joomla / joomla-cms

Home of the Joomla! Content Management System
https://www.joomla.org
GNU General Public License v2.0

[5.0] functions allowAdd is looking for filter_category_id that does not exist anymore. #43217

Open peter1szalatnay opened 3 months ago

peter1szalatnay commented 3 months ago

Steps to reproduce the issue

Noticed when filtering on category in the articles view and clicking Add on a category where users should not have permission to create an article: they can still do it.

In Joomla 3 the hathor template had all the filter fields hard coded in the template files with filter_category_id, but Joomla 5 is using the filter_articles.xml and the filter name has changed from filter_category_id to category_id.

A quick search in the source for filter_category_id shows Banners, Articles and Newsfeeds are affected by the same issue.

  1. Create a category and remove create permission from test user
  2. In Articles view filter on previously created category
  3. Create an Article

Expected result

User should not be able to create an article from a filtered category where they do not have create access.

Actual result

User can create an article in the articles view when category filter is enabled.

System information (as much as possible)

Joomla 5.0

Additional comments

There is more legacy filter code left in the article model from the hathor template. All the filters in populateState are not required anymore as there is new code in ListModel to take care of it.

brianteeman commented 3 months ago

I am unable to replicate this. What am I missing?

I created a category (cat1). I set the create permissions for manager to deny. I created a user (testing) with the level manager so that this user does not have create permission for the category (cat1). I logged in as that user (testing).

I created a new article and the category select does not show cat1, so I cannot save in cat1.

I display the list of articles and filter by the forbidden category (cat1). I click new article and the article edit opens with the category preselected as cat1. I try to save the article - save not permitted.

peter1szalatnay commented 3 months ago

It should already fail when you try to add the article, and not allow the edit view.

https://github.com/joomla/joomla-cms/blob/be506c0a331698a2119a6baf4e23b9d339afe93a/administrator/components/com_content/src/Controller/ArticleController.php#L143

Just remove legacy hathor way of doing things, and move to how it should work.

brianteeman commented 3 months ago

You stated that you can create an article in a category where you do not have permission to do so. I cannot replicate that. I'm not going to waste my time any further.

Flowman commented 2 months ago

@brianteeman always a pleasure to deal with you.

Looks like @Hackwar removed the legacy filter https://github.com/joomla/joomla-cms/pull/43230

@Hackwar maybe you can add 2 lines of code to fix this issue

```php
use Joomla\Utilities\ArrayHelper;

// Read the Joomla 5 filter form (filter[category_id][] is a multi-select, so it is an array)
// instead of the removed flat filter_category_id request variable.
$filters = $this->input->get('filter', [], 'array');
$categoryId = \array_key_exists('category_id', $filters) ? reset($filters['category_id']) : ArrayHelper::getValue($data, 'catid', null, 'int');
```

Or just remove the whole thing as the filters can be an array and how do we know for which one to take.
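To make the failure mode concrete, here is an added example (not Joomla's own code and not part of this thread) that mirrors the decision `allowAdd()` makes, with a constructed permission table standing in for `User::authorise('core.create', 'com_content.category.N')`. It compares the legacy lookup of a flat `filter_category_id` variable with a lookup against the Joomla 5 `filter[category_id]` array, on a request shaped like the one the filtered articles list sends; the function names and the sample request are assumptions for illustration.

```php
<?php
// Added example, not Joomla's own code: models the authorisation decision in
// ArticleController::allowAdd() against the two request shapes discussed in the issue.

declare(strict_types=1);

// Constructed permission table: category id => may the test user create there?
const CAN_CREATE_IN_CATEGORY = [
    2 => true,   // category the user may write to
    7 => false,  // category where create was removed for the test user
];

// Stand-in for $user->authorise('core.create', 'com_content.category.' . $id).
function canCreateInCategory(int $categoryId): bool
{
    return CAN_CREATE_IN_CATEGORY[$categoryId] ?? false;
}

// Legacy lookup: the flat filter_category_id request variable from the hathor template.
// Joomla 5 no longer sends it, so this silently resolves to "no category".
function legacyCategoryId(array $request, array $data): ?int
{
    $filter = isset($request['filter_category_id']) ? (int) $request['filter_category_id'] : 0;
    $catid  = isset($data['catid']) ? (int) $data['catid'] : $filter;

    return $catid > 0 ? $catid : null;
}

// Current lookup: filter[category_id] from filter_articles.xml is an array (multi-select),
// so the first selected category is used, as in the snippet proposed in the thread.
function currentCategoryId(array $request, array $data): ?int
{
    $filters = isset($request['filter']) && is_array($request['filter']) ? $request['filter'] : [];

    if (array_key_exists('category_id', $filters) && is_array($filters['category_id']) && $filters['category_id'] !== []) {
        $catid = (int) reset($filters['category_id']);
    } else {
        $catid = isset($data['catid']) ? (int) $data['catid'] : 0;
    }

    return $catid > 0 ? $catid : null;
}

// The decision: when a category is known, its own create permission decides;
// otherwise the controller falls back to the component-level permission.
function allowAdd(?int $categoryId, bool $componentDefault): bool
{
    return $categoryId === null ? $componentDefault : canCreateInCategory($categoryId);
}

// Constructed request: the Joomla 5 articles list filtered on category 7, user clicked "New".
$request          = ['filter' => ['category_id' => ['7']]];
$data             = [];     // no catid posted yet at this point
$componentDefault = true;   // com_content-level create is allowed for the user

printf("legacy lookup allows add:  %s\n", var_export(allowAdd(legacyCategoryId($request, $data), $componentDefault), true));
printf("current lookup allows add: %s\n", var_export(allowAdd(currentCategoryId($request, $data), $componentDefault), true));
```

With the legacy lookup the category is never found, so the check degrades to the component-level permission and the edit form opens; with the array lookup the filtered category is seen and its deny takes effect before the form opens. Taking the first entry of a multi-select filter is a convention, not a complete answer to the "which one to take" question raised above, and the save-time check in the model still applies either way.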

brianteeman commented 2 months ago


> Looks like @Hackwar removed the legacy filter https://github.com/joomla/joomla-cms/pull/43230

That is proposed for 5.2