Author and above can edit every article
- Joomla! Apprentice
- Posts: 8
- Joined: Sun Aug 17, 2008 10:33 am
Author and above can edit every article
Hello,
today I found a terrible mistake in Joomla 1.5.8.
If you are registered as an Author or above and signed in at the Joomla website (frontend), you can edit every article, including articles written by another user and including the administrator's, by adding the parameter '&layout=form' at the end of the link which points to the article.
example: http://localhost/test_joomla/index.php? ... ayout=form
There is a form for editing the actual article, and if you save the edited article, it is online. So I think it's a problem.
I tried it just now in a new installation of J1.5.8.
Can you please help me to resolve this?
- Joomla! Enthusiast
- Posts: 135
- Joined: Fri Oct 12, 2007 12:52 am
Re: Author and above can edit every article
Joomla 1.6 is supposed to address the issue of being able to edit other users' articles. A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for (it hasn't been a big issue for us). There is an extension that is supposed to add this which you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.
- Joomla! Enthusiast
- Posts: 147
- Joined: Fri Mar 21, 2008 9:26 pm
- Location: Bad Schwartau / Lubeck, Germany
Re: Author and above can edit every article
dallen wrote:
A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for (hasn't been a big issue for us). There is an extension that is supposed to add this you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.

I don't doubt that this hasn't been an issue for many users. But our site relies on the fact that articles have to be proof-read by a publisher prior to release. So it's quite a big issue for us and I may not be able to wait a few more years (!) before it's fixed.
Dallen, do you have some more information concerning that extension by chance? I did a search but have not been lucky so far.
- RysiuM
- Joomla! Apprentice
- Posts: 42
- Joined: Thu Jan 08, 2009 6:22 am
Re: Author and above can edit every article
Actually, using the article link in the browser, any user can access any article (at least for reading) at his security level, regardless of whether the article has been published or not. Just type in the link to any valid article and you will get one of the possible responses:
- If the article security level is lower than or equal to the user's security level, it will be displayed regardless of the article state (published or not)
- If the article security level is higher than the user's security level, then either a login screen will appear (for guests) or a message screen will appear saying that the article does not exist (for logged-in users).
I hope adding some code to components\com_content\views\article\view.html.php (function display) will plug this hole.
- RysiuM
- Joomla! Apprentice
- Posts: 42
- Joined: Thu Jan 08, 2009 6:22 am
Re: Author and above can edit every article
RysiuM wrote:
I hope adding some code to components\com_content\views\article\view.html.php will plug this hole (function display )

I think I plugged this hole (view by typing the article link and edit by adding &Layout=Form).
The logic is not so simple, and in my solution I changed the authority of Author, so he can edit only his own unpublished articles, and Editor can edit only unpublished articles (published articles can be edited only by Publisher). I have this logic because it fits better with the publishing lifecycle.
OK, here are the changes I made to components\com_content\views\article\view.html.php.
Line number 48. Go straight to _displayForm without validation only for new articles.
Code:
// Fix RMA: Display form without checking for new articles only
// ***Deleted line:
// if($this->getLayout() == 'form') {
// ***Inserted line:
if (($this->getLayout() == 'form') && ($article->id == 0)) {

Then, at the line `if ($article->access <= $aid) {`:
Code:
// Fix RMA: Elaborate authorities for viewing and editing articles:
// User security access must be at least the article security access
// and:
// Article must be published for view by anyone. Only Publisher can edit published articles,
// or User must be Editor or more to view or edit unpublished articles,
// or Author can view and edit his own unpublished articles
// ***Deleted line:
// if ($article->access <= $aid) {
//
// ***Inserted lines:
// Fix RMA: Checking authority for Editing
if ($this->getLayout() == 'form')
{
    if ($article->access <= $aid
        && (($article->state == 1 && $access->canPublish)
            || ($article->state == 0 && $access->canEdit)
            || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id'))))
    {
        $this->_displayForm($tpl);
        return;
    } else {
        JError::raiseWarning( 403, JText::_('ALERTNOTAUTH') );
        return;
    }
}
// Fix RMA: Checking authority for Viewing
if ($article->access <= $aid
    && ($article->state == 1
        || ($article->state == 0 && $access->canEdit)
        || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id')))) {
// ***End of inserted lines
I'm sure this can be written better, but this works, and I wanted to share the logic I came up with.
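The two decisions made in the hack above (who may open the edit form, and who may view an article at all, which also covers the "type the article link" case from the earlier post) are easy to get wrong when they are buried in one long condition. The following is an added example, not part of RysiuM's post and not Joomla's own code: the same policy written as two pure PHP functions over objects shaped like com_content's $article and the $access flags the hack reads, so it can be run and checked outside Joomla. The function names (articlePolicyCanView, articlePolicyCanEdit, makeArticle, makeAccess), the scenario data, and the assumption that access level 0/1/2 means Public/Registered/Special are choices of this example.

```php
<?php
// Added example (not Joomla core and not RysiuM's patch): the view/edit
// policy described in this thread as two pure functions.
// Field names mirror Joomla 1.5's com_content objects as used in the hack:
// $article->access, ->state, ->created_by and $access->canEdit / canEditOwn /
// canPublish. Helper names and scenario data are assumptions of this example.

const STATE_UNPUBLISHED = 0;
const STATE_PUBLISHED   = 1;

function makeArticle(int $id, int $access, int $state, int $createdBy): stdClass {
    $a = new stdClass();
    $a->id         = $id;
    $a->access     = $access;    // assumed: 0 = Public, 1 = Registered, 2 = Special
    $a->state      = $state;
    $a->created_by = $createdBy;
    return $a;
}

function makeAccess(bool $canEdit, bool $canEditOwn, bool $canPublish): stdClass {
    $ac = new stdClass();
    $ac->canEdit    = $canEdit;     // may edit any article (Editor and above)
    $ac->canEditOwn = $canEditOwn;  // may edit own articles (Author)
    $ac->canPublish = $canPublish;  // may publish; here also: may edit published articles
    return $ac;
}

// Viewing: the access level must allow it, and an unpublished article is
// visible only to someone who could edit it. Values are cast because real
// database rows arrive as strings.
function articlePolicyCanView(stdClass $article, int $userId, int $aid, stdClass $access): bool {
    if ((int) $article->access > $aid) {
        return false;
    }
    $state = (int) $article->state;
    if ($state === STATE_PUBLISHED) {
        return true;
    }
    if ($state === STATE_UNPUBLISHED) {
        return $access->canEdit
            || ($access->canEditOwn && (int) $article->created_by === $userId);
    }
    return false; // archived / trashed: not shown on the frontend under this policy
}

// Editing: published articles only by a publisher; unpublished articles by an
// editor or by their own author. A brand-new article (id 0) has no owner or
// state yet, so the form is allowed, exactly as in the hack's first change.
function articlePolicyCanEdit(stdClass $article, int $userId, int $aid, stdClass $access): bool {
    if ((int) $article->id === 0) {
        return true;
    }
    if ((int) $article->access > $aid) {
        return false;
    }
    $state = (int) $article->state;
    if ($state === STATE_PUBLISHED) {
        return $access->canPublish;
    }
    if ($state === STATE_UNPUBLISHED) {
        return $access->canEdit
            || ($access->canEditOwn && (int) $article->created_by === $userId);
    }
    return false;
}

// Constructed scenario (not from the page): article 5 is a published article
// written by user 62 (an administrator); user 91 is an Author who may only
// edit his own articles and is logged in at the Registered level ($aid = 1).
$adminArticle = makeArticle(5, 0, STATE_PUBLISHED, 62);
$ownDraft     = makeArticle(8, 0, STATE_UNPUBLISHED, 91);
$authorAccess = makeAccess(false, true, false);
$guestAccess  = makeAccess(false, false, false);

// This is the request from the first post: layout=form on someone else's
// published article. Under the policy it is denied; in stock 1.5.8 the form
// was shown.
printf("author edits admin's published article: %s\n",
    articlePolicyCanEdit($adminArticle, 91, 1, $authorAccess) ? 'allowed' : 'denied');
printf("author edits own unpublished draft:     %s\n",
    articlePolicyCanEdit($ownDraft, 91, 1, $authorAccess) ? 'allowed' : 'denied');
printf("guest views unpublished draft by link:  %s\n",
    articlePolicyCanView($ownDraft, 0, 0, $guestAccess) ? 'shown' : 'hidden');
printf("author views admin's published article: %s\n",
    articlePolicyCanView($adminArticle, 91, 1, $authorAccess) ? 'shown' : 'hidden');
```

Run it with `php policy.php`; the first line should read "denied" and the last "shown". One caveat worth checking before relying on the view-level hack alone: view.html.php decides only whether the edit form is rendered. A request that posts straight to the component's save task never passes through that view, so whether the controller enforces the same ownership and state rule is a separate question that this thread does not answer and that should be verified on the installation in question.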
- Joomla! Enthusiast
- Posts: 147
- Joined: Fri Mar 21, 2008 9:26 pm
- Location: Bad Schwartau / Lubeck, Germany
Re: Author and above can edit every article
RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with another urgent project right now. I'll report my results here later on.
- RysiuM
- Joomla! Apprentice
- Posts: 42
- Joined: Thu Jan 08, 2009 6:22 am
Re: Author and above can edit every article
doc_flake wrote:
RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with another urgent project right now. I'll report my results here later on.

When you have time you may look at the "whole pack" of related fixes/hacks posted here in the Administrator forum.
- Joomla! Enthusiast
- Posts: 147
- Joined: Fri Mar 21, 2008 9:26 pm
- Location: Bad Schwartau / Lubeck, Germany
Re: Author and above can edit every article
RysiuM, your work is amazing. I applied your well documented hack to my test environment. So far it's running fine and solves all the issues with unauthorized access I had. I'll give it a few more days before transferring it to our live site, just in case ... Thank you very much!!!
Dear developers / bug-squad members,
I would appreciate it if RysiuM's work would find its way into the next patch!
- Joomla! Apprentice
- Posts: 43
- Joined: Thu Dec 22, 2005 2:24 pm
- Location: Mobile, AL
Re: Author and above can edit every article
I have used this hack... after I changed the code, the right side of my main content area stopped working. My edit icon and the right side of my JCE editor's links stop responding. Any ideas why this would happen?
- Joomla! Apprentice
- Posts: 5
- Joined: Tue Aug 18, 2009 9:48 am
Re: Author and above can edit every article
Hello,
I have a similar issue: As soon as I assign a registered user to another noixACL group (multigroups) this user is able to edit every article on my page. So it is impossible for me to have users with viewing rights to certain content and writing rights to other content.
Did I miss something in the configurations or is this a bug?
Thanks!