CBSubs ACL

6 days 10 minutes ago #318666 by activha
Hello

We had some difficulties using PWT ACL with CB and CBSubs and analyzed CBsubs implementation of ACL.
Each time that we run PWT ACL, CBSubs erases all permissions and the dev found this :

Hi Jean,
Thanks. I have had a look at the issue. It seems that CBSubs is storing their permissions in the assets table under the name "com_cbsubs". Technically this is not correct, as the component is "com_comprofiler" (see the backend url /index.php?option=com_comprofiler). Also in the #__extensions table of your database, no component under the element "com_cbsubs" can be found.
So while it is nice that CBSubs is using the Joomla ACL, they implemented it incorrectly. As it is part of community builder a more proper name would have been "com_comprofiler.cbsubs" as asset name. As that refers to a "sub" item of com_comprofiler.
PWT ACL checks of asset entries are left in the database after removing extensions. Because com_cbsubs is missing form the extensions table PWT ACL thinks the extension is no longer there and removes the entry. This is why permissions are removed after running the diagnostics.
As mentioned before I am not really eager to add specific 3rd party code to fix incorrect ACL implementations of extensions. Maybe you can provide this feedback to CBSubs so they can fix their Joomla ACL implementation?
Sander


Can you comment on this ? and is it possible for you to change so that running the ACL check would not erase CBsubs permissions each time ?

Regards
Jean
5 days 22 hours ago #318670 by krileon
They're technically correct. There isn't a limitation on what you can supply to name (e.g. it doesn't HAVE to be a extension). We've been aware of this issue, but hesitate to fix it as it runs the risk of breaking sites existing permissions.

forge.joomlapolis.com/issues/4129

Easiest approach is for us to fix it in our API then migrate the name during install, but if the migration fails for whatever reason and that query doesn't execute their permissions would stop working.

3rd party ACL Managers don't need to implement special code for these exceptions. They just need to implement a parameter that lets you supply a list of names to ignore. We are not the only extension using custom assets so that could be a good feature.

I've updated the ticket with this topic, assigned it, and adjusted it for awaiting feedback to see where we should go from here.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Templates - CBSubs - Hosting - Forge - Incubator - GroupJive
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM EST to 4:00 PM EST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
5 days 7 hours ago - 5 days 7 hours ago #318675 by activha
Thanks for your feedback
I have let them know about your suggestion of the parameter feature and here is Sander's answer :

Hi Jean,
Thanks for getting back to me. I am very hesitate to built in features (also settings) to fix others mistakes in implementing the Joomla ACL system.
I disagree it is a good feature to add as Kyle mentioned. It is allowed to use custom assets and names, and indeed others are doing that, but within their own "namespace". So they don't add custom assets name with a different component name that simply not exists.
I haven't received any similar reports over the past years in which this setting would be useful. So if I add this setting it is for this specific case only and I have to spend even more time to fix CBSubs mistakes.
I will think of adding the option, but from my point of view the ones that needs to fix this are CBSubs, not us. They should think of a proper migration and fallback for this permission. Renaming the asset is an easy migration, and with their installation/update process this is not an issue at at. A simple check on loading CBSubs in the backend could be added as well that updates the asset if not already done.
Sander

5 days 2 hours ago #318678 by krileon
We are absolutely going to be changing this in CBSubs itself as yes it is using an inappropriate name for the asset. My feature suggestion was for them to be able to cover custom assets without having to implement support for those assets specifically, which would be in addition to us fixing our side of things in a future release. I guess for now don't let ACL Manager delete orphaned assets to prevent losing custom CBSubs permissions.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Templates - CBSubs - Hosting - Forge - Incubator - GroupJive
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM EST to 4:00 PM EST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
5 days 2 hours ago #318679 by activha
OK will do, thanks
5 days 52 minutes ago #318684 by krileon
I've now fixed this within CBSubs with a pending MR for review and merge. There's also a minor fix in core CB for the backend dropdown menu since we also check permissions there, but that's just for visibility of the menu items. Once reviewed and merged will make a new release with this fixed.

Migration is a part of the CBSubs installation script and is the first migration ran to avoid any potential migration failures that would be above it from impacting it. The migration will be checked on every install as well encase a reinstall to force the migration again is necessary.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Templates - CBSubs - Hosting - Forge - Incubator - GroupJive
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM EST to 4:00 PM EST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
Moderators: beatnantkrileon
Time to create page: 0.424 seconds