Article access not being restricted with direct link


Article access not being restricted with direct link

Post by sh0rtchica » Thu Aug 09, 2012 8:41 pm

I have an article that I've restricted to a certain ACL user group. I have the setting for "display registered links" turned on, so when not logged in, the article title appears but isn't clickable. That's working fine.

However, if I have the direct link for the article and paste that into my browser, it takes me to the full text, even if I'm not logged in. I'm not sure if this is a bug or a misconfigured setting, but it's important that we keep our restricted content invisible (minus the title) to anyone not in the specified user group! I have tried this even using Chrome's incognito mode, suspecting it could still sense me logged in to the back-end, but again I received the full text of the article.

Any help is appreciated!

 

Re: Article access not being restricted with direct link

Post by rcarey » Mon Aug 13, 2012 2:18 am

I'm assuming that the parameter you meant is "Show Unauthorised Links." Right?

Where are the article titles listed? ...within an article? ...within a module that lists the articles from a category? Could you clarify the details a bit more?

BTW, the surest way to prevent someone from viewing an article is to create a new access level that includes only the one group that is to have access to the article. Then set the article (or a category of articles) to that access level. That protects the article from being read. But it also prevents its title from being displayed within a list.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Re: Article access not being restricted with direct link

Post by sh0rtchica » Mon Aug 13, 2012 7:52 pm

Yes, I did mean Show Unauthorised Links!

The articles are listed on a page that we would like to remain open to the public - a category list page.

We did create new groups and access levels for our site, including for these particular pieces of content. However, we want the category itself and the titles to remain visible to the public, which prompts them to join in order to read the content itself. My concern is twofold: that anyone with the direct link can read the content, thus bypassing the need to join, and second, that if the direct link works without needing to register, does that mean search engines can index the article and deliver it in full to anyone as well?


Re: Article access not being restricted with direct link

Post by rcarey » Tue Aug 14, 2012 12:19 am

I just tested this, setting up the ACL as I envision it should be. I had the results you wanted. That is, the category page lists the restricted items in black (with a link to register to read more), and if I (as an unregistered user) try to go directly to the page by pasting in the URL, I get sent to the home page and cannot see the page.

So I suggest you review your ACL settings. If you don't mind my suggesting this, here is what I would check...

The article that requires registering is set to the access level "registered." Then check the settings on that access level to confirm that it does not include "public."

Also... If the access level "registered" includes more groups than "registered," you need to make sure that none of these are set to be the group assigned to guests. The "guest" group is set here: users -> groups -> options (button) -> component (tab) -> GuestUserGroup.

If you don't mind, check these two things and report back.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Re: Article access not being restricted with direct link

Post by sh0rtchica » Wed Aug 15, 2012 6:25 pm

I appreciate your help with this!

I checked the settings for the article itself (though this happens with all of them) - it's set to be accessible to a custom viewing access level we've titled "Members Only."

The "Members Only" group is configured to allow access to four user groups - Two are child groups of Registered, and the other two are Admins & Super-Admins. Neither Registered nor public are among the user groups that we've allowed access to.

I also checked configuration of the guests - I wasn't aware of this setting, but it is configured appropriately and set to Public. I'm not sure what else I should try. We do have CiviCRM installed, which integrates in some way with the Joomla ACL, but I'm not aware that it should cause issues.

I just tested a piece of content from a few years back that was just set to Registered before we upgraded to 1.7 (and then 2.5) and could put users in different groups. Same story - it's set to Registered under the access level, but with a direct link I can view the entire article. I changed the access level to Special, and was still able to view it (even in an incognito Chrome window). I also tried unpublishing it and re-publishing it.

We have been getting around the issue by using the Log-in to Read More plugin, and dropping that into the articles. That way, even with a direct link, they can't read any of the text after the horizontal rule. Is it possible that the plugin is interfering with the ACL? I'm hesitant to uninstall it, because I'm not sure what that will do to the 100s of articles we've used it on.


Re: Article access not being restricted with direct link

Post by rcarey » Wed Aug 15, 2012 7:35 pm

I'm not sure what you are using for the URL that is allowing unauthorized access. The first thing I'd check is whether the core of Joomla is allowing unregistered people to view the article through the default URL. One way to do that is to use this URL but set the id to the id number of an article that should require registration.

```
index.php?option=com_content&view=article&id=2
```

If an anonymous user cannot access the article with these parameters, then the Joomla ACL is set correctly and is working. And if this is so, then the URL that lets people access that same article involves some extension that is bypassing Joomla ACL - it is not supposed to happen that a third-party extension can bypass the built-in ACL.

Anything that integrates with the ACL is a candidate for causing unexpected behavior. They shouldn't, but if they integrate with it, they could. And since you seem to have the ACL set up as you want, the next place I'd look is the extensions that could be interfering.

What I do when I need to significantly test a live site: backup the site with Akeeba, install Joomla in some development or test environment (a subdirectory or a different server), then restore the backup in this test environment. Then test all you want. If you go too deep in changing settings or code, just restore from your baseline copy and resume testing. I think it is good to have a working copy of a site so you can test changes and even extension upgrades before committing them to the production installation.

So if you are sure you have the ACL set right, I'd test the results when CiviCRM is removed and when Login-to-Read-More plugin is removed. That way you will know for sure whether or not one of these is causing the problem.

If you do find the cause, report back here so we all learn from the experience.

I do have one other solution to share. If the article is being shown through a component (or through a module), then you can override the article's view file. In that file you can add some simple code that says if the article's access level is set to the one that is supposed to restrict access, then check the array of groups to which the user belongs. If the user does not belong to an authorized group, don't process the article's content. This should work, but it does require that you enforce these access rules through code - so any future changes of groups or access levels will not change what you coded. If you get to this point, just ask and I'll share some code that should work.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Re: Article access not being restricted with direct link

Post by sh0rtchica » Thu Aug 16, 2012 2:29 pm

I just tested the default Joomla URL as suggested, and it did allow me access. I even tried running it through all of the various ACLs we have established - including special, which we haven't changed - refreshed the page in another browser, and was still able to see it. I'll have to follow your suggestion of copying the site to a test server and playing with it there. It would be a bit ironic if it ends up being the Login to Read More plugin, since that's what we've been using to bypass the issue! Hopefully it's not CiviCRM - that's integral to our business. I'm assuming it's not, though, because I can't imagine we would be the first people to catch such a conflict! What is ironic is that if I do log in to one of the access levels that does not have permission to view the article, I am no longer able to see the full text (only the header). That tells me that ACL is working for logged-in users, but not working for guests. Very strange behavior!


Re: Article access not being restricted with direct link

Post by rcarey » Thu Aug 16, 2012 9:19 pm

The fact that you can access a restricted article when you should not suggests to me two possibilities - a plugin is doing something in the background, or you have something set up wrong in your ACL.

I forgot to mention, but you should buy and install ACL Manager (about $30). It will review the ACL per group and per article to tell you if that group is allowed or denied (based upon the ACL settings). I feel this is an essential tool. If it says the article is denied to the public, then the ACL is set up correctly. If it says the article is accessible to the public, then that means the tool feels your ACL is set up to allow public access. I assume it evaluates the core ACL and not the workings of a third-party tool. So, this quick installation and check could confirm your core ACL settings distinct from the third-party settings. And you can keep using the tool to better manage/configure ACL.

Once you assess things, please post back so we all can learn if one of these extensions is causing the problem.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Re: Article access not being restricted with direct link

Post by davebarrett » Sat Aug 18, 2012 2:42 pm

I have exactly the same problem. I am in the process of upgrading my site, so fortunately this is only on the dev site at the moment, but direct URL access to all articles is possible. I've limited some to a group called "Subscribers", which is a child of "Registered". I've checked through the points raised in this thread, and can't see anything amiss.

As I don't have many extra components, I'll now try disabling them to see if the problem goes away. I'll post back if I find out what the problem is on my site - please do post back if you find the problem on yours!


Re: Article access not being restricted with direct link

Post by davebarrett » Sat Aug 18, 2012 5:05 pm

Well, my investigations haven't found anything... I have pretty much disabled all extensions and enabled full debug. It can be seen from the debug that there are no non-Joomla extensions being hit:

Application 0.002 seconds (+0.002); 0.76 MB (+0.758) - afterLoad
Application 0.112 seconds (+0.110); 4.74 MB (+3.978) - afterInitialise
Application 0.125 seconds (+0.013); 5.14 MB (+0.398) - afterRoute
Application 0.245 seconds (+0.120); 7.91 MB (+2.771) - afterDispatch
Application 0.256 seconds (+0.010); 8.07 MB (+0.168) - beforeRenderModule mod_login (Login Form)
Application 0.265 seconds (+0.010); 8.17 MB (+0.092) - afterRenderModule mod_login (Login Form)
Application 0.266 seconds (+0.000); 8.16 MB (-0.001) - beforeRenderModule mod_breadcrumbs (Breadcrumbs)
Application 0.270 seconds (+0.005); 8.19 MB (+0.021) - afterRenderModule mod_breadcrumbs (Breadcrumbs)
Application 0.271 seconds (+0.000); 8.18 MB (-0.003) - beforeRenderModule mod_menu (Main Menu)
Application 0.296 seconds (+0.025); 8.83 MB (+0.644) - afterRenderModule mod_menu (Main Menu)
Application 0.311 seconds (+0.015); 9.22 MB (+0.394) - afterRender


I also tried changing the template to a standard one to see if that was the issue, but no joy...


Re: Article access not being restricted with direct link

Post by rcarey » Sat Aug 18, 2012 5:24 pm

Dave,

Just to confirm... Are these subscriber-only articles set to an access level that includes only the subscription group(s)?

If not, try this: create an access level called "subscription" and when editing it check only the "subscription" group. Assign an article to that access level, and the article should not be viewable to anyone but those within the "subscription" group.

--Randy
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Re: Article access not being restricted with direct link

Post by davebarrett » Sun Aug 19, 2012 8:21 am

Well, as a test I've installed a new Joomla site with just the sample data. I then created a group/access level the same as I did on my dev site, and then set an article with permissions to only that group. When testing, things are working as expected on the new test site (which has no extensions installed).

So, still not sure what is going on, but I'm pretty sure that I've confirmed that I followed the right process on my main dev site but something is amiss. I will now install the extensions I have on the dev site one by one and continue testing. Hopefully one of them will break the ACL and I'll then know where I need to look.


Re: Article access not being restricted with direct link

Post by davebarrett » Sun Aug 19, 2012 10:54 am

Well, this is even more bizarre...

I've now installed all the extensions I had on my dev site, using the latest versions. I updated a couple of those on the dev site when I noticed there was a later version available. I now have the same extensions on both sites, but the behaviour on each site has not changed. On one, direct URL access is possible, on the other I get the expected "You do not have permission to access this resource".

So now I'm a little stumped. The only other thing I can think of that I did on the broken site is to transfer the userbase from my public site. As the public site is still J1.5, I wrote a script to do this... I wonder if something odd happened here.

Well, my next step is to rebuild the site completely including the migration (which I need to do now anyway due to the Kunena upgrade - I can only upgrade to 2.0 when I put the site live as I need to migrate that data also). I'll be testing for the direct URL access at every step, so hopefully I'll find out what causes it.


Re: Article access not being restricted with direct link

Post by Mushr00m » Wed Mar 27, 2013 1:05 pm

I've exactly the same issue on a J2.5.9, any news?


Re: Article access not being restricted with direct link

Post by Mushr00m » Wed Mar 27, 2013 2:26 pm

So in my case I didn't want the article to be accessible via URL even if 'Show Unauthorised Links' is set to true in the menu link. So to not hack Joomla core I edit the default.php of the article view in my override of com_content and add this at the beginning:

```
// Deny the request when the visitor lacks the article's access level
// and the article has no Read More break (empty fulltext).
if (!in_array($this->item->access, $this->user->getAuthorisedViewLevels()) AND $this->item->fulltext == null){
	JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
	return;
}
```

So if you have a readmore you still "tease" the user and if not it's blocked. If it can help someone else...

EDIT: Still a big problem with Feed view from com_content that never calls any plugin events... so I don't know how to hide this introtext of the restricted articles...


Re: Article access not being restricted with direct link

Post by theteacher999 » Mon Aug 19, 2013 5:39 pm

Was a solution to the OP's post ever found, please? I have exactly the same problem I am trying to solve.

Thanks

;D


Re: Article access not being restricted with direct link

Post by ThePiston » Thu Jan 02, 2014 5:33 pm

Solution? Does an upgrade to 3.X fix this?


Re: Article access not being restricted with direct link

Post by ThePiston » Fri Jan 03, 2014 2:07 pm

Just figured this out - Joomla will show your entire article to anyone if you have "Show unauthorized links" set to yes without any opening text chosen. If you do not have a "Read More" line with something above it, then your entire article will be seen by anyone with a direct link. So, turn off that option unless you intend to put in Read More text in all of your sensitive articles.

I always thought this option was only for article lists and not the entire article.

Maybe this is not an issue in 3.X?
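
The behaviour ThePiston describes above, together with the effect of Mushr00m's template override, as a small Python model for auditing which restricted articles a guest can read in full. This is an added example, not Joomla's code and not code from any poster; the access level id 5, the `PUBLIC_LEVEL` value and the sample articles are constructed assumptions.

```python
# Added example: simplified model of the behaviour reported in this thread.
from dataclasses import dataclass

PUBLIC_LEVEL = 1  # assumption: id of the Public view access level


@dataclass
class Article:
    id: int
    title: str
    access: int      # view access level id assigned to the article
    introtext: str   # text above the Read More break (whole body if no break)
    fulltext: str    # text below the Read More break, empty if there is none


def rendered_body(article, view_levels, is_guest, show_unauthorised,
                  override_guard=False):
    """Body text sent for the direct article URL, or None when none is sent."""
    if article.access in view_levels:
        return (article.introtext + " " + article.fulltext).strip()
    # Mushr00m's override: block unauthorised requests when there is no Read More.
    if override_guard and not article.fulltext:
        return None
    # Reported behaviour: with Show Unauthorised Links on, guests get the intro text.
    if is_guest and show_unauthorised:
        return article.introtext
    return None


def exposed_to_guests(articles, guest_levels=(PUBLIC_LEVEL,),
                      show_unauthorised=True, override_guard=False):
    """Ids of restricted articles whose complete text a guest would receive."""
    exposed = []
    for a in articles:
        if a.access in guest_levels:
            continue  # public by design, nothing to audit
        body = rendered_body(a, guest_levels, True, show_unauthorised,
                             override_guard)
        full = (a.introtext + " " + a.fulltext).strip()
        if body is not None and body.strip() == full:
            exposed.append(a.id)
    return exposed


# Constructed sample rows: one public article, two restricted to level 5.
SAMPLE = [
    Article(1, "Welcome", PUBLIC_LEVEL, "Open to everyone.", ""),
    Article(2, "Member report", 5,
            "Entire confidential report, no Read More break.", ""),
    Article(3, "Member guide", 5, "Short teaser.", "Members-only detail."),
]

if __name__ == "__main__":
    print("exposed with option on:", exposed_to_guests(SAMPLE))
    print("exposed with option off:",
          exposed_to_guests(SAMPLE, show_unauthorised=False))
    print("exposed with override guard:",
          exposed_to_guests(SAMPLE, override_guard=True))
```
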
