Fixed 500 error in admin when logged in and calling JSON view#10888
Merged
roland-d merged 1 commit intojoomla:stagingfrom Jun 25, 2016
Merged
Fixed 500 error in admin when logged in and calling JSON view#10888roland-d merged 1 commit intojoomla:stagingfrom
roland-d merged 1 commit intojoomla:stagingfrom
Conversation
|
I have tested this item ✅ successfully on f2ebd73 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10888. |
Contributor
|
I have tested this item ✅ successfully on f2ebd73 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10888. |
Contributor
|
RTC This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/10888. |
Contributor
|
Thanks everybody |
Author
|
Thanks! Motivates me to look into contributing other fixes as well. :) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request for Issue #10212.
Summary of Changes
By default if user hasn't logged in or the session has timed out, Joomla Administrator attempts to call login view.
Because of the login view only exists for HTML, JSON calls fail with
500 View not found [name, type, prefix]: login, json, loginViewerror. This is bad as it prevents JavaScript from detecting the missing permissions and reacting properly to the AJAX response.The best solution in ideal world would be not to call
com_loginand let the component to handle the error by itself, but because of the changed behaviour would likely cause a huge amount of vulnerabilities in 3rd party components, the second best solution is to emulate components default behaviour when user has no access to it.My proposal is to throw
403 You are not authorised to view this resource.error instead of500. This is the default error message when you are logged in but your user doesn't have the proper admin permissions for the given component. This error message is shown in admin regardless of if the view/task exists or not.In addition to JSON, this change changes behaviour from all non-HTML responses.
More discussion about this issue can be found from Issue #10212.
Testing Instructions
Log out and enter to
administrator/index.php?option=com_xxx&format=json(GET or POST). Note that the contents of the URL doesn't matter ascom_loginintercepts the call.In unpatched version you will get this error:
In patched version the error changes into:
Both errors are handled by default error page and they are in HTML.
Note: Component and view doesn't need to exist as the request gets intercepted by Joomla.