TOPIC: Probably bug with Permissions

Hello Daniel,

it's me again lolz - I think that I just found a bug.

Recreating the bug enviroment.
1. Create group with permissions (global configuration) from screen1
2. Create category with permissions (from screen2) for the same group
3. Create a menu button Hotspot Submission Layout
4. Try to add a new hotspot > 403...
BUG: You get 403 can't access webpage. To fix it I had to allowe Create permission for my group (global configuration), but shouldn't the category permissions override the global permissions?
If not, than sorry for bothering You. Similar bug is in Joomla articles with Edit state, but that's diffrent story...

I'm not sure that I follow. What global permissions are you referring to?

You need to set create permissions in the category - otherwise nobody can create anything in this category.

With try to add a new hotspot -> are you hitting the submit button, or are you trying to access the page where to add the hotspot?

If it is the second, it means that the view permission for the menu doesn't match the current user. For example only registered users are able to create hotspots, but the menu is visible to guest users.

Regards,
Daniel

Hello Daniel,

First question: Global permissions for Hotspot (added better screenshot1). The Category Create permission is on(screenshot2).
Second question: I am trying to access the page where to add the hotspot. Now if Create is on in global configuration - user can access the page. If it is off then user can't.
The bug: Category permissions for the group the user is in, isn't enough to allow him acccess the "add the hotspot" page. From what You wrote it seems that this is the view permission problem, but it's not because simple change of Create permission (in hotspot configuration) decides if user can or can't access the page.

I hope I cleared what's this is all about.

Is this helping?
compojoom.com/support/documentation/hotspots/ch06#id360940

Yes, this helps - it's exactly what i had to do to fix it. But this doesn't change that permissions in Hotspots work differently than permissions in Articles. Oh and today I just discovered problem with edit. First of all: edit button - to appear for user - also needs Global "edit own" option on. Now the second thing is, that for example I want a user that can edit two out of three categories. Now if I give him "Edit" in global hotspots configuration then he can Edit all markers. No matter if I set in that third category Edit: Denied. And again if I don't give him global edit but I give edit: allowed in those two categories he can't edit any markers from those categories. This is wrong - needs fixing. If I am not clear enough or You need better description of the bug, let me know.

Sincerely,
Thomas

Hey Thomasz,
I just pushed a new dev. release. Would you please test it. Now when you access the item you should see the edit button (if you have granted the edit permissions in the category.
One issue now is that since we offer this - the userhotspots no longer shows the correct hotspots. With the old design if you had the core.edit permission you would see all hotspots in the list and you could edit them from there. Now you still see only yours since you don't have the core.edit permission.

I guess that what I could do here is - grab all categories, then go through each one and check if you have edit permissions for it. If you do, then I need to modify the query to show the hotspots in those categories and not only the ones submitted by the user.

Regards,
Daniel

Hello Daniel,
right now I am in middle of something, after I finish I'll start testing. Give me few hours.
About userhotspots - now they will work according to the name User hotspots - List of hotspots created by currently logged user I think You should leave that item as it is and create second menu item like "Moderate hotspots" (or something like that) and there implement the mechanics that You described. Now with that two items added, there will be a front-end easy and accessible way to manage Hotspots.

Sincerely and I'll be back,
Thomas

So I checked it out. And the bug still exists. I can't edit point if my user doesn't have GLOBAL right to edit and I also can't create new points if I don't have in GLOBAL Create. But I can delete points just based on CATEGORY rules. If You need better explanation Daniel - let me know. This should work similar to Articles rights then everything will be good.

Have a nice evening,
Thomas

I did just more testing today and when I want to submit new point in front-end I get "0 - Missing field in database: TableMarker   alias." Could You advise?

Go to the dashboard and the field should be added if it is missing from the table.

Can you do it the other way around? Global edit = denied.
Category edit = allowed.

This works for me.

The other way around doesn't because I first check the global permission and if it is allowed I return from the function.

Going to dashboard didn't help. I'll do more test of permissions, but first I must fix that table.

hä? That should really fix it. Which version did you upgrade from?

When my user has CATEGORY Edit Own permission allowed then I can see the edit button but after clickin it, it throws an error 403 lack of access permission. Yet after adding GLOBAL Edit Own in group then user can start editing (thats intended behavior by You, right?), but when in edit mode seems that hotspot drops connection with category and I can't select any category and because of that I can't save. Then after adding GLOBAL Create Allowed it seems that chosen category is ok. Whoa, I'm wasted and confused. Just putted a xampp local server to test all of this, but it needs fundamental permission testing. Maybe You have some online server with Joomla and Hotspots where we can test and mess with it? I'll ask my host admin for testing server but I don't know if he will set me one...
Now I also wonder, how can I make a user (in some group) to let him create hotspot but after submiting it shouldn't be automticaly published (should wait for moderation) - in other words create unpublished hotspots. Is such an option currently available?

About table: seems that the upgrade from 5.2.1 to developer on my production server didn't work like intented cause I didn't get that error "0 - Missing field in database: TableMarker alias." on my localhost. Can I fix it manually by editing table in phpmyadmin? Or maybe reversing and updating second time should help?

We have a global option that would let users submit hotspots from the frontend, but they won't be automatically approved. If you enable the hotspots -email plugin you will get an email on each new submission. Then you have to login into your joomla backend and approve that hotspot.

About the alias. The dev. version that you have has an error in the update script. I just pushed a new release that will properly create the field during installation or when you visit the dashboard.

About the permissions - give me some time to test how com_content works. Hotspots only actually had global permissions. You are the only one who has decided to use the category permissions for something - the category permissions come from com_category and I never implemented support for them.

Edit own permission should only give you the right to edit your own hotspot. If the user has edit own permissions we then check the hotspots that is provided - if the created_by = the current user, then we allow it to be edited. The category select - well this is normal behavior I guess. The category list is created by a stanard joomla function. This joomla function only checks in which categories the user is able to create content. If he doesn't have "create permissions", then you won't see the category in the list, despite having the edit permission. You would need create + edit. But I doubt that this is a problem for a moderator?????

Regards,
Daniel

1. I saw that plugin, but didn't turned it on. If I turn it on then I'll have to approve all of the frontend added hotspots? Or just the hotspots of people who don't have right to set hotspot status?
2. I'll test the new dev version but probably earliest on monday. :/
3. Sure, take Your time - I just want to help You while analyzing the bug and possible fix.
4. This in theory sounds good, but in practice Joomla article permissions are checked diffrently. For example, I have articles which authors can edit but they don't have right to create new articles. That way they can have a own page (article) about their company, place, happening or something. They can update it and there's no risk about possible creating new unwanted stuff. In case of Hotspots for now I can give them right to edit own and create and then just hide the "Add new hotspot" link and also form in Viewing Access Level. This will work but You know - that won't match the real permissions. It's Your call how You want this to work.

Sincerely,
Thomas