. As for checkEditId, you're right. I just remembered we check it but didn't remember where exactly 😄 |
|
Does this not allow accessing data from any JControllerForm instance (including in the frontend (e.g. com_contact)) without checking the published/acl levels for the item though? |
|
I don't se how, it only stores the jform data into the session. |
|
It is still a POST request receiving user data. It should therefore be properly validated and access controlled. Especially if that data stored into the session can be used in a follow on request (which HAS been used in security issues we have fixed in the last 2 years). |
|
The session is data that the user controls. That means the user has the data which they shouldn't have been allowed to access (for ACL reasons) - and even if it isn't displayed on the page. It's trivial to get the session data if you wanted it. |
|
Does that help d10e8fc? |
|
Imho, the ACL check is now fine. Looking at the redirects, why don't you just use |
|
Just to be sure. Probably not needed. |
|
If there is no specific reason to use |
|
True, done. |
|
RE ACL: I'm honestly unsure given what this function does whether it should be edit or read acl permissions we should be using. But this looks significantly better now :) |
|
It should check edit, as it belongs to the edit action. |
…d-form # Conflicts: # administrator/components/com_fields/helpers/fields.php
|
@laoneo |
|
|
| '/administrator/components/com_messages/layouts/toolbar', | ||
| '/administrator/components/com_messages/layouts', | ||
| // Joomla! __DEPLOY_VERSION__ | ||
| '/components/com_fields/controllers', |
There was a problem hiding this comment.
this targetting a folder. Should be the file.
'/components/com_fields/controllers/field.php',
There was a problem hiding this comment.
This folder has only one file, so better to remove it completely.
There was a problem hiding this comment.
There was a problem hiding this comment.
There was a problem hiding this comment.
As comment says, deleting only the folder may not work when ftp is used.
It is safer to at least delete the file.
If a new article is created and the title is not set and the category has changed, then the validated data is false, will not be set and the admin is loosing all its entered data. So we need to filter here only.
|
Good catch. Fixed it in the last commits. |
|
Works now. Remains the necessary changes in script.php |
|
Ok, done. |
|
I have tested this item ✅ successfully on fb925e7 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16665. |
1 similar comment
|
I have tested this item ✅ successfully on fb925e7 This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16665. |
|
RTC after two successful tests. |
|
Thanks guys! |
7 participants
Pull Request for Issue #15995.
Summary of Changes
When a category changes for an article the page got reloaded to determine the custom fields. Actually this action got delegated to the com_fields controller. On that point the data is unvalidated stored in the session. This can lead to time shifts when the Joomla timezone is not UTC, more information can be found in issue #15995.
This pr reloads the page trough the component controller and not the com_fields one.
Testing Instructions
Expected result
The time in the custom field remains.
Actual result
The time in the custom field shifts the same hours as the Joomla timezone has.