Joomla ACl problems - joomla

I've written a component for Joomla 2.5. It works great. However I'm having access control issues. The component manages documents. It allows clients to upload them, tag them, search etc. All this works fine. The user needs to be looged in to the system to be able to view, edit and delete documents.
Unfortunately whilst the system restricts editing and deleting it doesn't seem to restrict viewing. It doesn't restrict the view to logged in users only. If you type the component url for a document directly into the browser bar it loads up the view:
http://www.mydomain.com/component/document_managment/1.html?view=document
I've searched around and can't find anything that helps. Any ideas about what I might have done wrong?

I am assuming you already have a complete ACL implemented, i.e. there is an asset column in the documents table, and you have an access.xml with some ACL rules defined i.e.
<section name="component">
<action name="core.admin" title="JACTION_ADMIN" description="JACTION_ADMIN_COMPONENT_DESC" />
...
You want to add core.view and core.view.own ACL rules in the access.xml (which is typically in your administrator-component root).
<action name="core.view" title="View all documents"
<action name="core.view.own" title="View own documents"
In the component configuration, assign privileges to the users so super users can view all (managers have core.view privilege) and every registered user has core.view.own
In the view.html or -even better- in the model, you test for the privileges before loading any data:
$user = JFactory::getUser();
$id = $app->input->getInt('id') // load the document id
$canView = false;
if($id){
$canView = $user->authorise('core.view', 'com_yourcomponent.document') ||
$user->authorise('core.view.own', 'com_yourcomponent.document.'.$id);
}

Related

Laravel menu based on role?

i have codeigniter background. Now, i'm learning about laravel. So, i'm in this condition (Example), I'm trying to create a webapp, which has multiple users. The UsersType A , they can access menu a, menu b & menu c and UsersType B they only can access Menu a.
Now, i'm using https://github.com/lavary/laravel-menu . Well, if it's only have two types , i can write it manually. But, what if there are five types of user or more.
When i'm using codeigniter. I create 4 table Users , UsersType , Menu & MenuAccess. You must be understand how it's work. I just, play it with query then i show it.
UsersType (Users) -> TypeId (UsersType) -> MenuId (MenuAccess) -> MenuId (Menu)
I already use google and I found this https://github.com/Zizaco/entrust but what i can see from that package. It's only give the permission on the action (input,edit & delete)
So, Can i do my codeigniter way in my laravel ? Save my routes properties than show it in my rouotes/web.php (I don't know if it possible, haven't try it yet). sorry for my english.
What I would do is put a function in the User class which checks it's own permission and then returns a view which contains the menu that user has access to.
public function menu()
{
switch($this->role) {
case 'admin':
return view('menus.admin');
[etc]
}
}
Then in the view just check if the user is logged in and show the menu:
#if Auth::check()
{{ Auth::user->menu() }}
#endif
As mentioned in the comments,it sounds like what you want is the ability to conditionally display content based on whether a user has certain permissions.
There's a number of implementations of this. Essentially what they all do is store permissions that can be granted to users, and optionally store roles that allow permissions to be assigned to a role and then users can be given that role, automatically granting them the permissions associated with that role.
I've found spatie/laravel-permission which appears to be quite good. Then, if you pass your user model into the view, you can do something like this:
#if ($user->can('edit-posts'))
<a>Edit post</a>
#endif
That should be flexible enough that it can be reused for different permissions too. If that doesn't do the trick, then it's not hard to roll your own permission system using Laravel's authorization system and you should be able to use the can() method in the same way.

How to create user-specific content in Joomla! 3.0?

I need to create a User-Specific content page, I have registered users and I need to create a module/page/menu/feed or whatever that displays articles that are for only one or some users.
For example, in my site, I show to public some projects (articles redacted as some architecturing project) for example: news, finished projects, etc, some people register and can access to other content that is intended for registered users, for example: new projects that only registered clients would be interested, so far, I managed to make this work, but now, I have work that is for a specific user and he/she only can see it in his/her feed, for example: status of their project made by us, some galleries with photos of the work in progress, etc.
So, This feed must be a module/page/menu that shows articles with a specific category and for registered users. But I want to be able to post an article that is only intended for a specific user or a set of users and shows in this feed (module) or at least a whole new module that shows user-specific content without having to create a category and an access level for each user.
Is there an extension or plug-in that helps me do this?
you need to make do two things:
Make a new user-group (Users->User group) as a sub-group of
registered. Add the users that need the special permission to this
group.
Make a new access-level (Users->access-levels) and add you
new user-group to this access level
Set the access-level on the article(s) that you want to restrict access on.
The module should check the access-level before it displays it to the users, and only display the restricted articles to those that have the correct privileges.
The system don't really support what you ask for, but you could use the following setup:
Make a content-plugin (http://docs.joomla.org/J2.5:Creating_a_content_plugin). In the event onContentPrepareForm, you modify the created_by_alias-field to use it for your special user allowed to view this content article.
function onContentPrepareForm($form, $data){
// first check that context is right
// Then change the type of the field. This should allow to select
// the user when you create the article.
$form->getField('created_by_alias')->__set('type', 'user');
}
In the event onContentPrepareData, check if the data in the created_by_alias references a valid user in the user group your users shoud be in
public function onContentPrepare($context, $article, $params, $page){
// first check that context is right
//Then fetch the user data:
if(is_int($article->created_by_alias)){ // ( Optionally check if the article is in a specific category )
$db=JFactory::getDbo();
$currentuser=JFactory::getUser();
$allowedgroup=2; // the registered users group
$sql="select u.id from #__users inner join #__user_usergroup_map ug (u.id=ug.user_id) where ug.group_id={$allowedgroup}";
$db->setQuery($sql);
$user=$db->loadObject();
if($user->id==$currentuser){
$data->user=$user;
}
else{
//Unset the article content to prevent unothorized users from seeing the content.
unset($article);
}
}
Finally, create a module (http://docs.joomla.org/Creating_a_simple_module) that feeds articles for a particular user, containing at least:
$list=array();
$user=Jfactory::getUser();
if($user->id>0){
$sql="select * from #__content where created_by_alias={$user->id}";
// ( also add sql to check that the user has access,
// the article is published, the correct category etc)
$db=Jfactory::getDbo();
$db->setQuery($sql);
$list=$db->loadObjectList();
if(!count($list)) return;
}
else return;
print_r($list); // Prints the content articles
This scheme should protect unauthorized users from viewing the content of the articles ment for a specific user. The module should (after nicely outputting what you want to display) display a list of articles for the logged inn user. The module can link to the article in the normal way, and the authorized user will have access. So it should be "safe enough", and provide the functionality you need without too much hassle.
I'll try anotherone here:
You could just install a messageing system on your site. UddeIM is one such system. This will allow you to make specific content for your users. UddeIM can be configured so only administrators can send messages. There is also some modules for this component to show latest messages etc.

Joomla progressive cache doesn't handle modules with variable output

I have a module which allows the user to choose a category, which is then used for filtering the component's output. So when the user first clicks on the menu item, the view shows items from all categories, then as they click on the module, a param such as &catid=69 etc. is added to the url and used to filter the items displayed.
A system plugin complements the behaviour by registering the extra catid param i.e.
$registeredurlparams->catid = 'INT';
$app->set('registeredurlparams', $registeredurlparams);
The module uses the category id to create the cache id, and shows the top-level categories + the subcategories of the category that was chosen.
This works fine with both conservative cache enabled in the system configuration and the System Cache plugin enabled.
My concern is that I cannot get it to work with progressive cache: even though the component output is cached correctly, the module doesn't get updated (so I never see the subcategories).
Eventually I plan to make the extension available on the JED, and I'd like to be compatible with all possible cache configurations. Is there any possibility to force the progressive cache to add the parameters I want to the cache id?
Workarounds such as sending the full category tree and doing it with ajax will not be accepted.
One thing you could look at is ContentModelArticle in the back end. You will notice that cleanCache()
forcibly clears the content modules that could be impacted by a save or create.
protected function cleanCache($group = null, $client_id = 0)
{
parent::cleanCache('com_content');
parent::cleanCache('mod_articles_archive');
parent::cleanCache('mod_articles_categories');
parent::cleanCache('mod_articles_category');
parent::cleanCache('mod_articles_latest');
parent::cleanCache('mod_articles_news');
parent::cleanCache('mod_articles_popular');
}
I've always thought this was a sledge hammer/kludge since it doesn't let the webmaster control whether or not to do this, but you could do something along the lines of making a custom cleanCache() for your model.

Extending Joomla 2.5 Banner Component

I really hope someone can help me.
I need to be able to serve banners in categories which are dependant on a session variable - and can't find a component which does that. So I'd like to extend the Joomla Banner component in order to select banners based on a session variable which contains the category path.
The correct session variable is being stored correctly.
In order to do this I added an option in the banners module .xml to allow for a session variable and the name of the session variable. This is being stored correctly in the module table within the params field along with the other module parameters.
Then I started on the
components > banners > com_banners > models > banners.php
by adding two lines of code in getListQuery where the SQL is assembled. They are:
$sess_vars = $this->getState('filter.sess_vars');
$sess_vars_name = $this->getState('filter.sess_vars_name');
But both variables contain nothing even though the ones the component already has can be retrieved fine. Without a doubt I need to change something somewhere else as well - but just can't figure out what to do.
Any help would be greatly appreciated.
The first thing to do is not hack the core files, hacking the core prevents you from using the built-in update feature to apply the regular bug fixes and security patches released by Joomla! (e.g. the recently released 2.5.9 version).
Rather make a copy of them and modify it so it's called something else like com_mybanners. Apart from the folder name and the entry point file (i.e. banners.php becomes mybanners.php) you will also want to update the components banners.xml to mybanners.php.(You will need to duplicate and modify both the front end /components/com_banners/ and /administrator/components/mybanners.php.)
Because of the way Banners work (i.e. banners are displayed in a module) you will also need to duplicate and modify /modules/mod_banners/,/modules/mod_banners/mod_banners.php and /modules/mod_banners/mod_banners.xml. Changing mod_banners to mod_mybanners in each location.
In Joomla! components the state is usually populated when JModel is instantiated, however, in this case the component is really about managing banners and recording clicks the display is handled by mod_banners. So, you will want to add some code to mod_mybanners.php to use the session variables you want to act on. Normally when a models state is queried you will collect the variables via JInput and add them to your object's state e.g.
protected function populateState()
{
$jApp = JFactory::getApplication('site');
// Load state from the request.
$pk = $jApp->input->get('id',0,'INT');
$this->setState('myItem.id', $pk);
$offset = $jApp->input->get('limitstart',0,'INT');
$this->setState('list.offset', $offset);
// Load the parameters.
$params = $app->getParams();
$this->setState('params', $params);
// Get the user permissions
$user = JFactory::getUser();
if ((!$user->authorise('core.edit.state', 'com_mycomponent')) && (!$user->authorise('core.edit', 'com_mycomponent')))
{
$this->setState('filter.published', 1);
$this->setState('filter.archived', 2);
}
}
The populateState() method is called when a state is read by the getState method.
This means you will have to change your copy of /components/com_banners/models/banner.php to capture your variables into the objects state similar to my example above.
From there it's all your own code.
You can find all of this information in the Developing a Model-View-Controller tutorial on the Joomla Doc's site

Displaying specific content to specific user in Joomla 1.5

To be short, It's a website for an investigations lab.
I need to display specific content (lab report) to specific user. Users will be given a username and a password when leaving and will be asked to login on the website to access his/her report with the credentials given to him.
So , it's a "specific content" for "specific user" - Moving to 1.6 is not an option.
I have a solution in mind but involve a lot of core hacking and will take some time ... If any one been in a similar situation or have an idea in mind I would appreciate your help.
Ok, this can be done but it's going to take a little trickery to get there. First, you are going to need a way to post the lab reports and associate them with a user. I would use K2 for this since you can add the report as an attachment to an item. You can also add extra fields to K2, which would be the next step. You'll need an extra field where you can enter a user ID number that you will use to determine if a user is allowed to view the content.
There are several steps you will need to take to now filter the content so only the associated user can see it.
You will need to get the user ID once the user is logged in:
$user =& JFactory::getUser();
$usr_id = $user->get('id');
You'll need a menu item that links to a K2 Category where all the lab reports go.
You'll need a subtemplate with a modified category_item.php for that category that only displays the associate reports:
if($this->item->extra_fields[USER_ID_EXTRA_FIELD_NAME]==$usr_id){
all the category item stuff
}
You'll need a subtemplate with a modified item.php for the category that again blocks users other than the associated user, basically the same code as #3 to either display the content or an error message.
The only other way I can think of that you can accomplish this would be to use an ACL component with a group for each user.
The K2 method with subtemplates would not require any core hacks and will work with a little work.
You can achieve what you want with Flexicontent http://www.flexicontent.org/ and Flexiaccess
Flexicontent is a K2 type component and I use them interchangeably. With Flexiaccess you can create items that are only available to certain users.
No hacks required.
Bad News: That cant be done with standard Joomla 1.5 (without hacking)
Good News: You can use one of the free or commercial Extensions for Joomla to accomplish that. I would suggest for example:
Admin-User-Access
http://extensions.joomla.org/extensions/access-a-security/backend-a-full-access-control/9040
Or you can search for yourself:
http://extensions.joomla.org/extensions/access-a-security/backend-a-full-access-control

Resources