Actions

J2.5 talk

Difference between revisions of "Developing a MVC Component/Adding ACL"

From Joomla! Documentation

m (rollback)
(13 intermediate revisions by 8 users not shown)
Line 1: Line 1:
 +
== Checking the permissions on the Server Side ==
 +
 +
The tutorial at the moment of writing is not enforcing the permissions on the server side, allowing a forged request to modify data. (Permissions are only declared and set, but not checked!)
 +
 +
Looking at how this is handled in other components in Joomla I've noticed that:
 +
 +
'''"core.delete"''' is enforced in the model class: ''admin/models/helloworld.php'' by adding these lines:
 +
 +
<source lang='php'>
 +
        /**
 +
        * Method to check if it's OK to delete a message. Overwrites JModelAdmin::canDelete
 +
        */
 +
        protected function canDelete($record)
 +
        {
 +
            if( !empty( $record->id ) ){
 +
                $user = JFactory::getUser();
 +
                return $user->authorise( "core.delete", "com_helloworld.message." . $record->id );
 +
            }
 +
        }
 +
</source>
 +
 +
'''"core.edit"''' (and '''core.add''' if you wish) are enforced in the sub-controller (NOT in the model). I don't know why this is so, but that's how other components do it. You need to add the following lines in the file: ''/admin/controllers/helloworld.php''
 +
 +
<source lang='php'>
 +
 +
    /**
 +
    * Implement to allowAdd or not
 +
    *
 +
    * Not used at this time (but you can look at how other components use this....)
 +
    * Overwrites: JControllerForm::allowAdd
 +
    *
 +
    * @param array $data
 +
    * @return bool
 +
    */
 +
    protected function allowAdd($data = array())
 +
    {
 +
        return parent::allowAdd($data);
 +
    }
 +
 +
    /**
 +
    * Implement to allow edit or not
 +
    * Overwrites: JControllerForm::allowEdit
 +
    *
 +
    * @param array $data
 +
    * @param string $key
 +
    * @return bool
 +
    */
 +
    protected function allowEdit($data = array(), $key = 'id')
 +
    {
 +
        $id = isset( $data[ $key ] ) ? $data[ $key ] : 0;
 +
        if( !empty( $id ) ){
 +
            $user = JFactory::getUser();
 +
            return $user->authorise( "core.edit", "com_helloworld.message." . $id );
 +
        }
 +
    }
 +
 +
</source>
 +
 +
Once you implement the changes above the tutorial should work as intended. (''allowAdd'' should also be implemented to check for category permission at least, but since the author of the tutorial did not add a "core.add" action for the "message" section, I'll leave like it is.
 +
 +
[[User:Ilie.pandia|Ilie Pandia]] ([[User talk:Ilie.pandia|talk]]) 06:08, 11 October 2012 (CDT)
 +
 
Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --[[User:A2Ggeir|A2Ggeir]] 10:19, 6 December 2010 (UTC)
 
Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --[[User:A2Ggeir|A2Ggeir]] 10:19, 6 December 2010 (UTC)
  
Line 22: Line 84:
  
 
--[[User:A2Ggeir|A2Ggeir]] 12:02, 7 December 2010 (UTC)
 
--[[User:A2Ggeir|A2Ggeir]] 12:02, 7 December 2010 (UTC)
 +
 +
== Delet dosn't work ==
 +
 +
when you want to delete a message it goes wrong and the message appears:
 +
 +
500 - Es ist ein Fehler aufgetreten
 +
 +
Layout „default“ nicht gefunden
 +
 +
 +
downt know why its not working... maybee some can check this out.
 +
 +
Greetz
 +
 +
-------------------------------------------------------------------------------
 +
 +
Ok, so I have carefully followed the tutorial to here. What I need to know now is HOW do I allow a user who only has edit.own rights to get to the admin edit for the component??
 +
 +
I tried for a while to create an edit page on the front end, but no luck and no help. It occurred to me that perhaps if I could not bring the mountain to Mohammed, I could get Mohammed access to the mountain. But how to do it without making every user an administrator? Even a manager has too much other access.
 +
<p>
 +
 +
[[User:IslandBilly|&quot;In theory, there&#39;s no difference between theory and practice; in practice, there is&quot;  --Yogi Berra]] 10:14, 12 November 2011 (CST) Using v1.7
 +
 +
--------------------------------------------------------------------------------
 +
I think that this example is missing something in the bind method.
 +
 +
        // Bind the rules.
 +
        if (isset($array['rules']) && is_array($array['rules']))
 +
        {
 +
            $rules = new JAccessRules($array['rules']);
 +
            $this->setRules($rules);
 +
        }
 +
If we don't bind the rules then they are not saved in the asset table for the message/item...
 +
 +
 +
==Missing asset_id field==
 +
 +
I think database table is missing field "asset_id", which is required. Watch this link here.
 +
 +
https://www.joomlajingle.com/blog/39-joomla-acl-for-developers
 +
 +
[[User:Vipantonio|Vipantonio]] 06:19, 9 August 2012 (CDT)

Revision as of 07:13, 11 October 2012

Checking the permissions on the Server Side

The tutorial at the moment of writing is not enforcing the permissions on the server side, allowing a forged request to modify data. (Permissions are only declared and set, but not checked!)

Looking at how this is handled in other components in Joomla I've noticed that:

"core.delete" is enforced in the model class: admin/models/helloworld.php by adding these lines:

        /**
         * Method to check if it's OK to delete a message. Overwrites JModelAdmin::canDelete
         */
        protected function canDelete($record)
        {
            if( !empty( $record->id ) ){
                $user = JFactory::getUser();
                return $user->authorise( "core.delete", "com_helloworld.message." . $record->id );
            }
        }

"core.edit" (and core.add if you wish) are enforced in the sub-controller (NOT in the model). I don't know why this is so, but that's how other components do it. You need to add the following lines in the file: /admin/controllers/helloworld.php

    /**
     * Implement to allowAdd or not
     *
     * Not used at this time (but you can look at how other components use this....)
     * Overwrites: JControllerForm::allowAdd
     *
     * @param array $data
     * @return bool
     */
    protected function allowAdd($data = array())
    {
        return parent::allowAdd($data);
    }
 
    /**
     * Implement to allow edit or not
     * Overwrites: JControllerForm::allowEdit
     *
     * @param array $data
     * @param string $key
     * @return bool
     */
    protected function allowEdit($data = array(), $key = 'id')
    {
        $id = isset( $data[ $key ] ) ? $data[ $key ] : 0;
        if( !empty( $id ) ){
            $user = JFactory::getUser();
            return $user->authorise( "core.edit", "com_helloworld.message." . $id );
        }
    }

Once you implement the changes above the tutorial should work as intended. (allowAdd should also be implemented to check for category permission at least, but since the author of the tutorial did not add a "core.add" action for the "message" section, I'll leave like it is.

Ilie Pandia (talk) 06:08, 11 October 2012 (CDT)

Somehow the ACL doesn't work on Edit permission for me. It shows both Save & New and Save as Copy buttons when it has no create rights. Gone through the code twice, but cannot see anything wrong with it... Anybody else have same problem? --A2Ggeir 10:19, 6 December 2010 (UTC)

Did a little debug and it seems the values from function canDo() in Helper does not return the right values when it is in edit view.

Result when in listview:

  'core.admin' => NULL,
  'core.manage' => true,
  'core.create' => false,
  'core.edit' => true,
  'core.delete' => false,

Result when in editview:

  'core.admin' => NULL,
  'core.manage' => NULL,
  'core.create' => true,
  'core.edit' => true,
  'core.delete' => true,

--A2Ggeir 12:02, 7 December 2010 (UTC)

Delet dosn't work

when you want to delete a message it goes wrong and the message appears:

500 - Es ist ein Fehler aufgetreten

Layout „default“ nicht gefunden


downt know why its not working... maybee some can check this out.

Greetz


Ok, so I have carefully followed the tutorial to here. What I need to know now is HOW do I allow a user who only has edit.own rights to get to the admin edit for the component??

I tried for a while to create an edit page on the front end, but no luck and no help. It occurred to me that perhaps if I could not bring the mountain to Mohammed, I could get Mohammed access to the mountain. But how to do it without making every user an administrator? Even a manager has too much other access.

"In theory, there's no difference between theory and practice; in practice, there is" --Yogi Berra 10:14, 12 November 2011 (CST) Using v1.7


I think that this example is missing something in the bind method.

       // Bind the rules.
       if (isset($array['rules']) && is_array($array['rules']))
       {
           $rules = new JAccessRules($array['rules']);
           $this->setRules($rules);
       }

If we don't bind the rules then they are not saved in the asset table for the message/item...


Missing asset_id field

I think database table is missing field "asset_id", which is required. Watch this link here.

https://www.joomlajingle.com/blog/39-joomla-acl-for-developers

Vipantonio 06:19, 9 August 2012 (CDT)