Bug #3000

closed

J2.5: CB User List access only checking one ACL group

Added by nant over 12 years ago. Updated about 12 years ago.

Status: Closed
Priority: Immediate
Assignee:
Target version:
Start date: 26 November 2011
Due date: 26 November 2011
% Done: 100%
Estimated time: 2:00 h

Description

Test scenario replicated as follows:

  • REG-1 and REG-2 groups are created under the Registered group in J173.
  • Create a CB User List viewable only by REG-1 and a CB User List viewable only by REG-2.
  • user1 in REG-1 can view CB List REG-1 and cannot view CB User List REG-2.
  • user2 in REG-2 can view CB List REG-2 and cannot view CB User List REG-1.
  • user12 in REG-1 and REG-2 can only view CB List REG-2 (note that the REG-2 group is after REG-1 in the Joomla ACL list).

Beat mentioned that the issue is on line 54 of cb.lists.php.


Files

  • 3000.patch (1.26 KB), krileon, 29 November 2011 15:49
  • cb.lists.php (20.3 KB), krileon, 29 November 2011 15:49

Related issues: 1 (0 open, 1 closed)

  • Follows CB - Bug #3038: J2.5: get_user_permission not checking full access tree (Closed, beat, 25 November 2011)

Actions #1

Updated by nant over 12 years ago

  • Assignee set to krileon
Actions #2

Updated by krileon over 12 years ago

  • File 3000.patch added
  • Status changed from New to Resolved
  • Assignee changed from krileon to beat
  • % Done changed from 0 to 100

Access is only checking for the topmost; it needs to be using cbGetAllUsergroupsBelowMe() so it is properly checking a full access tree.
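The test scenario from the description, reproduced as an added example that is not Community Builder's code or the attached patch. All function names, group ids and memberships are hypothetical, and it assumes Joomla-style inheritance (a member of a child group also gets access granted to its parent groups) and that the single-group check ends up using the user's last group, as the ticket's user12 result suggests.

```php
<?php
// Constructed group tree: group id => parent id (null = root). Ids are made up.
const GROUP_PARENT = [1 => null, 2 => 1, 10 => 2, 11 => 2]; // Public, Registered, REG-1, REG-2

// Constructed memberships modelled on the ticket's test scenario.
const USER_GROUPS = [
    'user1'  => [10],
    'user2'  => [11],
    'user12' => [10, 11],
];

// Hypothetical helper: the group itself plus every ancestor up to the root.
function groupWithAncestors(int $gid): array
{
    $chain = [];
    for ($g = $gid; $g !== null; $g = GROUP_PARENT[$g]) {
        $chain[] = $g;
    }
    return $chain;
}

// Behaviour described in the ticket: only ONE of the user's groups is consulted
// (assumed here to be the last one in ACL order).
function canViewListSingleGroup(string $user, int $listGid): bool
{
    $groups = USER_GROUPS[$user];
    $gid = end($groups);
    return in_array($listGid, groupWithAncestors($gid), true);
}

// Corrected check: access is granted if ANY of the user's groups, or an
// ancestor of one of them, matches the group the list is restricted to.
function canViewList(string $user, int $listGid): bool
{
    foreach (USER_GROUPS[$user] as $gid) {
        if (in_array($listGid, groupWithAncestors($gid), true)) {
            return true;
        }
    }
    return false;
}

foreach (array_keys(USER_GROUPS) as $user) {
    foreach ([10 => 'REG-1', 11 => 'REG-2'] as $gid => $name) {
        printf("%-6s %s list: single-group=%s all-groups=%s\n", $user, $name,
            var_export(canViewListSingleGroup($user, $gid), true),
            var_export(canViewList($user, $gid), true));
    }
}
```

Only the user12 / REG-1 row differs between the two columns, which is why a regression test for this class of bug needs a user who belongs to more than one group.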

Actions #3

Updated by krileon over 12 years ago

  • File deleted (3000.patch)
Actions #4

Updated by krileon over 12 years ago

  • File 3000.patch added
  • File cb.lists.php added
Actions #5

Updated by krileon over 12 years ago

  • File deleted (3000.patch)
Actions #6

Updated by krileon over 12 years ago

  • File deleted (cb.lists.php)
Actions #8

Updated by beat about 12 years ago

  • Subject changed from CB User List access only checking one ACL gorup to J2.5: CB User List access only checking one ACL gorup
Actions #9

Updated by beat about 12 years ago

  • Status changed from Resolved to Assigned
  • Assignee changed from beat to krileon
  • Target version set to CB 1.8
  • % Done changed from 100 to 10
  • Estimated time set to 2:00 h

r1662 applies the patch as proposed, but it's buggy.

Actions #10

Updated by beat about 12 years ago

  • Priority changed from Normal to Immediate
Actions #11

Updated by beat about 12 years ago

  • Assignee changed from krileon to beat

OK, after applying the #3038 patch, that works OK.

However "userGID(" is used elsewhere where it will break things too.

Actions #12

Updated by beat about 12 years ago

  • Subject changed from J2.5: CB User List access only checking one ACL gorup to J2.5: CB User List access only checking one ACL group
  • Status changed from Assigned to Closed
  • % Done changed from 10 to 100

Implemented in r1670 + r1671 as follows: J2.5: Fixed all ACL bugs and added support for Permissions settings, namely bug #3044, completes Joomla 2.5 support: Feature #3179 and Feature #2903 : J1.7: Limiting backend access using joomla 1.7 ACL, and bug #3000 : J2.5: CB User List access only checking one ACL group
