Author and above can edit every article

[neologyc]

Hello,
today I found terrible mistake in Joomla 1.5.8.

In case you´re registered as an author or above and signed in at Joomla website (frontend), you can edit every article, including the articles wrote by another user, including administrator´s. By adding parameter '&layout=form' at the end of link, which points to the article.
example: http://localhost/test_joomla/index.php? ... ayout=form
There is a form for editing actual article, and in case you save edited article, it is online. So i think, its a problem.

I tried it now in new installation of J1.5.8.

Can you please help me to resolve this?

[dallen]

Joomla 1.6 is supposed to address the issue of being able to edit other users articles. A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for(hasn't been a big issue for us). There is an extension that is supposed to add this you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.

[doc_flake]

A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for(hasn't been a big issue for us). There is an extension that is supposed to add this you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.

I doubt not that this hasn't been an issue for many users. But our site relies on the fact that articles have to be proof-read by a publisher prior to release. So it's quite a big issue for us and I may not be able to wait some more few years (!) before it's fixed.
Dallen, do you have some more information concerning that extension by chance? I did a search but have not been lucky so far.

[RysiuM]

Actually using the article link in the browser any user can access any article (at least for reading) on his security level regardless if the fact article has been published or not. Just type in the link to any valid article and then you will get one of possible responses:

- If article security level is lower or equal user security level it will be displayed regardless of the article state (published or not)
- If article security level is higher then user's security level then either login screen will appear for guests) or message screen will appear that article does not exist (for logged in users).

I hope adding some code to components\com_content\views\article\view.html.php will plug this hole (function display )

[RysiuM]

I hope adding some code to components\com_content\views\article\view.html.php will plug this hole (function display )

I think I plugged this hole (view by typing article link and edit by adding &Layout=Form).

The logic is not so simple, and in my solution I changed authority of Author, so he can't edit only his unpublished articles and Editor can edit only unpublished articles (Published articles can be edited only by publisher). I have this logic because it fits better to publishing lifecycle.

OK here are changes, I made into components\com_content\views\article\view.html.php

Line number 48. Go straight to _displayForm without validation only for new articles.

Code: Select all

    //  Fix RMA:  Display form without checking for new articles only
    //	***Deleted line:
    //  if($this->getLayout() == 'form') {
    //	***Inserted line:
        if(($this->getLayout() == 'form') && ($article->id == 0)) {

Line 80 (after the change above): Do access checking for for Editing (layout=form), then separate checking for viewing. The following code replaces line:
if ($article->access <= $aid) {

Code: Select all

    // Fix RMA:  Elaborate authorieties for view and edit articles:
    //   User security access must be at least at article security acces
    //   and :
    //       Article must be published for view by anyone.  Only Publisher can edit published articles,
    //       or User must be Editor or more to view or edit unpublished articles,
    //       or Author can view and edit his own unpublished articles
    //	***Deleted line:
    //  	if ($article->access <= $aid) {
    //
    //  ***Inserted lins:
    //  Fix RMA:  Checking authority for Editing
     if($this->getLayout() == 'form') 
     {
        if ($article->access <= $aid && (($article->state == 1 && $access->canPublish )|| ($article->state == 0 && $access->canEdit) || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id')) ))
        {
           $this->_displayForm($tpl);
           return;
        } else {
           JError::raiseWarning( 403, JText::_('ALERTNOTAUTH') );
           return;
        }
     }
    
    //  Fix RMA:  Checking authority for Viewing
    if ($article->access <= $aid && ($article->state == 1 || ($article->state == 0 && $access->canEdit) || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id')) )) {
    //	***End of Inserted lines:

I'm sure this can be written better, but this works, and I wanted to share the logic I came with.

[doc_flake]

RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with an other urgent project right now. I'll report my results here later on.

[RysiuM]

RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with an other urgent project right now. I'll report my results here later on.

When you have time you may look at the "whole pack" of related fixes/hacks posted here in Administrator forum

[doc_flake]

RysiuM, your work is amazing. I applied your well documented hack to my test environment. So far it's running fine and solves all the issues with unauthorized acces I had. I'll give it a few more days before transferring it to our live site, just in case ... Thank you very much!!!

Dear developpers / bug-squad-members,
I would appreciate it, if RysiuM's work would find its way into the next patch!

[timcoweb]

I have used this hack...after I changed the coding, the right side of my main content area stopped working. My edit icon and the right side of my JCE editor's links stop resonding. Any ideas why this would happen?

[stefan4970]

Hello,

I have a similar issue: As soon as I assign a registered user to another noixACL group (multigroups) this user is able to edit every article on my page. So it is impossible for me to have users with viewing rights to certain content and writing rights to other content.

Did I miss something in the configurations or is this a bug?

Thanks!