Bug #3000
closedJ2.5: CB User List access only checking one ACL group
Description
Test scenario replicated as follows:
REG-1 and REG-2 groups are created under Registered group in J173
create a REG-1 only viewable CB User Lists and a REG-2 only viewable CB User List
user1 in REG-1 can view CB List REG-1 and cannot view CB User List REG-2
user2 in REG-2 can view CB List REG-2 and cannot view CB User List REG-1
user12 in REG-1 and REG-2 can only view CB List REG-2 (note that REG-2 group is after REG-1 in Joomla ACL list)
Beat mentioned that issue is on line 54 of cb.lists.php
Files
Updated by krileon about 13 years ago
- File 3000.patch added
- Status changed from New to Resolved
- Assignee changed from krileon to beat
- % Done changed from 0 to 100
Access is only checking for top most, it needs to be using cbGetAllUsergroupsBelowMe() so it is properly checking a full access tree.
Updated by krileon about 13 years ago
- File 3000.patch added
- File cb.lists.php added
Updated by krileon about 13 years ago
- File 3000.patch 3000.patch added
- File cb.lists.php cb.lists.php added
Updated by beat almost 13 years ago
- Subject changed from CB User List access only checking one ACL gorup to J2.5: CB User List access only checking one ACL gorup
Updated by beat almost 13 years ago
- Status changed from Resolved to Assigned
- Assignee changed from beat to krileon
- Target version set to CB 1.8
- % Done changed from 100 to 10
- Estimated time set to 2:00 h
r1662 applies patch as proposed, but its buggy
Updated by beat almost 13 years ago
- Assignee changed from krileon to beat
ok, after applying #3038 patch, that works ok.
However "userGID(" is used elsewhere where it will break things too.
Updated by beat almost 13 years ago
- Subject changed from J2.5: CB User List access only checking one ACL gorup to J2.5: CB User List access only checking one ACL group
- Status changed from Assigned to Closed
- % Done changed from 10 to 100
Implemented in r1670 + r1671 as follows: J2.5: Fixed all ACL bugs and added support for Permissions settings, namely bug #3044, completes Joomla 2.5 support: Feature #3179 and Feature #2903 : J1.7: Limiting backend access using joomla 1.7 ACL, and bug #3000 : J2.5: CB User List access only checking one ACL group