Welcome, Guest
Username: Password: Remember me

TOPIC: ACL - Can't add unless user has Global Create

ACL - Can't add unless user has Global Create 01 Dec 2012 13:53 #5697

  • gdpodesta
  • gdpodesta's Avatar
  • Offline
  • Senior Member
  • Posts: 75
  • Thank you received: 8
  • Karma: 2
We sell our educational material to universities, and the librarians do the purchasing. I've got 4 kinds of users:
Registered
  - Customers
    - Librarians
    - Professors
  1. Visitors must become Registered users to view prices
  2. If they make a purchase, they become a Librarian
  3. Librarians create users that are Professors
  4. Librarians and Professors are Customers to be able to see "customer stuff", regardless of their role
My component has a view that is visible to the Librarian,which allows them to add to the my_professors table, and creates a Joomla account for that professor. This works when logged in as Administrator.

When logged in as a Librarian, the only way that I've been able to make the "New" button appear is by giving them Global Create permission. In this case, the New button appears, but the Librarian is now able to submit new content to the site with the Joomla Content component (This, of course, is not desirable).

If I set the permissions on my component to all "Create = Allowed" for Librarians, shouldn't they be able to add within my component, but not on the site in general? :huh:

In short, setting Permissions in my component has zero effect - I've tried giving all permissions to all users through the admin of my component, and it makes no difference.
Last Edit: 01 Dec 2012 14:04 by gdpodesta. Reason: Additional testing result
The administrator has disabled public write access.

Re: ACL - Can't add unless user has Global Create 01 Dec 2012 16:26 #5699

  • gdpodesta
  • gdpodesta's Avatar
  • Offline
  • Senior Member
  • Posts: 75
  • Thank you received: 8
  • Karma: 2
The new Joomla ACL has a steep learning curve compared to earlier versions :S . I believe I've answered my own question with this understanding:
  1. If a user needs a particular privilege such as "Create" rights in any given component, then they must first have it Globally.
  2. Subsequently, each component may then override it for that component with it's own permission settings
.
If that is true, then the above should work for my component, but I must remove those Global rights at the Component level anywhere that I do not want them to Create items (such as com_content). :unsure:
Last Edit: 01 Dec 2012 16:28 by gdpodesta.
The administrator has disabled public write access.
The following user(s) said Thank You: admin

Re: ACL - Can't add unless user has Global Create 02 Dec 2012 21:41 #5748

  • admin
  • admin's Avatar
  • Offline
  • Administrator
  • Chef
  • Posts: 3702
  • Thank you received: 978
  • Karma: 141
Yes, exactly.
Good analysis, clearly undersantable for visitors.

I got this problem in sandboxes as well, and it was a pain in the ass, so at the end I had to hack the joomla core, for security reasons.

It is missing something like 'force' authorization in ACL.

In my hands, I understood the same. But maybe wrong. I am not a guru.
All inputs are welcome on this subject.

K+1
Coding is now a piece of cake
The administrator has disabled public write access.
Time to create page: 0.087 seconds

Get Started