#607 Posted in ‘Econa’

Latest post by Lefteris Kavadas on Monday, 02 November 2020 11:46 EET

Jip JJ Jonker
Hi!

We have an econa custom fields field added to an article category. When we create a usergroup in Joomla and give this group access to only one specific article category (news) and not to other article categories AND we set the access to the econa field to let the user edit the value of the field we get an error 'Access denied' when trying to upload an image.

We use ACL manager to mange the user rights. When we only set access to the news article category this issue is present. But when we add access to all articles (and then exclude all categories but 'news') the issue is gone. So I guess the econa fields plugin checks for permission on the component level and not on the actual category beneath the component?

Is would be best (I think) that the Econa plugin checks the access level of the specific category and of course the rights on the field itself.

If we add other custom fields to the news article there are no issues with the setup / rights to be able to edit / save the field. As far as I can tell this happens only with the econa custom fields plugin.

I hope you understand my issue ;-)

Kind regards,
Jip

Jip JJ Jonker
Screenshots rights setup using ACL manager:

https://inxpactdrive.nl/s/hKjANBK6poPhEjyE
https://inxpactdrive.nl/s/Uhkzkd2WTuuGP5Vc

Lefteris Kavadas
Hi Jip,

Econa is uploading the image with an asynchronous request. In that phase we check that the user that tries to upload the image has the permissions to create or edit articles globally. So I assume this is why the one setup works and the other doesn't. We need to think of a different way to implement this in order to cover cases like yours.

Regards

Jip JJ Jonker
Hi Lefteris,

Do you think you can change the way this works in a future update? We ran into the same issue again with a different site. I eventually Googled it and found my own ticket here to get it sorted out ;-)

We added global permissions to the article edits. Then we disabled it for all categories we did not want to include. This does fix this for now, but it would be better to just check the 'edit custom field' permissions only. Or just the article category rights the article is in?

Hope you can find a good solution for this.

Kind regards,
Jip


Lefteris Kavadas
Hi Jip,

The problem is that during the upload we cannot know which field the upload concerns. So checking only the "edit custom field" globally seems like a good solution for this. But again this is just another assumption like the one I did when I added the check for the create\edit articles permission. Maybe checking the core media manager permissions is also an option even though it will make it even more complex for the simple user.
Really don't know yet. Thank you for your suggestions.

Regards

Jip JJ Jonker
Hi Lefteris,

We are still struggling with this on one of our sites. We have a bit more complex setup for the usergroups and can not get this done right when we have to globally allow groups to edit or create articles.

So I hope you can figure out a way to let us give right to an econa field without needing to have global right on articles.

Maybe not checking these article permissions at all would fix this so we only need to set access for the custom field.

Or alternatively a check on the article category would also help us out, in stead of using the global article settings. In the custom filed we can assign the custom field to a specific category so this won't show up on articles you don't want / need the custom field. So this is already a rights choice of sorts. So checking the global edit right is not needed?

Or alternatively a check on only the specific article category in stead of the global right would help. this way we don't have to globally allow edit / create and the disallow most subcategories individually. because this causes issues when you have a user n multiple groups.

Kind regards,
Jip


Lefteris Kavadas
Hi Jip,

I thought the issue was just with custom field and I have already modified the plugin to just check the edit field value permission.
I will send you an email with the development version. Please let me know if that solves the issue.

Regards

Jip JJ Jonker
Hi!
Sorry for my late response. It has been busy. I did have the chance to test this dev version and I believe this worded OK. But I do have to see the rights on the website I tested it one were a bit complex (multiple groups, different permissions on articles). But I did manage to get it working the way I needed and I think this is also due to the changes you made.
So thanks!

Kind regards,
Jip

Lefteris Kavadas
You are welcome. Let me know if you notice anything weird.

Regards

Note: An active subscription is required in order to get support for our paid extensions. For our free extensions, if you don't have an account, register and then submit your support request.  In case you just want to ask a question, you can also use the contact form .

Firecoders
Are you using our extensions? Please post a review at the Joomla extensions directory!
Post a review