Author and above can edit every article

neologyc
Joomla! Apprentice
Posts: 8
Joined: Sun Aug 17, 2008 10:33 am

Author and above can edit every article

Post by neologyc » Mon Jan 05, 2009 10:17 pm

Hello,
today I found a terrible mistake in Joomla 1.5.8.

If you are registered as an author or above and signed in at the Joomla website (frontend), you can edit every article, including the articles written by another user, including the administrator's, by adding the parameter '&layout=form' at the end of the link which points to the article.
example: http://localhost/test_joomla/index.php? ... ayout=form
There is a form for editing the actual article, and if you save the edited article, it is online. So I think it's a problem.

I tried it now in a new installation of J1.5.8.

Can you please help me to resolve this?
dallen
Joomla! Enthusiast
Posts: 135
Joined: Fri Oct 12, 2007 12:52 am

Re: Author and above can edit every article

Post by dallen » Tue Jan 06, 2009 12:51 am

Joomla 1.6 is supposed to address the issue of being able to edit other users' articles. A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for (hasn't been a big issue for us). There is an extension that is supposed to add this which you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.

doc_flake
Joomla! Enthusiast
Posts: 147
Joined: Fri Mar 21, 2008 9:26 pm
Location: Bad Schwartau / Lubeck, Germany

Re: Author and above can edit every article

Post by doc_flake » Tue Jan 06, 2009 5:47 pm

dallen wrote: A search on the Joomla main site should be able to give you more information, but this is something that we've been waiting a few years for (hasn't been a big issue for us). There is an extension that is supposed to add this which you might want to check for, but I've never tried it and I'm not even sure it works with Joomla 1.5.
I don't doubt that this hasn't been an issue for many users. But our site relies on the fact that articles have to be proof-read by a publisher prior to release. So it's quite a big issue for us and I may not be able to wait a few more years (!) before it's fixed.
Dallen, do you have some more information concerning that extension by chance? I did a search but have not been lucky so far.

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Author and above can edit every article

Post by RysiuM » Sat Jan 10, 2009 1:57 am

Actually, using the article link in the browser any user can access any article (at least for reading) at his security level, regardless of whether the article has been published or not. Just type in the link to any valid article and you will get one of the possible responses:

- If the article's security level is lower than or equal to the user's security level, it will be displayed regardless of the article state (published or not)
- If the article's security level is higher than the user's security level, then either a login screen will appear (for guests) or a message screen will appear that the article does not exist (for logged-in users).

I hope adding some code to components\com_content\views\article\view.html.php (function display) will plug this hole.

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Author and above can edit every article

Post by RysiuM » Sat Jan 10, 2009 7:17 am

RysiuM wrote: I hope adding some code to components\com_content\views\article\view.html.php (function display) will plug this hole.
I think I plugged this hole (view by typing the article link and edit by adding &layout=form).

The logic is not so simple, and in my solution I changed the authority of Author, so he can edit only his own unpublished articles, and Editor can edit only unpublished articles (published articles can be edited only by Publisher). I have this logic because it fits better with the publishing lifecycle.

OK, here are the changes I made to components\com_content\views\article\view.html.php

Line 48: go straight to _displayForm without validation only for new articles.

Code:

    // Fix RMA: display the form without checking for new articles only
    // *** Deleted line:
    //  if($this->getLayout() == 'form') {
    // *** Inserted line:
    if (($this->getLayout() == 'form') && ($article->id == 0)) {
Line 80 (after the change above): do the access check for editing (layout=form), then a separate check for viewing. The following code replaces the line:
if ($article->access <= $aid) {

Code:

    // Fix RMA: elaborate authorities for viewing and editing articles:
    //   the user's access level must be at least the article's access level,
    //   and:
    //     a published article can be viewed by anyone; only a Publisher can edit published articles,
    //     or the user must be Editor or above to view or edit unpublished articles,
    //     or an Author can view and edit his own unpublished articles.
    // *** Deleted line:
    //  if ($article->access <= $aid) {
    //
    // *** Inserted lines:
    // Fix RMA: checking authority for editing (layout=form)
    if ($this->getLayout() == 'form')
    {
        if ($article->access <= $aid
            && (($article->state == 1 && $access->canPublish)
                || ($article->state == 0 && $access->canEdit)
                || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id'))))
        {
            $this->_displayForm($tpl);
            return;
        } else {
            JError::raiseWarning(403, JText::_('ALERTNOTAUTH'));
            return;
        }
    }

    // Fix RMA: checking authority for viewing
    if ($article->access <= $aid
        && ($article->state == 1
            || ($article->state == 0 && $access->canEdit)
            || ($article->state == 0 && $access->canEditOwn && $article->created_by == $user->get('id')))) {
    // *** End of inserted lines

I'm sure this can be written better, but it works, and I wanted to share the logic I came up with.
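The two rules RysiuM describes above (who may view an unpublished article, and who may open the edit form for an existing one) are easier to reason about as pure functions that can be exercised outside the Joomla request cycle. The following is an added example written for this thread; it is not Joomla core and not RysiuM's patch. The field names ($access->canEdit, canEditOwn, canPublish, $aid, $article->state/access/created_by) mirror the variables used in the Joomla 1.5 com_content article view, but the objects here are plain stdClass stand-ins with constructed values, not real JUser or JTable instances.

```php
<?php
// Added example (not Joomla core, not RysiuM's patch): the view/edit
// authorization rule from the thread as two pure functions, checked
// against constructed fixtures. $access/$article are stdClass stand-ins.

const STATE_UNPUBLISHED = 0;
const STATE_PUBLISHED   = 1;

// Can this user open the article for reading?
function canViewArticle(stdClass $article, stdClass $access, int $aid, int $userId): bool
{
    if ($article->access > $aid) {
        return false;                      // access-level gate applies to everyone
    }
    if ($article->state == STATE_PUBLISHED) {
        return true;                       // published: anyone at that level
    }
    if ($article->state == STATE_UNPUBLISHED) {
        return $access->canEdit            // Editor and above see all drafts
            || ($access->canEditOwn && $article->created_by == $userId); // Author: own drafts only
    }
    return false;                          // archived / trashed: not handled here
}

// Can this user open the edit form (layout=form) for an existing article?
function canEditArticle(stdClass $article, stdClass $access, int $aid, int $userId): bool
{
    if ($article->access > $aid) {
        return false;
    }
    if ($article->state == STATE_PUBLISHED) {
        return (bool) $access->canPublish; // only a Publisher touches live content
    }
    if ($article->state == STATE_UNPUBLISHED) {
        return $access->canEdit
            || ($access->canEditOwn && $article->created_by == $userId);
    }
    return false;
}

function makeArticle(int $state, int $accessLevel, int $createdBy): stdClass
{
    $a = new stdClass();
    $a->state = $state; $a->access = $accessLevel; $a->created_by = $createdBy;
    return $a;
}

function makeAccess(bool $canEditOwn, bool $canEdit, bool $canPublish): stdClass
{
    $x = new stdClass();
    $x->canEditOwn = $canEditOwn; $x->canEdit = $canEdit; $x->canPublish = $canPublish;
    return $x;
}

// Constructed fixtures: author (id 10), editor (id 20), publisher (id 30),
// all at access level 1 ("Registered"); one draft sits at level 2 ("Special").
$author    = makeAccess(true,  false, false);
$editor    = makeAccess(true,  true,  false);
$publisher = makeAccess(true,  true,  true);

$ownDraft     = makeArticle(STATE_UNPUBLISHED, 1, 10);
$othersDraft  = makeArticle(STATE_UNPUBLISHED, 1, 20);
$liveArticle  = makeArticle(STATE_PUBLISHED,   1, 20);
$specialDraft = makeArticle(STATE_UNPUBLISHED, 2, 10);

$checks = [
    'author edits own draft'         => canEditArticle($ownDraft,     $author,    1, 10) === true,
    'author cannot edit other draft' => canEditArticle($othersDraft,  $author,    1, 10) === false,
    'author cannot edit published'   => canEditArticle($liveArticle,  $author,    1, 10) === false,
    'editor edits any draft'         => canEditArticle($othersDraft,  $editor,    1, 20) === true,
    'editor cannot edit published'   => canEditArticle($liveArticle,  $editor,    1, 20) === false,
    'publisher edits published'      => canEditArticle($liveArticle,  $publisher, 1, 30) === true,
    'author views own draft'         => canViewArticle($ownDraft,     $author,    1, 10) === true,
    'author cannot view other draft' => canViewArticle($othersDraft,  $author,    1, 10) === false,
    'access level gate on drafts'    => canViewArticle($specialDraft, $author,    1, 10) === false,
];

foreach ($checks as $name => $ok) {
    echo ($ok ? 'PASS' : 'FAIL'), ': ', $name, PHP_EOL;
}
```

Run with `php example.php`; every line should print PASS. The point of keeping the decision in one place is that the original bug came from the `layout=form` branch bypassing the access check entirely, so both the view path and the edit path should call the same gate before any template is rendered.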

doc_flake
Joomla! Enthusiast
Posts: 147
Joined: Fri Mar 21, 2008 9:26 pm
Location: Bad Schwartau / Lubeck, Germany

Re: Author and above can edit every article

Post by doc_flake » Thu Jan 15, 2009 3:52 pm

RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with another urgent project right now. I'll report my results here later on.

RysiuM
Joomla! Apprentice
Posts: 42
Joined: Thu Jan 08, 2009 6:22 am

Re: Author and above can edit every article

Post by RysiuM » Thu Jan 15, 2009 4:23 pm

doc_flake wrote: RysiuM, thank you for your input. I'll be happy to try out your solution but that'll take some time as I'm up to my ears involved with another urgent project right now. I'll report my results here later on.
When you have time, you may look at the "whole pack" of related fixes/hacks posted here in the Administrator forum.

doc_flake
Joomla! Enthusiast
Posts: 147
Joined: Fri Mar 21, 2008 9:26 pm
Location: Bad Schwartau / Lubeck, Germany

Re: Author and above can edit every article

Post by doc_flake » Tue Jan 20, 2009 10:33 pm

RysiuM, your work is amazing. I applied your well documented hack to my test environment. So far it's running fine and solves all the issues with unauthorized access I had. I'll give it a few more days before transferring it to our live site, just in case ... Thank you very much!!!

Dear developers / bug-squad members,
I would appreciate it if RysiuM's work would find its way into the next patch!

timcoweb
Joomla! Apprentice
Posts: 43
Joined: Thu Dec 22, 2005 2:24 pm
Location: Mobile, AL

Re: Author and above can edit every article

Post by timcoweb » Thu Sep 03, 2009 8:21 pm

I have used this hack... after I changed the code, the right side of my main content area stopped working. My edit icon and the right side of my JCE editor's links stop responding. Any ideas why this would happen?

stefan4970
Joomla! Apprentice
Posts: 5
Joined: Tue Aug 18, 2009 9:48 am

Re: Author and above can edit every article

Post by stefan4970 » Wed Oct 14, 2009 2:32 am

Hello,

I have a similar issue: as soon as I assign a registered user to another noixACL group (multigroups), this user is able to edit every article on my page. So it is impossible for me to have users with viewing rights to certain content and writing rights to other content.

Did I miss something in the configurations or is this a bug?

Thanks!
