#319 open

Bad Permission Checks

Reported by pebcak_error | August 31st, 2011 @ 08:12 AM | in 2.0.1 (closed)

I have a user who is a member and admin of a group called editors. On a page I have a container that has a text module in it. The Group has full permissions to the text module and no permissions to the container.

Referring to file: https://github.com/exponentcms/exponent-cms/blob/master/framework/m...

The permission check fails on an opening div but later passes on the matching closing div. This causes an extra closing div that wreaks havoc on a layout.

First of all, the permission checks do not match. Line 18 does not match the check on Line 100.
Line 18:

{if ($permissions.administrate == 1 || $permissions.edit_module == 1 || $permissions.delete_module == 1 || $permissions.add_module == 1 || $container->permissions.administrate == 1 || $container->permissions.edit_module == 1 || $container->permissions.delete_module == 1)}

Line 100:

{if ($permissions.administrate == 1 || $permissions.edit_module == 1 || $permissions.delete_module == 1 || $permissions.add_module == 1 || $container->permissions.administrate == 1 || $container->permissions.edit_module == 1 || $container->permissions.delete_module == 1 || $container->permissions.configure || $container->permissions.configure == 1)}

Line 70 and 87 are opening/closing tag pairs.
However Line 58 is just {permissions} while Line 85 includes a level. As well, the {if} on Line 59 does not match the {if} on Line 86.

These opening and closing must match, but there is a larger issue as well.

The initial check on Line 18 is looking for $container->permission.bla-bla-bla. However $container is not set until the {foreach} loop on line 52. Its closing tag on line 100 also checks for $container permissions. But since the var is not set (to the last container in the loop) it might pass when. Thus the extra closing div wreaking havoc.

To fix my layout I added the following at the very top.

 {foreach key=key name=c from=$containers item=container}

This should count as a horrible, horrible hack and a better way that checks the permissions of the specific container explicitly rather than whatever was the last container in the foreach.
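An added example, not part of the original ticket and not Exponent CMS code: a small lint that flags the two problems described in the report above, an {if} guard on a closing div that differs from the guard on its opening div, and a {foreach} item variable read outside its loop. The function name, the div-counting heuristic and the sample template are assumptions made for illustration.

```python
import re

TAG = re.compile(r"\{(/?)(if|foreach)\b([^}]*)\}")

def audit_guards(template):
    """Heuristic lint: returns (kind, detail, condition) tuples."""
    loop_items = set(re.findall(r"\{foreach\b[^}]*\bitem=(\w+)", template))
    findings, in_scope, open_ifs, open_divs = [], [], [], []
    for m in TAG.finditer(template):
        closing, name, args = m.groups()
        if name == "foreach":
            if closing:
                in_scope.pop()
            else:
                item = re.search(r"\bitem=(\w+)", args)
                in_scope.append(item.group(1) if item else None)
        elif not closing:
            cond = " ".join(args.split())
            used = set(re.findall(r"\$(\w+)", cond))
            # Per the report: a loop item read outside its {foreach} is unset
            # before the loop and left at the last element after it.
            for var in sorted(used & (loop_items - set(in_scope))):
                findings.append(("out-of-scope", var, cond))
            open_ifs.append((cond, m.end()))
        else:
            cond, start = open_ifs.pop()
            body = template[start:m.start()]
            opens, closes = body.count("<div"), body.count("</div")
            if opens > closes:                   # this {if} guards an opening tag
                open_divs.append(cond)
            elif closes > opens and open_divs:   # this {if} guards a closing tag
                opener = open_divs.pop()
                if opener != cond:
                    findings.append(("guard-mismatch", opener, cond))
    return findings

# Constructed sample reproducing the pattern in the report (not the real file).
SAMPLE = """\
{if ($permissions.administrate == 1 || $container->permissions.administrate == 1)}<div class="wrap">{/if}
{foreach key=key name=c from=$containers item=container}
  {if $container->permissions.edit_module == 1}<div class="mod">{/if}
  {if $container->permissions.edit_module == 1}</div>{/if}
{/foreach}
{if ($permissions.administrate == 1 || $container->permissions.administrate == 1 || $container->permissions.configure == 1)}</div>{/if}
"""

if __name__ == "__main__":
    for finding in audit_guards(SAMPLE):
        print(finding)
```

The lint does not handle {else} branches or guards nested inside other guards; it only compares the condition text of each opening-div guard with the next unmatched closing-div guard.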

Comments and changes to this ticket

  • expNinja August 31st, 2011 @ 05:14 PM

    • State changed from “new” to “open”
    • Tag set to permissions
    • Milestone set to 2.0.1
    • Milestone order changed from “83” to “0”


Bug Tracker for Exponent CMS
