
[5.4] check ACL when display link to user edit form #46805

Open
heelc29 wants to merge 6 commits into joomla:5.4-dev from heelc29:5.4/checkacl-usereditlink

Conversation

@heelc29
Contributor

@heelc29 heelc29 commented Jan 31, 2026

Pull Request for Issue from @chmst #pbf26

Summary of Changes

Checks the ACL (Access Control List) to decide whether to display a link or just the name.

Testing Instructions

  • Log in as a user who belongs to the Manager group
  • View the article or contact list and click on a user (who is not a super user)
[screenshots]
  • Then log in as a super user and change the permissions of the user component for the Manager group: allow Access Administration Interface and deny Edit
[screenshot]
  • Log in as a user who belongs to the Manager group again and click the link again

Actual result BEFORE applying this Pull Request

1st try
[screenshot]

2nd try
[screenshot]

Expected result AFTER applying this Pull Request

Only the name of the user is displayed, no link anymore
[screenshots]

Link to documentations

Please select:

  • No documentation changes for docs.joomla.org needed
  • No documentation changes for manual.joomla.org needed

@exlemor

exlemor commented Jan 31, 2026

I have tested this item ✅ successfully on 67d7f2b

I have tested this successfully - thank you @heelc29!


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/46805.

@ChristineWk

I have tested this item ✅ successfully on 67d7f2b



@krishnagandhicode

I have tested this item ✅ successfully on 67d7f2b



@richard67 richard67 added the RMDQ ReleaseManagerDecisionQueue label Feb 1, 2026
@richard67
Member

RTC



@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Feb 1, 2026
@richard67 richard67 added bug and removed RMDQ ReleaseManagerDecisionQueue labels Feb 1, 2026
@richard67 richard67 added this to the Joomla! 5.4.3 milestone Feb 1, 2026
@muhme
Contributor

muhme commented Feb 3, 2026

❌ Final test before merge with JBT

  • Installed Blog Sample Data, created manager, editor and to-be-deleted users, created 3 contacts with linked users, created articles as the users manager, editor and to-be-deleted, then deleted the to-be-deleted user entry
  • Saw 403 before in the articles and contacts views, and also with user component permission Edit denied
  • Applied PR with Patch Tester
  • ✅ Articles/Contacts as Super User all Authors/Linked User entries are still linked names and the links are working
  • ✅ '[ None ]' is still displayed for deleted user entry
  • ✅ Articles/Contacts as manager other Authors/Linked User entries are only names and no more links
  • ❌ Articles/Contacts as manager: The user's own entry is no longer linked; previously, the user's own entry was linked and opening the user entry worked in Articles/Contacts
  • Changed user component permissions Edit Denied
    • ✅ Articles/Contacts as manager all Authors/Linked User entries are only names and no more linked

@muhme
Contributor

muhme commented Feb 3, 2026

@heelc29 Thank you for your contribution. In final testing I found that with user component permission Edit enabled, the user's own entry is no longer linked. Before the PR, the user's own entry was linked and opening the user entry worked in Articles and Contacts. Could you please check?

@muhme muhme removed their assignment Feb 3, 2026
@muhme muhme added Updates Requested Indicates that this pull request needs an update from the author and should not be tested. and removed RTC This Pull Request is Ready To Commit labels Feb 3, 2026
@heelc29
Contributor Author

heelc29 commented Feb 4, 2026

@heelc29 Thank you for your contribution. In final testing I found that with user component permission Edit enabled, the user's own entry is no longer linked. Before the PR, the user's own entry was linked and opening the user entry worked in Articles and Contacts. Could you please check?

Yes, you're right. There's an exception for this in the com_user dispatcher. I will update the check.

// Allow users to edit their own account
if (\in_array($task, $allowedTasks, true) || ($view === 'user' && $layout === 'edit')) {
    $user = $this->app->getIdentity();
    $id   = $this->input->getInt('id');

    // Own account: the dispatcher skips the com_users ACL check entirely,
    // regardless of core.manage / core.edit on com_users
    if ((int) $user->id === $id) {
        return;
    }
}
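To make the rule this PR adds to the list templates testable on its own, here is an added example that is not part of Joomla or of this PR. It models the decision (own account, or core.manage plus core.edit on com_users) with a stand-in User class whose authorise($action, $asset) signature follows Joomla's, casts both ids to int so a string id coming back from the database cannot defeat a strict comparison, and treats a missing user id as the deleted-user case that the template renders as '[ None ]'. The route string is hypothetical and the scenarios are constructed from the test reports above.

```php
<?php
// Added example (not Joomla's own code): a self-contained model of the ACL
// check that decides whether an author / linked-user name may be a link to
// the com_users edit form.

declare(strict_types=1);

// Stand-in for Joomla\CMS\User\User: only id and authorise() are modelled.
final class User
{
    /** @param array<string, bool> $grants keyed by "$action|$asset" (constructed) */
    public function __construct(
        public int $id,
        private array $grants = [],
        private bool $isRoot = false
    ) {
    }

    public function authorise(string $action, string $asset): bool
    {
        // Super users are allowed everything, mirroring Joomla's root check.
        return $this->isRoot || ($this->grants["$action|$asset"] ?? false);
    }
}

/**
 * True when the current user may follow a link to edit the given user.
 * Both ids are cast to int because the list item's user_id is read from the
 * database and may arrive as a string on some drivers.
 *
 * @param int|string|null $itemUserId user id on the list row (null/0 = deleted user)
 */
function canLinkToUserEdit(User $user, int|string|null $itemUserId): bool
{
    if ($itemUserId === null || (int) $itemUserId === 0) {
        return false; // deleted or unknown user: show '[ None ]', never a link
    }

    if ((int) $user->id === (int) $itemUserId) {
        return true; // own account: the com_users dispatcher allows self-edit
    }

    return $user->authorise('core.manage', 'com_users')
        && $user->authorise('core.edit', 'com_users');
}

/** Render the table cell: an anchor when allowed, otherwise the escaped name. */
function renderLinkedUser(User $user, int|string|null $itemUserId, string $name): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

    if (!canLinkToUserEdit($user, $itemUserId)) {
        return $safeName;
    }

    // Hypothetical URL; in a Joomla template this goes through Route::_().
    return '<a href="index.php?option=com_users&amp;task=user.edit&amp;id='
        . (int) $itemUserId . '">' . $safeName . '</a>';
}

// Constructed scenarios modelled on the final test report above.
$superUser     = new User(42, [], true);
$manager       = new User(7, ['core.manage|com_users' => true, 'core.edit|com_users' => true]);
$managerNoEdit = new User(8, ['core.manage|com_users' => true, 'core.edit|com_users' => false]);

$scenarios = [
    'super user, other entry'          => [$superUser, '7'],
    'manager with edit, other entry'   => [$manager, '42'],
    'manager without edit, other entry'=> [$managerNoEdit, '42'],
    'manager without edit, own entry'  => [$managerNoEdit, '8'],
    'any user, deleted entry'          => [$managerNoEdit, null],
];

foreach ($scenarios as $label => [$who, $targetId]) {
    printf("%-36s %s\n", $label, canLinkToUserEdit($who, $targetId) ? 'link' : 'name only');
}

echo renderLinkedUser($managerNoEdit, '42', 'Editor <x>'), PHP_EOL;
```

The check is a display decision only: whether or not the link is rendered, the com_users dispatcher still enforces the same ACL when the edit URL is requested, so the template and the dispatcher need to agree on the own-account exception or users see the mismatch reported in the final test.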

@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Feb 4, 2026
<td class="small d-none">
<?php if (!empty($item->linked_user)) : ?>
<a href="<?php echo Route::_('index.php?option=com_users&task=user.edit&id=' . $item->user_id); ?>"><?php echo $item->linked_user; ?></a>
<?php if ($user->id === $item->user_id || ($user->authorise('core.manage', 'com_users') && $user->authorise('core.edit', 'com_users'))) : ?>
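Review bot: the strict comparison `$user->id === $item->user_id` on this line is the likely cause of the manager's own entry losing its link: `$item->user_id` comes from the database and can arrive as a string on some drivers while `$user->id` is an int, so `===` is false and the condition falls through to the `core.manage` and `core.edit` branch. Rather than loosening the operator to `==`, cast both sides, `(int) $user->id === (int) $item->user_id`, which keeps the comparison strict and matches the `(int) $user->id === $id` check in the dispatcher quoted above. The same pattern should be applied wherever this condition is repeated in the other list templates touched by the PR.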
Contributor


I remember that although the field has an int data type, the data returned from the database for the field could be int or string, depending on the database system. So to be safe, I think you should use the == instead of the === operator here.

@richard67 richard67 removed this from the Joomla! 5.4.3 milestone Feb 4, 2026
@richard67
Member

Back to pending as changes have been requested.



@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Feb 5, 2026