From 369485f9a8d262f394f895c27b1f160b0a51a4c9 Mon Sep 17 00:00:00 2001
From: Georgios Papadakis
Date: Wed, 10 Aug 2016 18:59:49 +0300
Subject: [PATCH 1/2] Refactor category controller

---
 .../com_categories/controllers/category.php | 27 +++++--------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/administrator/components/com_categories/controllers/category.php b/administrator/components/com_categories/controllers/category.php
index c8d6c0d21a273..cbb61e2d982de 100644
--- a/administrator/components/com_categories/controllers/category.php
+++ b/administrator/components/com_categories/controllers/category.php
@@ -76,38 +76,25 @@ protected function allowEdit($data = array(), $key = 'parent_id')
 $recordId = (int) isset($data[$key]) ? $data[$key] : 0;
 $user = JFactory::getUser();
- // Check general edit permission first.
- if ($user->authorise('core.edit', $this->extension))
- {
- return true;
- }
-
 // Check specific edit permission.
 if ($user->authorise('core.edit', $this->extension . '.category.' . $recordId))
 {
 return true;
 }
- // Fallback on edit.own.
- // First test if the permission is available.
+ // Check specific edit.own permission.
 if ($user->authorise('core.edit.own', $this->extension . '.category.' . $recordId) || $user->authorise('core.edit.own', $this->extension))
 {
- // Now test the owner is the user.
- $ownerId = (int) isset($data['created_user_id']) ? $data['created_user_id'] : 0;
+ // Need to do a lookup from the model to get the owner
+ $record = $this->getModel()->getItem($recordId);
- if (empty($ownerId) && $recordId)
+ if (empty($record))
 {
- // Need to do a lookup from the model.
- $record = $this->getModel()->getItem($recordId);
- if (empty($record))
- {
- return false;
- }
- $ownerId = $record->created_user_id;
+ return false;
 }
+ $ownerId = $record->created_user_id;
+
 // If the owner matches 'me' then do the test.
 if ($ownerId == $user->id)
 {

From 076786142a504972687560def47dfc6ec1a32274 Mon Sep 17 00:00:00 2001
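Review bot: The new lookup `$record = $this->getModel()->getItem($recordId);` now runs even when `$recordId` is 0, which the removed `if (empty($ownerId) && $recordId)` guard used to prevent; because `empty($record)` only rejects a falsy return, a record object loaded for id 0 whose `created_user_id` is unset would reach the loose `$ownerId == $user->id` comparison further down. Consider short-circuiting with `if (!$recordId) { return false; }` before the lookup (if a zero id is never a valid edit target here — confirm against the callers) and tightening the owner test to `if ((int) $ownerId === (int) $user->id)`. Note also the context line `$recordId = (int) isset($data[$key]) ? $data[$key] : 0;`: the cast binds to `isset()`, not to the value, so `$data[$key]` is passed on uncast into both the asset name and `getItem()`; `isset($data[$key]) ? (int) $data[$key] : 0` is what was intended. Replacing the form-supplied `$data['created_user_id']` with the model lookup is the right call, since the submitted owner id could otherwise be chosen by the requester. allowEdit's body continues outside the hunk.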
From: Georgios Papadakis
Date: Fri, 19 Aug 2016 20:35:25 +0300
Subject: [PATCH 2/2] Remove errorneous check on component asset

---
 .../components/com_categories/controllers/category.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/administrator/components/com_categories/controllers/category.php b/administrator/components/com_categories/controllers/category.php
index cbb61e2d982de..7b3fc31ebbc8b 100644
--- a/administrator/components/com_categories/controllers/category.php
+++ b/administrator/components/com_categories/controllers/category.php
@@ -76,14 +76,14 @@ protected function allowEdit($data = array(), $key = 'parent_id')
 $recordId = (int) isset($data[$key]) ? $data[$key] : 0;
 $user = JFactory::getUser();
- // Check specific edit permission.
+ // Check "edit" permission on record asset (explicit or inherited)
 if ($user->authorise('core.edit', $this->extension . '.category.' . $recordId))
 {
 return true;
 }
- // Check specific edit.own permission.
- if ($user->authorise('core.edit.own', $this->extension . '.category.' . $recordId) || $user->authorise('core.edit.own', $this->extension))
+ // Check "edit own" permission on record asset (explicit or inherited)
+ if ($user->authorise('core.edit.own', $this->extension . '.category.' . $recordId))
 {
 // Need to do a lookup from the model to get the owner
 $record = $this->getModel()->getItem($recordId);
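Review bot: With the component-level fallback dropped from the new `if ($user->authorise('core.edit.own', $this->extension . '.category.' . $recordId))`, both authorisation checks in this hunk are made solely against the per-record asset, so when `$recordId` is 0 the name queried is `<extension>.category.0`, an asset that presumably does not exist; whether that denies or silently inherits from an ancestor asset depends on how `authorise()` resolves an unknown name, and the new comment "(explicit or inherited)" does not cover that case. Either guard the zero id before these checks or document the reliance, e.g. `// A zero $recordId yields the non-existent asset '<ext>.category.0' — relies on authorise() resolving unknown assets by inheritance; confirm`. allowEdit's body continues outside the hunk.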