[edit]found it: http://joomlacode.org/gf/project/joomla ... m_id=27819[/edit]
Articles are displayed even thou the user has no access to the category the article is assigned to.
Now before replying 'that is not a bug, it is a feature', please note that in other parts of the core this behaviour is different. For example in the search plugin 'content' the articles are checked both for article access and category access. Also in the article model the check is done for both.
This bug is in the 2.5 RC1 which 2.5 is suppose to release today!
But the same thing is in Joomla 1.7 and 1.6. So I am flabegasted no one has ever noticed this
HERE IS THE FIX:
file: components/com_content/models/articles.php
line: 246 (joomla 2.6) 244 (joomla 1.7 and joomla 1.6)
Code: Select all
$query->where('a.access IN ('.$groups.')');Code: Select all
$query->where('a.access IN ('.$groups.')');
$query->where('c.access IN ('.$groups.')');On a default install open the homepage. Note the article 'beginners' is shown. Then in the category-manager open category 'joomla' (which is the category the article is assigned to). Set category 'joomla' access level to 'registered'. Refresh the search page. The article is no longer in the search results. Then go to the frontpage, the article is still displayed there. So the content plugin is not displaying the restricted article, but the frontpage still is.
HERE IS HOW TO TEST COMPARE WITH THE ARTICLE MODEL:
On a default install open the homepage. Note the article 'beginners' is shown. Then in the category-manager open category 'joomla' (which is the category the article is assigned to). Set category 'joomla' access level to 'registered'. Refresh the frontpage. The article is still displayed. Then click to open the article and you get 'You are not authorised to view this resource.'
