Bug in ACL to show/hide modules in backend per accesslevel

The support for Joomla 2.5 ended on December 31, 2014. Possible bugs in Joomla 2.5 will not be patched anymore. This forum has been closed. Please update your website to Joomla 3.x

Moderator: ooffick

Forum rules
Please use the official Bug Tracker to report a bug: https://issues.joomla.org
Locked
User avatar
carsten888
Joomla! Ace
Joomla! Ace
Posts: 1200
Joined: Sat Feb 11, 2006 8:32 am
Location: Tilburg, Holland
Contact:

Bug in ACL to show/hide modules in backend per accesslevel

Post by carsten888 » Wed Jul 18, 2012 3:40 pm

In the module manager, each module can be assigned an accesslevel. This can be set to show/hide modules at the frontend. This should also work for backend modules, displaying admin-modules to certain administrator groups/levels. But it has a bug.

If you create a new usergroup, create a new accesslevel for just that group, then open a admin-module (like 'User Status') and assign it to the new accesslevel. It will not display, even if the user is assigned to the correct usergroup (and connected accesslevels). Only when the modules is set to level 'special' the module is displayed.

To reproduce do this:

1. make a copy of usergroup 'Administrator':
Go to 'Users' > 'Groups'
Click 'New'
Enter a group title (example 'administrator2')
Set the group parent to 'manager' (so that the new administrator group inherits the same rights from the manager group)
Click 'Save & Close'.
Go to 'Site' > 'Global Configuration' > tab 'permissions'
Open the group you just created
At 'Access Administration Interface' select 'Allowed'
Click 'Save & Close'

2. create a new accesslevel
Go to 'Users' > 'Access Levels'
Click 'New'
Enter a title (example 'administrator2')
Select the new group you just ceated
Click 'Save & Close'

3. assign module 'User Status' to accesslevel 'administrator2'. It will disappear from the Joomla toolbar.

4. In the user-manager assign yourself (also) to the new usergroup 'administrator2'. Note that the module still does not display.

Easy test to see the difference in calculatated accesslevels:
Create a copy of the administrator-group and create a new level as described above.
file:
libraries/joomla/application/module/helper.php
line:
301

Code: Select all

$groups = implode(',', $user->getAuthorisedViewLevels());
change to

Code: Select all

$groups = implode(',', $user->getAuthorisedViewLevels());
		echo $groups;
		echo '<br />';
		jimport( 'joomla.access.access' );
		$user_id = $user->get('id');
		$groups = implode(',', JAccess::getAuthorisedViewLevels($user_id));
		echo $groups;
save the file and reload any admin page to see this sort of output:
1,1,2,3,4
1,1,2,3,4,5
Note the first method does not include level 5.

Here is the fix:
Joomla version 2.5.6
file:
libraries/joomla/application/module/helper.php
line:
301

Code: Select all

$groups = implode(',', $user->getAuthorisedViewLevels());
change to

Code: Select all

jimport( 'joomla.access.access' );
		$user_id = $user->get('id');
		$groups = implode(',', JAccess::getAuthorisedViewLevels($user_id));
That will include all accesslevels the user is assigned to.
http://www.pages-and-items.com
Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, Access-Manager, Redirect-on-Login, Pages-and-Items, module Admin-Messages, module Logged-in-Users, plugin load module in article, plugin pure css tooltip and more...

User avatar
carsten888
Joomla! Ace
Joomla! Ace
Posts: 1200
Joined: Sat Feb 11, 2006 8:32 am
Location: Tilburg, Holland
Contact:

Re: Bug in ACL to show/hide modules in backend per accesslev

Post by carsten888 » Thu Nov 01, 2012 9:20 am

Access-Manager 1.3.0 is now capable of setting viewing rights for backend modules per usergroup/accesslevel, without hacking into the Joomla core.
http://www.pages-and-items.com
Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, Access-Manager, Redirect-on-Login, Pages-and-Items, module Admin-Messages, module Logged-in-Users, plugin load module in article, plugin pure css tooltip and more...

User avatar
carsten888
Joomla! Ace
Joomla! Ace
Posts: 1200
Joined: Sat Feb 11, 2006 8:32 am
Location: Tilburg, Holland
Contact:

Re: Bug in ACL to show/hide modules in backend per accesslev

Post by carsten888 » Fri Oct 25, 2013 4:50 pm

That will be Access-Manager 2.1.0. Sorry.
http://www.pages-and-items.com
Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, Access-Manager, Redirect-on-Login, Pages-and-Items, module Admin-Messages, module Logged-in-Users, plugin load module in article, plugin pure css tooltip and more...

User avatar
carsten888
Joomla! Ace
Joomla! Ace
Posts: 1200
Joined: Sat Feb 11, 2006 8:32 am
Location: Tilburg, Holland
Contact:

Re: Bug in ACL to show/hide modules in backend per accesslev

Post by carsten888 » Fri Oct 25, 2013 5:09 pm

Fix for Joomla 3

file: libraries/legacy/module/helper.php
line: 309

Code: Select all

$groups = implode(',', $user->getAuthorisedViewLevels());
replace with

Code: Select all

jimport( 'joomla.access.access' );
      $user_id = $user->get('id');
      $groups = implode(',', JAccess::getAuthorisedViewLevels($user_id));
http://www.pages-and-items.com
Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, Access-Manager, Redirect-on-Login, Pages-and-Items, module Admin-Messages, module Logged-in-Users, plugin load module in article, plugin pure css tooltip and more...


Locked

Return to “Joomla! 2.5 Bug Reporting”