Special access content shown to Authors...

Discussion regarding Joomla! security issues.

kroonweb
Joomla! Apprentice
Posts: 5
Joined: Sun Jan 06, 2008 9:12 pm
Location: Rotterdam, Holland

Special access content shown to Authors...

Post by kroonweb » Sat Feb 02, 2008 12:39 pm

I just noticed that content marked 'Special' access can be viewed by registered users with Author status.
Is this a bug? Am I forgetting something? Is the online manual completely wrong? http://help.joomla.org/content/view/1516/278/
Last edited by kroonweb on Thu Feb 07, 2008 8:21 pm, edited 1 time in total.

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: Special access content shown to Authors !?!?

Post by infograf768 » Sat Feb 02, 2008 3:22 pm

Content Access Classification:

In Joomla! Content is classified by who can view/access it. There are three levels of Content Access Classification:

    * Public - open to all visitors to the web site.
    * Registered - restricted to all seven Registered User Groups of the web site.
    * Special - restricted to all User Groups except Guest and Registered.

NOTE: The Special Classification uses the individual Group's authority levels to determine precisely what Special Access is actually permitted.
Author is within the Special range.
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

kroonweb
Joomla! Apprentice
Posts: 5
Joined: Sun Jan 06, 2008 9:12 pm
Location: Rotterdam, Holland

Re: Special access content shown to Authors, yes indeed

Post by kroonweb » Mon Feb 04, 2008 2:08 pm

Got it now: Special access - restricted to all User Groups except Guest and Registered.
How can I edit the individual group authority levels for groups?
What does jos_core_acl_aro_groups do with fields lft and rgt?
How can I shrink the restriction to fewer groups?
More posts about this subject:
http://forum.joomla.org/index.php?topic=164774.0
http://forum.joomla.org/index.php/topic ... msg1174975
http://www.joomlahacks.com/smf/index.ph ... g7296.html

A solution would probably be to extend Joomla! with one of these:
http://extensions.joomla.org/index.php? ... &Itemid=35

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Special access content shown to Authors !?!?

Post by PhilD » Wed Feb 06, 2008 5:57 am

Don't know if this will help or not, but I did this for a clubs website. I get 3 levels of access without editing abilities (like a second registered category) for author level.

This is a core file modification, but is easy to make.

In the file includes/gacl.class.php, I made these changes under where it says actions, at about line 178 or so. The original line is remarked out with the new line above it:

In the line $this->_mos_add_acl( 'action', 'add', 'users', 'author', 'content', 'all' ); I removed the word author. There are two places in this section to do this. I copied and pasted the action section below from my gacl.class.php file with the mods made and commented. Use if you like, but note this is only the top sections of actions where the edits were made.

// actions
      //Modifications added to remove author level actions. Original line is marked out. 12-17-07
      // This prevents changes from being allowed by authors enabling you to use the author registration level
      // for club members.
      $this->_mos_add_acl( 'action', 'add', 'users', 'content', 'all' );
      //$this->_mos_add_acl( 'action', 'add', 'users', 'author', 'content', 'all' );
      $this->_mos_add_acl( 'action', 'add', 'users', 'editor', 'content', 'all' );
      $this->_mos_add_acl( 'action', 'add', 'users', 'publisher', 'content', 'all' );
      $this->_mos_add_acl( 'action', 'edit', 'users', 'content', 'own' );
      //$this->_mos_add_acl( 'action', 'edit', 'users', 'author', 'content', 'own' );
      $this->_mos_add_acl( 'action', 'edit', 'users', 'editor', 'content', 'all' );
      $this->_mos_add_acl( 'action', 'edit', 'users', 'publisher', 'content', 'all' );
      $this->_mos_add_acl( 'action', 'publish', 'users', 'publisher', 'content', 'all' );

                ~~~~~~ rest of section actions here ~~~~~~~~~~

Club members are set to "Author" level and Content set to "Special" is only viewable to them. 


The end result is club members are author permission level but they can't perform any "author" level actions.

Regular people can still register on the site, and also buy things from the store without accessing anything that is club members only. This solves the problem of giving "more private" permissions to club members without the ability to actually do any author level editing, having a login module visible, and still letting non club people register to purchase items from the store.

Guests and registered members will not see anything that only club members are supposed to see. Club members, once logged in, will have additional menu items, sections, etc. available to them that registered users don't.

The mods I made were based on the information I found here:
http://demo.joomlaworks.gr/content/view/23/32/

The link provides information on how to make other permission "adjustments" and is worth a read and was the inspiration for the above mod.
PhilD

kroonweb
Joomla! Apprentice
Posts: 5
Joined: Sun Jan 06, 2008 9:12 pm
Location: Rotterdam, Holland

Re: gacl.class.php - user level authentications

Post by kroonweb » Thu Feb 07, 2008 8:19 pm

Thx PhilD for the hint and the link. I tweaked gacl.class a bit, but I really wanted something else:
1. make registered users default authors
2. make authors not part of the 'Special' content authorisation group but of the 'Registered' content group,
so some content can be hidden from 'Public' & 'Registered' but viewable for 'Special' (publishers, managers, administrators)

The first was solved by this hack in /components/com_registration/registration.php:
replace 'Registered' with 'Author'

Code: Select all

function saveRegistration() {
	global $database, $acl;
...
	$row->id 		= 0;
	$row->usertype 	= '';
	$row->gid 		= $acl->get_group_id( 'Author', 'ARO' );
...

The second hack I didn't find yet, but this can be solved by an extension.
If somebody knows a quick & dirty trick, let me know. Thx.
Last edited by kroonweb on Thu Feb 07, 2008 8:31 pm, edited 1 time in total.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Special access content shown to Authors...

Post by PhilD » Fri Feb 08, 2008 2:58 am

I must not follow completely, which can be normal  :D

I don't think you can take authors out of the special group. At least not without something like JACLPlus, which makes many modifications to core Joomla files.

If you want authors to only edit their own content you might play around with the "all" and "own" in the gacl.class.php section, but leave author in the lines and see what happens.

The change I gave essentially makes all author level users registered users as far as actions available to the various levels go. It takes away any author actions from authors so they only have registered user actions available. All other author level permissions are still in effect, i.e. they are actually in the special group. That way you can hide articles, buttons etc. from registered and public users but have them show for anyone of author level.

Like I said I get 3 different levels of users to my site. Public, registered who are users who bought from the store or just registered on the site, and Club Members. Only club members have access to the private club areas. When a club member logs in, they will have additional menu items, articles, and other information available to them. Since I do not want club members to be able to add, change, or otherwise mess anything up, I restricted them in their actions using the above mod.   

Soap Box Time.
I would agree with many people on the forum that Joomla is VERY severely lacking in any real kind of permission levels. I would also agree that advanced permissions should be built in and not some convoluted component add-on that must be redone every time a new version of Joomla comes out. Heck, SMF (Simple Machine Forum) has a pretty good way of creating and setting permission levels; why can't Joomla have something similar? Pick and choose what users can and cannot do. Need a special group? Make one based on another group's permissions and then adjust the new group's permissions as needed.
PhilD

peetree21
Joomla! Enthusiast
Posts: 115
Joined: Sat Nov 26, 2005 1:16 am

Re: Special access content shown to Authors...

Post by peetree21 » Sun Nov 16, 2008 1:19 pm

Yes, it is a huge letdown on Joomla's behalf that the ACL is so limited. I really don't think Authors should be in the Special group.

I have a website of 5000 members and want any member who wants to submit an article to be able to. The only problem with making everyone an author is that they then have 'Special' access rights, so I cannot hide menu items and modules etc. from all my members. So for years now I have had to make do with just keeping my members set to registered, but I've now decided that I need my users to be able to submit articles.

Anyone know how they can submit articles as registered members, or how to remove author from the special ACL group?

DraeZ
Joomla! Fledgling
Posts: 1
Joined: Mon May 25, 2009 6:50 am

Re: Special access content shown to Authors...

Post by DraeZ » Tue Jun 02, 2009 4:01 am

Nice workaround, PhilD. I like the way you think.
I see your wheels were turning. This is exactly what will keep me going until 1.6 comes out.

Maybe you can give me a suggestion on my math site.

I want unregistered users to be able to access level 1.
Registered users to access level 1 and level 2.
Special(authors) to access level 1 2 and 3.

For a person to go from Registered to Author (special), they have to pay a subscription fee.

I would then have to manually check that they made the payment and change their group. I might get lazy/busy and not be able to update permissions regularly.

I thought of making manual temporary accounts. So right as a person pays they get sent an (auto) email with a pre-created username and password listed in it; maybe PayPal IPN can do this, or Outlook Express with rules. Once I get around to changing their permission, I email them and tell them they can use their account again. Then I delete the temporary (special user) and make a new one and add it to the email.

How do I make this process the least stressful for me, so it is semi-automatic and people can access level 1, 2 and 3 right after they pay? I'm trying to stick to free methods for now. Give me your suggestions please. Feel free to think outside the box.

My main goal is to give them automatic access to level 1, 2 and 3 after they pay.

flatsilver
Joomla! Enthusiast
Posts: 141
Joined: Wed Feb 11, 2009 3:38 am

Re: Special access content shown to Authors...

Post by flatsilver » Mon Jun 22, 2009 2:36 am

Hi,
I am looking for something similar, I believe.
I have a CB community.
I am trying to offer a free registered level of membership and then a premium level for a member so they can have access to special items and such.
Can you offer any advice or help?
Thanks

cw3le
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 12:53 am

Re: Special access content shown to Authors...

Post by cw3le » Sat Jan 23, 2010 4:03 pm

The file you've mentioned - gacl.class.php in the includes folder only contains the following line:

require_once( dirname(__FILE__) .'/../libraries/phpgacl/gacl.php' );

In that folder, phpgacl, there are two files - gacl.php and gacl-api.php.
Neither of them contains the code you're talking about, so how am I supposed to follow your instructions? What version of Joomla! did you use back then?

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Special access content shown to Authors...

Post by PhilD » Sat Jan 23, 2010 5:41 pm

To make author level a class of registered user so you can have registered site users (free level) and site users who have access to hidden content (premium level) that is not available to free level users, you can do the following core hack.

This is for version 1.0.xx of Joomla. In the 1.5.xx version the file is located (and named) differently, and I will have to look it up.
In the 1.0.xx version of Joomla, open /includes/gacl.class.php and look for this section:

Code: Select all

// actions
		$this->_mos_add_acl( 'action', 'add', 'users', 'author', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'add', 'users', 'editor', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'add', 'users', 'publisher', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'author', 'content', 'own' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'editor', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'publisher', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'publish', 'users', 'publisher', 'content', 'all' );

Find the lines with author in them and remove author, like so:

Code: Select all

// actions
		// 'author' removed from the add and edit lines below
		$this->_mos_add_acl( 'action', 'add', 'users', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'add', 'users', 'editor', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'add', 'users', 'publisher', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'content', 'own' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'editor', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'edit', 'users', 'publisher', 'content', 'all' );
		$this->_mos_add_acl( 'action', 'publish', 'users', 'publisher', 'content', 'all' );

Save and upload it back. This will enable you to promote registered users (free) to author (premium), which is in the 'special' Joomla group, but the authors won't have any more rights than registered users. Make the content etc. you want hidden visible to the 'special' Joomla group and then only those with author privileges can see the content. The author level will not have normal author privileges, but more like normal registered users. I use this core hack to make a club member level with content visible only to club members.
PhilD

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Special access content shown to Authors...

Post by PhilD » Sat Jan 23, 2010 5:52 pm

In Joomla 1.5.xx you can do the same by modifying the /libraries/joomla/user/authorization.php file

Look for the following section:

Code: Select all

// actions
		$this->addACL( 'com_content', 'add', 'users', 'author', 'content', 'all' );
		$this->addACL( 'com_content', 'add', 'users', 'editor', 'content', 'all' );
		$this->addACL( 'com_content', 'add', 'users', 'publisher', 'content', 'all' );
		$this->addACL( 'com_content', 'edit', 'users', 'author', 'content', 'own' );
		$this->addACL( 'com_content', 'edit', 'users', 'editor', 'content', 'all' );
		$this->addACL( 'com_content', 'edit', 'users', 'publisher', 'content', 'all' );
		$this->addACL( 'com_content', 'publish', 'users', 'publisher', 'content', 'all' );

Remark out the two lines that contain author like so:

Code: Select all

// actions
		//$this->addACL( 'com_content', 'add', 'users', 'author', 'content', 'all' );
		$this->addACL( 'com_content', 'add', 'users', 'editor', 'content', 'all' );
		$this->addACL( 'com_content', 'add', 'users', 'publisher', 'content', 'all' );
		//$this->addACL( 'com_content', 'edit', 'users', 'author', 'content', 'own' );
		$this->addACL( 'com_content', 'edit', 'users', 'editor', 'content', 'all' );
		$this->addACL( 'com_content', 'edit', 'users', 'publisher', 'content', 'all' );
		$this->addACL( 'com_content', 'publish', 'users', 'publisher', 'content', 'all' );

You can now use author level as a (premium) registered level so that content etc. marked as 'special' will be visible to them, but they have only registered user privileges like the 1.0.xx core hack in the post above provides.
PhilD
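
Added example (not part of the original posts and not Joomla core code): a simplified PHP model of the two separate checks this thread keeps running into, the view access level of an item and the per-group action rules. Function names, the numeric level values and the lower-case group names are assumptions of the model; it shows why removing the author action rows leaves 'Special' viewing untouched.

```php
<?php
// Added illustration, not Joomla core code. Function names are hypothetical;
// the numeric levels and lower-case group names are assumptions of this model.
const ACCESS_PUBLIC = 0;
const ACCESS_REGISTERED = 1;
const ACCESS_SPECIAL = 2;

// Groups inside the "Special" range according to the thread: Author and above.
const SPECIAL_GROUPS = ['author', 'editor', 'publisher', 'manager',
                        'administrator', 'super administrator'];

// Check 1 (viewing): map the user's group to the highest level it may see.
function viewLevel(?string $group): int
{
    if ($group === null) {
        return ACCESS_PUBLIC; // guest, not logged in
    }
    return in_array($group, SPECIAL_GROUPS, true) ? ACCESS_SPECIAL : ACCESS_REGISTERED;
}

function canView(?string $group, int $itemAccess): bool
{
    return viewLevel($group) >= $itemAccess;
}

// Check 2 (actions): one row per addACL()-style line, as [action, group, scope].
function actionRules(bool $withAuthorRows): array
{
    $rules = [
        ['add', 'editor', 'all'], ['add', 'publisher', 'all'],
        ['edit', 'editor', 'all'], ['edit', 'publisher', 'all'],
        ['publish', 'publisher', 'all'],
    ];
    if ($withAuthorRows) { // the two rows the posts above comment out
        $rules[] = ['add', 'author', 'all'];
        $rules[] = ['edit', 'author', 'own'];
    }
    return $rules;
}

function canDo(array $rules, ?string $group, string $action): bool
{
    foreach ($rules as $rule) {
        if ($rule[0] === $action && $rule[1] === $group) {
            return true;
        }
    }
    return false; // no matching row means the action is denied
}

// Constructed comparison: stock rules versus rules with the author rows removed.
$variants = ['stock' => actionRules(true), 'author rows removed' => actionRules(false)];
foreach ($variants as $label => $rules) {
    foreach ([null, 'registered', 'author', 'editor'] as $group) {
        printf("%-20s %-10s view-special=%-5s add=%-5s edit=%s\n",
            $label, $group ?? 'guest',
            var_export(canView($group, ACCESS_SPECIAL), true),
            var_export(canDo($rules, $group, 'add'), true),
            var_export(canDo($rules, $group, 'edit'), true));
    }
}
```

In both variants the author row keeps view-special=true; only its add and edit columns change, because the view check never consults the action rows.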

cw3le
Joomla! Apprentice
Posts: 9
Joined: Fri Jan 08, 2010 12:53 am

Re: Special access content shown to Authors...

Post by cw3le » Sat Jan 23, 2010 11:53 pm

PhilD wrote: In Joomla 1.5.xx you can do the same by modifying the /libraries/joomla/user/authorization.php file

And that was what I've been looking for. Thanks! : )

ventus
Joomla! Fledgling
Posts: 1
Joined: Wed Feb 24, 2010 1:16 pm

Re: Special access content shown to Authors...

Post by ventus » Wed Feb 24, 2010 1:20 pm

I tried this, but it's not working for menus/modules.

How can you hide menus/modules doing a similar hack?

citydan
Joomla! Intern
Posts: 98
Joined: Mon May 11, 2009 3:00 am

Re: Special access content shown to Authors...

Post by citydan » Sat Feb 27, 2010 5:29 pm

I'm hoping for a way to set view permissions for modules (menus) as well. My hope is to have free open access to anonymous and registered users while having only certain menus and articles viewable by superadmin.

PhilD
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA

Re: Special access content shown to Authors...

Post by PhilD » Sat Feb 27, 2010 10:40 pm

citydan wrote: I'm hoping for a way to set view permissions for modules (menus) as well. My hope is to have free open access to anonymous and registered users while having only certain menus and articles viewable by superadmin.

That is done by what permission level you set for the menu button, article, module, etc.
There are 3 general levels: Public, Registered, and Special.
Each builds on permissions of the previous one, i.e. the Special level inherits all special and public permissions.

All persons assigned in user to levels of Author and above are in the Special category.
Super-admin is in that Special category, and if you don't assign any users higher than registered then they cannot see what is assigned to special level.

If you need more control than that there are many extensions that will expand what you can assign to users and what level users are.
PhilD

jrajani
Joomla! Fledgling
Posts: 1
Joined: Thu Sep 11, 2008 6:10 pm

Re: Special access content shown to Authors...

Post by jrajani » Tue Apr 27, 2010 4:43 pm

Is there a way in Joomla 1.5 to auto assign a "special" access level upon registration? I have a website where I need to assign 'special' level access to members who register using a link that contains an account number. The sticking point is trying to auto-set the access level to 'special'. Thanks for your help.

ifeanyiagu
Joomla! Fledgling
Posts: 4
Joined: Fri May 07, 2010 8:52 am

Re: Special access content shown to Authors...

Post by ifeanyiagu » Tue May 11, 2010 9:42 am

@Phil
The hack that you said works for content. Does it also work for modules? I created a module and made its access special, but I noticed that after using your hack, authors cannot see the module when they log in. Please, what could be the problem?

duckjunkie
Joomla! Intern
Posts: 68
Joined: Tue Jun 29, 2010 3:30 am

Re: Special access content shown to Authors...

Post by duckjunkie » Sun Jul 04, 2010 6:08 am

@jrajani
If I understand your question correctly, do this (Joomla 1.5):
Log into back end
Global Configuration
User Settings
New User Registration Type

