[5.3] Control access to component preferences individually

administrator/components/com_config/src/Model/ComponentModel.php

@@ -160,11 +160,12 @@ public function save($data)
         $context    = $this->option . '.' . $this->name;
         PluginHelper::importPlugin('extension');
 
-        // Check super user group.
+        // Check super user group and individual preference tab access
         if (isset($data['params']) && !$this->getCurrentUser()->authorise('core.admin')) {
             $form = $this->getForm([], false);
 
             foreach ($form->getFieldsets() as $fieldset) {
+                $hasAccess = $this->getCurrentUser()->authorise("core.options.$fieldset");
                 foreach ($form->getFieldset($fieldset->name) as $field) {
                     if (
                         $field->type === 'UserGroupList' && isset($data['params'][$field->fieldname])
@@ -173,6 +174,9 @@ public function save($data)
                     ) {
                         throw new \RuntimeException(Text::_('JLIB_APPLICATION_ERROR_SAVE_NOT_PERMITTED'));
                     }
+                    if (!$hasAccess && isset($data['params'][$field->fieldname])) {
+                        unset($data['params'][$field->fieldname]);
+                    }
                 }
             }
         }
@@ -212,6 +216,13 @@ public function save($data)
 
         unset($data['id']);
 
+        // If the user only has access to a subset of preferences,
+        // merge these with the full preference set
+        $previous = (array)\json_decode($table->params);
+        if (\count($data['params'], COUNT_RECURSIVE) != \count($previous, COUNT_RECURSIVE)) {
+            $data['params'] = \array_merge($previous, $data['params']);
+        }
+
         // Bind the data.
         if (!$table->bind($data)) {
             throw new \RuntimeException($table->getError());

administrator/components/com_config/src/View/Component/HtmlView.php

@@ -82,9 +82,20 @@ public function display($tpl = null)
         $this->fieldsets   = $form ? $form->getFieldsets() : null;
         $this->formControl = $form ? $form->getFormControl() : null;
 
-        // Don't show permissions fieldset if not authorised.
-        if (!$user->authorise('core.admin', $component->option) && isset($this->fieldsets['permissions'])) {
-            unset($this->fieldsets['permissions']);
+        // Remove unauthorised preference tabs.
+        foreach ($this->fieldsets as $key => $value) {
+            if ($key == 'permissions') {
+                if (
+                    (!$user->authorise('core.admin', $component->option) || !$user->authorise('core.options.permission', $component->option))
+                    && isset($this->fieldsets['permissions'])
+                ) {
+                    unset($this->fieldsets['permissions']);
+                }
+            } else {
+                if (!$user->authorise("core.options.$key", $component->option) && isset($this->fieldsets[$key])) {
+                    unset($this->fieldsets[$key]);
+                }
+            }
         }
 
         $this->form      = &$form;

build/media_source/system/js/fields/calendar.es5.js

@@ -296,7 +296,9 @@
 
 		if (window.innerHeight < containerTmp.getBoundingClientRect().bottom + 20) {
 			containerTmp.style.marginTop = - (containerTmp.getBoundingClientRect().height + this.inputField.getBoundingClientRect().height) + "px";
-		}
+		} else {
+      containerTmp.style.marginTop = 'initial';
+    }
 
 		this.processCalendar();
 	};

build/media_source/system/js/fields/joomla-field-media.w-c.es6.js

@@ -302,7 +302,7 @@ class JoomlaFieldMedia extends HTMLElement {
         let type;
         this.buttonClearEl.style.display = '';
         this.previewElement.innerHTML = '';
-        const ext = getExtension(value);
+        const ext = getExtension(value).toLowerCase();
 
         if (supportedExtensions.images.includes(ext)) type = 'images';
         if (supportedExtensions.audios.includes(ext)) type = 'audios';

build/media_source/system/js/fields/modal-fields.es5.js

@@ -143,8 +143,11 @@
 				iframeDocument = this.contentDocument;
 
 				// Validate the child form and update parent form.
-				if (iframeDocument.getElementById(idFieldId) && iframeDocument.getElementById(idFieldId).value != '0')
-				{
+				if (
+					iframeDocument.getElementById(idFieldId)
+					&& iframeDocument.getElementById(idFieldId).value != '0'
+					&& [].slice.call(iframeDocument.querySelectorAll('joomla-alert[type="danger"]')).length == 0
+				) {
 					window.processModalParent(fieldPrefix, iframeDocument.getElementById(idFieldId).value, iframeDocument.getElementById(titleFieldId).value);
 
 					// If Save & Close (save task), submit the edit close action (so we don't have checked out items).

build/media_source/templates/administrator/atum/scss/vendor/joomla-custom-elements/joomla-alert.scss

@@ -21,6 +21,7 @@
     flex-direction: column;
     justify-content: center;
     padding: .8rem;
+    line-height: normal;
     color: var(--white);
     background: var(--alert-accent-color, var(--template-bg-dark));
     align-content: center;

installation/sql/mysql/base.sql

@@ -404,7 +404,7 @@ INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`,
 -- Templates
 INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `locked`, `manifest_cache`, `params`, `custom_data`, `ordering`, `state`) VALUES
 (0, 'atum', 'template', 'atum', '', 1, 1, 1, 0, 1, '', '', '', 0, 0),
-(0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, 1, '', '{"logoFile":"","fluidContainer":"0","sidebarLeftWidth":"3","sidebarRightWidth":"3"}', '', 0, 0);
+(0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, 1, '', '{"brand":"1","logoFile":"","siteTitle":"","siteDescription":"","useFontScheme":"0","colorName":"colors_standard","fluidContainer":"0","stickyHeader":0,"backTop":0}', '', 0, 0);
 
 -- Files Extensions
 INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `locked`, `manifest_cache`, `params`, `custom_data`, `ordering`, `state`) VALUES

installation/sql/postgresql/base.sql

@@ -410,7 +410,7 @@ INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder",
 -- Templates
 INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "locked", "manifest_cache", "params", "custom_data", "ordering", "state") VALUES
 (0, 'atum', 'template', 'atum', '', 1, 1, 1, 0, 1, '', '', '', 0, 0),
-(0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, 1, '', '{"logoFile":"","fluidContainer":"0","sidebarLeftWidth":"3","sidebarRightWidth":"3"}', '', 0, 0);
+(0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, 1, '', '{"brand":"1","logoFile":"","siteTitle":"","siteDescription":"","useFontScheme":"0","colorName":"colors_standard","fluidContainer":"0","stickyHeader":0,"backTop":0}', '', 0, 0);
 
 -- Files Extensions
 INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "locked", "manifest_cache", "params", "custom_data", "ordering", "state") VALUES

libraries/src/Document/Document.php

@@ -640,6 +640,10 @@ public function addStyleSheet($url, $options = [], $attribs = [])
      */
     public function addStyleDeclaration($content, $type = 'text/css')
     {
+        if ($content === null) {
+            return $this;
+        }
+
         $type = strtolower($type);
 
         if (empty($this->_style[$type])) {

libraries/src/Form/FormField.php

@@ -1022,7 +1022,20 @@ public function renderField($options = [])
             ? ((string) $this->form->getXml()->config->inlinehelp['button'] == 'show' ?: false)
             : false;
 
-        if ($this->showon) {
+        // Check if the field has showon in nested option
+        $hasOptionShowOn = false;
+
+        if (!empty((array) $this->element->xpath('option'))) {
+            foreach ($this->element->xpath('option') as $option) {
+                if ((string) $option['showon']) {
+                    $hasOptionShowOn = true;
+
+                    break;
+                }
+            }
+        }
+
+        if ($this->showon || $hasOptionShowOn) {
             $options['rel']           = ' data-showon=\'' .
                 json_encode(FormHelper::parseShowOnConditions($this->showon, $this->formControl, $this->group)) . '\'';
             $options['showonEnabled'] = true;
@@ -1279,17 +1292,12 @@ public function postProcess($value, $group = null, Registry $input = null)
      */
     protected function getLayoutData()
     {
-        // Label preprocess
-        $label = !empty($this->element['label']) ? (string) $this->element['label'] : null;
-        $label = $label && $this->translateLabel ? Text::_($label) : $label;
-
-        // Description preprocess
+        $label       = !empty($this->element['label']) ? (string) $this->element['label'] : null;
+        $label       = $label && $this->translateLabel ? Text::_($label) : $label;
         $description = !empty($this->description) ? $this->description : null;
         $description = !empty($description) && $this->translateDescription ? Text::_($description) : $description;
-
-        $alt = preg_replace('/[^a-zA-Z0-9_\-]/', '_', $this->fieldname);
-
-        return [
+        $alt         = preg_replace('/[^a-zA-Z0-9_\-]/', '_', $this->fieldname);
+        $options     = [
             'autocomplete'   => $this->autocomplete,
             'autofocus'      => $this->autofocus,
             'class'          => $this->class,
@@ -1319,6 +1327,8 @@ protected function getLayoutData()
             'dataAttributes' => $this->dataAttributes,
             'parentclass'    => $this->parentclass,
         ];
+
+        return $options;
     }
 
     /**

libraries/src/Mail/Mail.php

@@ -232,7 +232,7 @@ public function setSender($from, $name = '')
      */
     public function setSubject($subject)
     {
-        $this->Subject = MailHelper::cleanLine($subject);
+        $this->Subject = MailHelper::cleanSubject($subject);
 
         return $this;
     }

plugins/content/loadmodule/src/Extension/LoadModule.php

@@ -43,11 +43,6 @@ final class LoadModule extends CMSPlugin
      */
     public function onContentPrepare($context, &$article, &$params, $page = 0)
     {
-        // Don't run this plugin when the content is being indexed
-        if ($context === 'com_finder.indexer') {
-            return;
-        }
-
         // Only execute if $article is an object and has a text property
         if (!is_object($article) || !property_exists($article, 'text') || is_null($article->text)) {
             return;
@@ -69,6 +64,23 @@ public function onContentPrepare($context, &$article, &$params, $page = 0)
         // Expression to search for(id)
         $regexmodid = '/{loadmoduleid\s([1-9][0-9]*)}/i';
 
+        // Remove macros and don't run this plugin when the content is being indexed
+        if ($context === 'com_finder.indexer') {
+            if (str_contains($article->text, 'loadposition')) {
+                $article->text = preg_replace($regex, '', $article->text);
+            }
+
+            if (str_contains($article->text, 'loadmoduleid')) {
+                $article->text = preg_replace($regexmodid, '', $article->text);
+            }
+
+            if (str_contains($article->text, 'loadmodule')) {
+                $article->text = preg_replace($regexmod, '', $article->text);
+            }
+
+            return;
+        }
+
         if (str_contains($article->text, '{loadposition ')) {
             // Find all instances of plugin and put in $matches for loadposition
             // $matches[0] is full pattern match, $matches[1] is the position