Article delete fails silently if user lacks privileges

gomedia · 2021-07-29 22:48:07

Copy Editors, by default, have the ability to delete their own articles but not those belong to other users.

If a Copy Editor user attempts to delete someone else’s article, no message (warning or otherwise) is generated.

If a Copy Editor user attempts to delete several articles, some of which are not their own, a success message is displayed, but again no indication that a dodgy operation has been attempted.

It’d be nice if TXP could be a bit more informative and generate a warning in situations where a user has tried to delete articles to which they have no right.

The above scenario seems to apply to other users lower down in the pecking order, and also with images & files.

Not sure if it’d be fair to say this is a bug but it’s certainly a quirk. The fix might involve quite a bit of work. I’m happy to leave the cost-benefit analysis to the experts.

Last edited by gomedia (2021-07-29 22:57:16)

Bloke · 2021-07-30 08:27:05

If Copy Editors can’t delete other content, they shouldn’t even have the ability to select such articles, so if the checkboxes for other articles are available then it’s a rendering bug and we’ll need to fix it. Thanks for the report.

If they can select them, that would certainly support the reason why there’s no warning thrown. The function that does the deletion double checks if the operation is permissible and silently skips any that are out of bounds, presuming that it hasn’t been fed forbidden IDs in the first place. The only time it should be given such ID values is if the POST payload is hacked, in which case the lack of warning is not really needed anyway.

Textpattern CMS

Textpattern CMS support forum

#1 2021-07-29 22:48:07

Article delete fails silently if user lacks privileges

#2 2021-07-30 08:27:05

Re: Article delete fails silently if user lacks privileges

Board footer