Too limited template access Topic is solved

Ch3vr0n
Joomla! Explorer
Posts: 428
Joined: Sat Sep 26, 2009 11:00 pm
Location: Belgium

Too limited template access

Post by Ch3vr0n » Wed Jun 17, 2020 4:46 pm

I need to grant a developer access to the template section and only there. To that end I've set up a new account (with matching access group), which is a subgroup of the managers.

Access is restricted to everything BUT "templates"; the problem, however, is that the account, when logged in, can only see the description tab when clicking on Extensions > Templates > <template name> details & files.

When "upgrading" to Superusers the files tabs properly appear, but I don't wanna give access to extensions and settings they don't need to. Can't seem to figure out which option I also need to grant access to, to make those tabs appear.

Extended ACL managing is available via PWT ACL extension

Webdongle
Joomla! Master
Posts: 39469
Joined: Sat Apr 05, 2008 9:58 pm

Re: Too limited template access

Post by Webdongle » Wed Jun 17, 2020 7:47 pm

Firstly ... Set the new user group with 'Registered' as Parent
Secondly ... In global config >>> permission Only change permission for admin login to Allow
Leave everything else Inherited!!!

In Extensions >>> Templates >>> Options ... set Access Administration Interface, Create and Edit Own to Allow.

In Users >>> Access levels >>> Special ... select the user group

Permissions are inherited downwards. 'Allow' can be changed further down the tree but 'Deny' can not.

So if you deny all admin menu items except one then you need to change a lot of 'Deny' to allow access to another admin menu item. But if you leave Access Administration Interface Inherited Not Allowed ... then you just need to change one Permission in the admin menu item.


But
In Users >>> Access levels >>> Special ... select the user group
Is causing your direct problem for now.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein.


Re: Too limited template access

Post by Ch3vr0n » Wed Jun 17, 2020 8:25 pm

Why registered and not manager? Manager has all those things listed under 'firstly' by default, no?


Re: Too limited template access

Post by Webdongle » Wed Jun 17, 2020 11:21 pm

Ch3vr0n wrote:
Wed Jun 17, 2020 8:25 pm
Why registered and not manager? Manager has all those things listed under 'firstly' by default, no?
Because 'Manager' user group has those Permissions for All Components. That means you would need to deny them for every component you don't want them for and any that you install in the future.

By selecting 'Registered' as parent (and only changing Admin login to Allow) you only need to give the other Permissions in the component because the Permissions for other Components will inherit 'Not Allowed'.

Think security bunker ... the further down the levels you go the more security clearance you need. So starting with 'Registered' as parent only admittance to the building is allowed. By Allowing Admin login you go down to the Admin level but do not have Access to the doors. By allowing 'Access Administration Interface' in the Template Permissions you are Allowing entry to only the Templates nothing Else.

btw
The Admin menu module is set to 'Special' Access/View Level ...
that's why the user group has to be selected in Users >>> Access levels >>> Special.
So Users in that Group can see (menu items in) that menu when they are Allowed 'Access Administration Interface' (Permission) to any of those Items.
N.B. setting 'Manager' as Parent Allows Edit etc.(Permission) to all the admin menu items.

That is best that I can explain it without standing over your shoulder and telling you 'why' every single step.
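The inheritance rule from the two posts above (permissions inherit downwards, a 'Deny' cannot be changed further down, and why 'Registered' rather than 'Manager' is the safer parent), as an added example that is not part of the thread and is not Joomla's own code. It is a simplified model: the group names TplViaManager and TplViaRegistered, the com_future placeholder for a component installed later, and the Manager settings shown are constructed for illustration.

```python
# Simplified model of the rule described in the thread; not Joomla's code.
ALLOW, DENY = True, False

# Constructed group tree (child -> parent); the two Tpl* groups are hypothetical.
GROUP_PARENT = {"Public": None, "Registered": "Public", "Manager": "Public",
                "TplViaManager": "Manager", "TplViaRegistered": "Registered"}
# Constructed asset tree: every component inherits from the global configuration.
ASSET_PARENT = {"global": None, "com_templates": "global",
                "com_content": "global", "com_future": "global"}

# Explicit settings only; anything absent means "Inherited".
RULES = {
    "global": {
        "core.login.admin": {"Manager": ALLOW, "TplViaRegistered": ALLOW},
        "core.create": {"Manager": ALLOW},
        "core.edit": {"Manager": ALLOW},
    },
    "com_templates": {
        "core.manage": {"TplViaManager": ALLOW, "TplViaRegistered": ALLOW},
        "core.create": {"TplViaRegistered": ALLOW},
        "core.edit": {"TplViaRegistered": ALLOW},
    },
}
# A Deny set globally that a component-level Allow tries to overturn.
STICKY = {"global": {"core.edit": {"TplViaRegistered": DENY}},
          "com_templates": {"core.edit": {"TplViaRegistered": ALLOW}}}

def chain(node, parents):
    # The node itself followed by all of its ancestors.
    out = []
    while node is not None:
        out.append(node)
        node = parents[node]
    return out

def check(group, action, asset, rules=RULES):
    """Any explicit Deny on the path wins; otherwise any Allow grants;
    otherwise the result is 'Not Allowed (Inherited)'."""
    settings = [rules.get(a, {}).get(action, {}).get(g)
                for a in chain(asset, ASSET_PARENT)
                for g in chain(group, GROUP_PARENT)]
    if DENY in settings:
        return False
    return ALLOW in settings

def editable_components(group, rules=RULES):
    """Components in which the group ends up with core.edit."""
    names = [a for a in ASSET_PARENT if a != "global"]
    return sorted(a for a in names if check(group, "core.edit", a, rules))
```

With 'Manager' as parent the group inherits edit rights in every component, including one added later; with 'Registered' as parent the only grant is the one made explicitly in com_templates.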


Re: Too limited template access

Post by Ch3vr0n » Thu Jun 18, 2020 10:04 am

Thanks for the info, I'll try it this evening and report back


Re: Too limited template access

Post by Ch3vr0n » Thu Jun 18, 2020 4:13 pm

No success

Global config - <usergroup> - Admin login > allowed

Templates - Options - Permission - <usergroup> > Access admin: allowed, create: allowed, remove: not allowed (inherited), Edit: allowed, edit state: not allowed (inherited) <== there is no "edit own" here unless I'm in the wrong place /administrator/index.php?option=com_config&view=component&component=com_templates

users - access levels - Special: <usergroup> ticked

user assigned to that new <usergroup> still only sees the tab "Template description" when clicking on Extensions > Templates > Templates > <templatename> details and files

Don't think I missed anything


Re: Too limited template access

Post by Webdongle » Thu Jun 18, 2020 4:55 pm

Well I have just tested and it works when done correctly. Best guess is that instead of creating a new user group you tried modifying the first user group that you created and missed to revert something. Is it a commercial or non commercial site?

Re: Too limited template access

Post by Ch3vr0n » Thu Jun 18, 2020 5:05 pm

Site is still under development. I simply moved the parent group then did what you told me. I'll remove it and try again. Any chance you could perhaps make a small video (with Camtasia or something)? That would certainly make it easy to follow along.


Re: Too limited template access

Post by Webdongle » Thu Jun 18, 2020 8:24 pm

template 01.JPG
template 02.JPG
template 03.JPG
template 04.JPG
template 05.JPG

Re: Too limited template access

Post by Webdongle » Thu Jun 18, 2020 8:25 pm

Then logged in as Templateuser
template 06.JPG

Re: Too limited template access

Post by Ch3vr0n » Fri Jun 19, 2020 4:02 pm

Accessing the templates section isn't the problem. Never was, you're misunderstanding me :)

Now click on one of those templates' <templatename> details and files you see. You should only see the tab "Template description", unlike when you log in as super user, where you have the tab "Text editor" with folders underneath, and a tab "create overrides". Without those, they can't access the template files themselves. Unless I give them FTP access.

Re: Too limited template access

Post by Webdongle » Fri Jun 19, 2020 5:08 pm

Ah that screen. That is a security issue. When editing is allowed in that screen malicious code can be added to the Template. To prevent that only Super User group is allowed to edit in there.

The logic is if you trust someone enough to have that much control over your site then you are giving them the same powers as a Super user. Because code can be added to the Template then anyone editing in that screen can give themselves full control over your server. Thus they could do anything they wanted on your server including adding new files and editing your database.

Re: Too limited template access

Post by Ch3vr0n » Fri Jun 19, 2020 5:11 pm

Ah ok, that explains it. Guess I'll have to see if I can figure out a "limited" superuser. So even if they did (which I doubt based on personal experience with them), I just restore an Akeeba Backup backup :)


Re: Too limited template access

Post by Webdongle » Fri Jun 19, 2020 5:35 pm

No good restoring a backup if you have been hacked. The original hack (and those added after) would be in the backup long before you notice you have been hacked.

Lots of people like to mess with code because they think it's 'clever'. Once your site has been compromised it is not long before it is listed in a hack forum. All the details are posted on that forum and everyone and their dog use the info to put their own hacks on the server. The hackers don't have to be clever they just have to use the instructions to upload the scripts they copy from others.

Re: Too limited template access

Post by Ch3vr0n » Fri Jun 19, 2020 5:55 pm

That won't be a problem, before they're granted access I'll download a backup. Get them to do what they need to do and give me step by step instructions. If I can't replicate it then off-site, I'm restoring my offline backup before they had access.

Might not even grant them at all and go another route. Thanks for the info!


Re: Too limited template access

Post by Webdongle » Fri Jun 19, 2020 6:24 pm

Make a copy of the Template, send them the copy. They edit, you put it on the site. Otherwise they give you the instructions and you do it.

Re: Too limited template access

Post by Ch3vr0n » Fri Jun 19, 2020 6:31 pm

That's the current plan! Way too risky to give SU access


Re: Too limited template access

Post by Webdongle » Fri Jun 19, 2020 9:53 pm

Because with SU access they can upload anything to the server and gain total control