Naming constraints in ACL Infrastructure and Possible Bug


Post by jm_joomla » Wed Jul 11, 2018 10:24 am

Hi,

I am using Joomla 3.8.1.

I was looking into the source code for the Joomla ACL infrastructure to try and explore any constraint on the naming of elements. I was particularly interested in whether the name of the object-level section in the access.xml file should be the same as the second-level asset name in the database assets table. For example, if the object-level section name were "obj" would it only be correct to have database asset names of "<component>.obj <id>" or do you have complete freedom to make a different choice of the second-level part of the name?

This led me to look at the source code for JHelperContent::getActions, which I supposed was in the file libraries/src/Helper/ContentHelper.php. This appears to be used in both the "list" view.html.php and the "object" view.html.php file (with different arguments) in the Joomla: Developing an MVC Component Tutorial. It is used to get the "exhaustive" list of actions and their respective permissions for the logged-in user.

In the "list" view.html.php, it is called just with the component ("com_helloworld", in this case) whereas, in the object-level version, it is called with component, "section" and id ("com_helloworld", "helloworld", 5 ).

Looking in the aforementioned source code, I find that getActions forms the assetName for the database by concatenating the component, the section and the id. It then tries to get the "complete" list of actions, relevant to the component, by calling Access::getActionsFromFile with a filepath to access.xml and an XMLpath of

'/access/section[@name="component"]/'

To me, this XMLpath means that this function only ever consults actions that belong to the section="component" part of the access.xml file. This seems fine for the "list" view.html.php file (e.g. views/helloworlds/view.html.php), where you don't yet have an id, but I am not so clear as to whether it is the correct procedure for the "object" view.html.php file (e.g. views/helloworld/view.html.php). It appears to ignore any actions present in the object part of that file but not in the component section. Typically, this might include "edit-own", which can only be applied at the object level, when the author of the object can be found.

I wonder whether more experienced Joomla users would regard this as a bug.

Please advise (or let me know what the intended logic/usage was).

John,
Abingdon.


Post by jm_joomla » Wed Jul 11, 2018 2:43 pm

I should have finished my initial posting below by saying that you can get inconsistent results, depending on whether you use the JHelperContent::getActions to get an "overall" list of actions from access.xml (actually only those actions mentioned in the <section name="component">) or query the permissions for an explicitly given action with $user->authorise. I don't believe that the second method makes any reference to access.xml so you can give actions which would not have appeared from JHelperContent::getActions.

This inconsistency appears for the delinquent actions that I mentioned before, which do not appear in the <section name="component"> of access.xml but do appear in the object-level section.

John,
Abingdon, UK.
jm_joomla wrote:

Hi,

I am using Joomla 3.8.1.

I was looking into the source code for the Joomla ACL infrastructure to try and explore any constraint on the naming of elements. I was particularly interested in whether the name of the object-level section in the access.xml file should be the same as the second-level asset name in the database assets table. For example, if the object-level section name were "obj" would it only be correct to have database asset names of "<component>.obj <id>" or do you have complete freedom to make a different choice of the second-level part of the name?

This led me to look at the source code for JHelperContent::getActions, which I supposed was in the file libraries/src/Helper/ContentHelper.php. This appears to be used in both the "list" view.html.php and the "object" view.html.php file (with different arguments) in the Joomla: Developing an MVC Component Tutorial. It is used to get the "exhaustive" list of actions and their respective permissions for the logged-in user.

In the "list" view.html.php, it is called just with the component ("com_helloworld", in this case) whereas, in the object-level version, it is called with component, "section" and id ("com_helloworld", "helloworld", 5 ).

Looking in the aforementioned source code, I find that getActions forms the assetName for the database by concatenating the component, the section and the id. It then tries to get the "complete" list of actions, relevant to the component, by calling Access::getActionsFromFile with a filepath to access.xml and an XMLpath of

'/access/section[@name="component"]/'

To me, this XMLpath means that this function only ever consults actions that belong to the section="component" part of the access.xml file. This seems fine for the "list" view.html.php file (e.g. views/helloworlds/view.html.php), where you don't yet have an id, but I am not so clear as to whether it is the correct procedure for the "object" view.html.php file (e.g. views/helloworld/view.html.php). It appears to ignore any actions present in the object part of that file but not in the component section. Typically, this might include "edit-own", which can only be applied at the object level, when the author of the object can be found.

I wonder whether more experienced Joomla users would regard this as a bug.

Please advise (or let me know what the intended logic/usage was).

John,
Abingdon.
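
The gap described in the two posts above, as an added example (not code from Joomla or from the posts): it parses a constructed access.xml and reports which actions are declared only in an object-level section, and so would never be listed by a lookup restricted to section[@name="component"]. The sample file contents and the function names actionNames and actionsMissedByComponentLookup are assumptions made for illustration.

```php
<?php
// Constructed sample access.xml (not from a real component): "core.edit.own"
// is declared only in the object-level section, as in the scenario above.
$accessXml = <<<'XML'
<?xml version="1.0" encoding="utf-8"?>
<access component="com_helloworld">
    <section name="component">
        <action name="core.admin" title="JACTION_ADMIN" />
        <action name="core.create" title="JACTION_CREATE" />
        <action name="core.edit" title="JACTION_EDIT" />
        <action name="core.delete" title="JACTION_DELETE" />
    </section>
    <section name="helloworld">
        <action name="core.edit" title="JACTION_EDIT" />
        <action name="core.delete" title="JACTION_DELETE" />
        <action name="core.edit.own" title="JACTION_EDITOWN" />
    </section>
</access>
XML;

/** Hypothetical helper: the action names declared directly in one <section>. */
function actionNames(SimpleXMLElement $section): array
{
    $names = [];
    foreach ($section->action as $action) {
        $names[] = (string) $action['name'];
    }
    return $names;
}

/** Hypothetical audit: object-level actions that a component-only lookup never lists. */
function actionsMissedByComponentLookup(string $accessXml): array
{
    $xml = simplexml_load_string($accessXml);
    if ($xml === false) {
        throw new RuntimeException('access.xml is not well-formed');
    }
    // The only section selected by the XPath quoted in the post.
    $component = [];
    foreach ($xml->xpath('/access/section[@name="component"]') as $section) {
        $component = array_merge($component, actionNames($section));
    }
    $missed = [];
    foreach ($xml->xpath('/access/section[@name!="component"]') as $section) {
        $extra = array_values(array_diff(actionNames($section), $component));
        if ($extra !== []) {
            $missed[(string) $section['name']] = $extra;
        }
    }
    return $missed;
}

print_r(actionsMissedByComponentLookup($accessXml));
```

Any action this audit reports is absent from a component-only listing, so a view that relies on that listing has to check it explicitly, for instance with the $user->authorise call mentioned in the post.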


Post by AMurray » Wed Jul 11, 2018 9:20 pm

Sorry, can't help with the question but first things first, you ought to update Joomla to 3.8.10 (3.8.1 is out of date).
Regards,
A Murray


Post by jm_joomla » Thu Jul 12, 2018 8:03 am

Hi AMurray,

Thanks for the general guidance.

Before posting this article, I did check forward to the code for Joomla 3.8.10 to satisfy myself that the code concerned had not changed. This means that, if the basis of the posting is judged to be well-founded, then it will also be true for the latest version.

John.

