Joomla! Discussion Forums



Posted: Fri Nov 06, 2009 5:00 pm 
Joomla! Intern

Joined: Thu Apr 30, 2009 6:21 pm
Posts: 78
I must be missing something here. I know 1.6 will solve this but I need to implement this little security check now.

The code below works as expected; any author can perform the edit task in com_mycomponent.
Code:
// Setup permissions
$acl   = & JFactory::getACL();
$acl->addACL( 'com_mycomponent', 'edit', 'users', 'author');

// Authorize user
$user =& JFactory::getUser();
$access = new stdClass();
$access->canEditOwn = $user->authorize('com_mycomponent', 'edit');


The code below does not work as expected. All authors are still allowed to perform the edit task in com_mycomponent instead of only the specific user.
Code:
// Setup permissions
$acl   = & JFactory::getACL();
$acl->addACL( 'com_mycomponent', 'edit', 'users', 'author','mycomponent','own' );

// Authorize user
$user =& JFactory::getUser();
$access = new stdClass();
$access->canEditOwn = $user->authorize('com_mycomponent', 'edit', 'mycomponent', 'own');


I have scoured a good deal of core files but still cannot see how this works for com_content but not mycomponent. I know the created_by field exists for com_content but I don't see where this check is performed when authorizing a user. My component currently does not have a way of identifying who created it so how is this implemented?

Thanks.

_________________
Site: http://billengle.info


Posted: Fri Nov 06, 2009 7:15 pm 
Joomla! Intern

Joined: Thu Apr 30, 2009 6:21 pm
Posts: 78
If it helps, mycomponent follows the same security model as com_content. Basically, if someone authors an article (com_content) then they have edit access to the related mycomponent piece.

I have tried
Code:
$acl->addACL( 'com_mycomponent', 'edit', 'users', 'author','content','own' );


thinking it would use the same logic but no.

Anyone?

_________________
Site: http://billengle.info


Posted: Tue Nov 10, 2009 1:13 pm 
Joomla! Exemplar

Joined: Thu Jul 17, 2008 3:10 pm
Posts: 7695
Location: Europe
Would you not use something like this, if it is about the articles:

Code:
$access->canEditOwn = $user->authorize('com_content', 'edit', 'content', 'own');


Olaf

_________________
Olaf Offick
Learn Skills - a world of learning at your fingertips
http://learn-skills.org


Posted: Tue Nov 10, 2009 4:31 pm 
Joomla! Intern

Joined: Thu Apr 30, 2009 6:21 pm
Posts: 78
ooffick wrote:
Would you not use something like this, if it is about the articles:

Code:
$access->canEditOwn = $user->authorize('com_content', 'edit', 'content', 'own');


Olaf


Thanks for the response.

I tried that but the problem is the component I am accessing is not com_content it is com_mycomponent. This custom component is linked back to an article and has the same security structure; however, the data presented by com_mycomponent must be separate from com_content.

Any thoughts as to where the last two parameters are checked? I dug all the way down to acl_check() function in JAuthorization class but I do not see how it is checking "own".

Thanks for your help.

_________________
Site: http://billengle.info


Posted: Wed Nov 11, 2009 2:15 pm 
Joomla! Intern

Joined: Thu Apr 30, 2009 6:21 pm
Posts: 78
Still not sure what com_content is doing to enforce this.

Instead I came up with a workaround which will do for now.

Code:
$user =& JFactory::getUser();
$db =& JFactory::getDBO();
$sql = ' SELECT * '.
   ' FROM #__content'.
   ' WHERE id = ' . JRequest::getVar('id') .
   ' AND created_by = ' . $user->id;
$db->setQuery($sql);
$is_author = $db->loadObject();
      
if (isset($is_author)) {
   return true;
} else {
   return false;
}

_________________
Site: http://billengle.info


Posted: Wed Nov 11, 2009 2:20 pm 
Joomla! Explorer

Joined: Wed Apr 15, 2009 5:33 pm
Posts: 282
Location: Fortaleza, CE
Just fix that sql to prevent damage to your tables.
You're not even filtering the article id. Replace JRequest::getVar('id') with JRequest::getInt( 'id' )

_________________
-------------------------------------------------------------------
Nailson Oliveira - http://imagineseusite.com.br/
-------------------------------------------------------------------
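
The effect of the integer filter suggested above on the ownership check, as an added example that is not part of the original posts and is not Joomla code. It assumes PHP with the pdo_sqlite extension; the jos_content table, its rows, user id 63 and the function names are constructed for illustration.

```php
<?php
// Added example: stand-alone PHP, not Joomla code. Needs pdo_sqlite.
// jos_content and its two rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jos_content (id INTEGER PRIMARY KEY, created_by INTEGER)');
$pdo->exec('INSERT INTO jos_content (id, created_by) VALUES (1, 62), (2, 63)');

// Same shape as the workaround: the request value is concatenated unfiltered,
// so anything after the number becomes part of the WHERE clause.
function isAuthorUnfiltered(PDO $pdo, $rawId, $userId)
{
    $sql = 'SELECT id FROM jos_content WHERE id = ' . $rawId
         . ' AND created_by = ' . (int) $userId;
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened: reduce the id to an integer first (the role JRequest::getInt
// plays in the thread) and bind both values instead of concatenating them.
function isAuthorFiltered(PDO $pdo, $rawId, $userId)
{
    $id  = (int) $rawId;
    $uid = (int) $userId;
    if ($id <= 0 || $uid <= 0) {
        return false; // no usable article id, or a guest (user id 0)
    }
    $stmt = $pdo->prepare(
        'SELECT 1 FROM jos_content WHERE id = :id AND created_by = :uid'
    );
    $stmt->execute(array(':id' => $id, ':uid' => $uid));
    return $stmt->fetchColumn() !== false;
}

// User 63 (constructed) wrote article 2 only. The last value is a constructed
// non-numeric id of the kind an integer filter is there to reject.
foreach (array('2', '1', '1 OR 1=1') as $rawId) {
    printf(
        "id=%-12s unfiltered=%-5s filtered=%s\n",
        var_export($rawId, true),
        var_export(isAuthorUnfiltered($pdo, $rawId, 63), true),
        var_export(isAuthorFiltered($pdo, $rawId, 63), true)
    );
}
```

For the third id the unfiltered check reports ownership of an article user 63 did not write, while the filtered check evaluates article 1 and refuses.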


Posted: Wed Nov 11, 2009 3:42 pm 
Joomla! Intern

Joined: Thu Apr 30, 2009 6:21 pm
Posts: 78
Doh. Nice catch.
nailson_imgn wrote:
Just fix that sql to prevent damage to your tables.
You're not even filtering the article id. Replace JRequest::getVar('id') with JRequest::getInt( 'id' )

_________________
Site: http://billengle.info

