Textpattern CMS support forum

#1 2021-07-29 22:48:07

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,357

Article delete fails silently if user lacks privileges

Copy Editors, by default, have the ability to delete their own articles but not those belonging to other users.

If a Copy Editor user attempts to delete someone else’s article, no message (warning or otherwise) is generated.

If a Copy Editor user attempts to delete several articles, some of which are not their own, a success message is displayed, but again no indication that a dodgy operation has been attempted.

It’d be nice if TXP could be a bit more informative and generate a warning in situations where a user has tried to delete articles to which they have no right.

The above scenario seems to apply to other users lower down in the pecking order, and also with images & files.

Not sure if it’d be fair to say this is a bug but it’s certainly a quirk. The fix might involve quite a bit of work. I’m happy to leave the cost-benefit analysis to the experts.

Last edited by gomedia (2021-07-29 22:57:16)

#2 2021-07-30 08:27:05

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,520

Re: Article delete fails silently if user lacks privileges

If Copy Editors can’t delete other content, they shouldn’t even have the ability to select such articles, so if the checkboxes for other articles are available then it’s a rendering bug and we’ll need to fix it. Thanks for the report.

If they can select them, that would certainly support the reason why there’s no warning thrown. The function that does the deletion double checks if the operation is permissible and silently skips any that are out of bounds, presuming that it hasn’t been fed forbidden IDs in the first place. The only time it should be given such ID values is if the POST payload is hacked, in which case the lack of warning is not really needed anyway.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp
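
Added example, not part of the thread and not Textpattern's own code: one way a multi-delete handler can keep the server-side permission re-check described in #2 while also producing the warning requested in #1 and a log entry for refused IDs. Every function name, the `$authors` map (a stand-in for a database lookup) and the sample POST values are hypothetical and constructed for illustration.

```php
<?php
/**
 * Split requested article IDs into deletable, refused and non-existent.
 *
 * @param array  $requestedIds untrusted IDs taken from the POST payload
 * @param array  $authorsById  article ID => author login (hypothetical lookup)
 * @param string $user         login of the requesting user
 * @param bool   $canDeleteAny true for roles allowed to delete others' articles
 */
function partition_delete_request(array $requestedIds, array $authorsById, string $user, bool $canDeleteAny): array
{
    $result = ['allowed' => [], 'denied' => [], 'unknown' => []];

    // Normalise to integers and drop duplicates before any check.
    foreach (array_unique(array_map('intval', $requestedIds)) as $id) {
        if (!isset($authorsById[$id])) {
            $result['unknown'][] = $id;   // no such article
        } elseif ($canDeleteAny || $authorsById[$id] === $user) {
            $result['allowed'][] = $id;   // own article, or privileged role
        } else {
            $result['denied'][] = $id;    // exists, but owned by someone else
        }
    }
    return $result;
}

/** Build the status line: refused IDs are counted instead of silently dropped. */
function delete_result_message(array $r): string
{
    $msg = count($r['allowed']) . ' article(s) deleted';
    if (count($r['denied']) > 0) {
        $msg .= '; ' . count($r['denied']) . ' skipped (insufficient privileges)';
    }
    return $msg;
}

// Constructed sample data: article 2 belongs to another user, 99 does not exist.
$authors = [1 => 'copyeditor', 2 => 'publisher', 3 => 'copyeditor'];
$post    = ['1', '2', '3', '99'];
$user    = 'copyeditor';

$r = partition_delete_request($post, $authors, $user, false);
if ($r['denied']) {
    // A refused ID means either a rendering bug or an edited POST payload; record it.
    error_log(sprintf('delete refused: user=%s ids=%s', $user, implode(',', $r['denied'])));
}
echo delete_result_message($r), PHP_EOL;
```

Only the IDs in `allowed` would be passed on to the actual delete query; the `denied` list drives both the user-facing warning and the audit log line.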
