View Issue Details

IDProjectCategoryView StatusLast Update
0004148Composrcore_permission_managementpublic2020-02-28 15:39
ReporterAdamAssigned ToChris Graham 
Severityminor 
Status resolvedResolutionfixed 
Product Version 
Fixed in Version10.0.31 
Summary0004148: Submit mid-impact (medium visibility) content
DescriptionAs part of providing an answer on the forum, I turned this privilege off for Guest and Members. However, logged in as test I still have access to the News link in CMS Zone, there is no Add button but I get the screen and intro text. I can also append &type=add to load the add screen. The only reason I cannot submit News as a Member is that the category dropdown is empty.
TagsNo tags attached.
Attach Tags
Time estimation (hours)
Sponsorship open

Activities

Chris Graham

2020-02-28 01:17

administrator   ~0006449

Technically I could argue this is not a bug.

Removing submit permission is only going to affect adding, so it's correct the whole CMS module doesn't disappear - maybe there is permission for editing still, or something else.

Permission could instead be removed to the cms_news page or the whole cms zone.

As for the form still being there, there could be permissions overridden on a category level to any of the news categories. As it happens, there aren't, and thus the list is empty. If they try and submit it will say they didn't select a category. Composr isn't going to be linking to that form normally, but it is conceivable for a site with complex permissions to have added custom links to submit to a particular permissive category..

But I do recognise it is messy. It should at least have an error message if there are no categories to select from rather than waiting until form submission. I'll handle it as a 'there are no categories' situation. That's technically not the correct error message, but there's no distinction between "no categories" and "no categories available to you" and I don't want us to have to create one.

admin

2020-02-28 01:20

administrator   ~0006450

Last edited: 2020-02-28 01:20

View 2 revisions

Automated response: Possible to manually go to add news/blog/event URL even with no access

If you have no access to add news/blog-posts/calendar-events, the normal links and icons for doing so will be missing. But you can manually go to the form URL. No categories will be available for selection unless a category has been given overridding privileges to allow submission for that category/categories only.
It's a messy situation, we should not show empty lists that require selection. Show a generic error message instead.

admin

2020-02-28 01:20

administrator   ~0006451

Fixed in git commit 38ab16baf (https://gitlab.com/composr-foundation/composr/commit/38ab16baf - link will become active once code pushed to GitLab)

A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

hotfix-4148, 2020-02-28 1am.tar (183,808 bytes)

Adam

2020-02-28 15:39

administrator   ~0006455

From a user perspective, not having links to modules where actions cannot be performed is a good solution that eases any potential confusion. Thanks for the changes.

Issue History

Date Modified Username Field Change
2020-02-25 05:20 Adam New Issue
2020-02-28 01:17 Chris Graham Note Added: 0006449
2020-02-28 01:20 Chris Graham Note Edited: 0006450 View Revisions
2020-02-28 15:39 Adam Note Added: 0006455