bug in 2.5 ACL: articles displays while no access [+fix]

carsten888
Joomla! Ace
Posts: 1224
Joined: Sat Feb 11, 2006 8:32 am

Post by carsten888 » Tue Jan 24, 2012 10:26 am

(I just posted this on the bug-tracker, but I cannot see it, even though it said the submission was successful)
[edit]found it: http://joomlacode.org/gf/project/joomla ... m_id=27819[/edit]

Articles are displayed even though the user has no access to the category the article is assigned to.

Now before replying 'that is not a bug, it is a feature', please note that in other parts of the core this behaviour is different. For example in the search plugin 'content' the articles are checked both for article access and category access. Also in the article model the check is done for both.

This bug is in the 2.5 RC1, and 2.5 is supposed to be released today! :eek:
But the same thing is in Joomla 1.7 and 1.6. So I am flabbergasted no one has ever noticed this :eek:

HERE IS THE FIX:
file: components/com_content/models/articles.php
line: 246 (joomla 2.6) 244 (joomla 1.7 and joomla 1.6)

Code:

$query->where('a.access IN ('.$groups.')');

replace with:

Code:

$query->where('a.access IN ('.$groups.')');
$query->where('c.access IN ('.$groups.')');

HERE IS HOW TO TEST COMPARE WITH THE SEARCH PLUGIN 'CONTENT':
On a default install open the homepage. Note the article 'beginners' is shown. Then in the category-manager open category 'joomla' (which is the category the article is assigned to). Set category 'joomla' access level to 'registered'. Refresh the search page. The article is no longer in the search results. Then go to the frontpage, the article is still displayed there. So the content plugin is not displaying the restricted article, but the frontpage still is.

HERE IS HOW TO TEST COMPARE WITH THE ARTICLE MODEL:
On a default install open the homepage. Note the article 'beginners' is shown. Then in the category-manager open category 'joomla' (which is the category the article is assigned to). Set category 'joomla' access level to 'registered'. Refresh the frontpage. The article is still displayed. Then click to open the article and you get 'You are not authorised to view this resource.'
Last edited by carsten888 on Tue Jan 24, 2012 10:37 am, edited 2 times in total.
http://www.pages-and-items.com my extensions:
User-Private-Page, Redirect-on-Login, Admin-Help-Pages, Dynamic-Menu-Links, Admin-Menu-Manager, plugin load module in article, plugin pure css tooltip and more...
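
Added example, not part of the original post or Joomla's own code: the listing filter before and after the fix in the post above, run in SQLite against a constructed, simplified stand-in for the content and categories tables. The table layout, sample rows and access level ids (1 = Public, 2 = Registered) are assumptions, and the query uses bound parameters instead of string concatenation.

```python
import sqlite3

# Constructed, simplified stand-ins for Joomla's content and categories
# tables; only the columns the access check needs. Assumed access
# levels: 1 = Public, 2 = Registered.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT, access INTEGER);
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, catid INTEGER, access INTEGER);
        INSERT INTO categories VALUES (1, 'joomla', 2), (2, 'news', 1);
        INSERT INTO content VALUES
            (1, 'beginners', 1, 1),  -- public article, registered-only category
            (2, 'welcome',   2, 1),  -- public article, public category
            (3, 'members',   2, 2);  -- registered-only article, public category
    """)
    return db

def list_articles(db, groups, check_category):
    """Return the titles listed for a user whose view levels are `groups`."""
    marks = ",".join("?" * len(groups))
    sql = ("SELECT a.title FROM content AS a "
           "LEFT JOIN categories AS c ON c.id = a.catid "
           f"WHERE a.access IN ({marks})")
    params = list(groups)
    if check_category:
        # The extra condition from the fix: the category must be viewable too.
        sql += f" AND c.access IN ({marks})"
        params += list(groups)
    sql += " ORDER BY a.id"
    return [row[0] for row in db.execute(sql, params)]

def leaked(db, groups):
    """Titles the article-only filter lists but the combined filter hides."""
    before = list_articles(db, groups, check_category=False)
    after = list_articles(db, groups, check_category=True)
    return [title for title in before if title not in after]

if __name__ == "__main__":
    db = build_db()
    guest, registered = [1], [1, 2]
    print("guest, article check only:", list_articles(db, guest, False))
    print("guest, article + category:", list_articles(db, guest, True))
    print("leaked to guest:", leaked(db, guest))
    print("leaked to registered:", leaked(db, registered))
```

The `leaked()` comparison can serve as a regression check: for every set of view levels it should return only articles whose category the user is not allowed to see.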


Re: bug in 2.5 ACL: articles displays while no access [+fix]

Post by carsten888 » Tue Jan 24, 2012 10:32 am


strgg
Joomla! Apprentice
Posts: 12
Joined: Fri Jun 26, 2009 7:33 pm

Re: bug in 2.5 ACL: articles displays while no access [+fix]

Post by strgg » Tue Jan 24, 2012 3:09 pm

Thank you Carsten, have been digging around. Never thought of it being a bug.

