On saving products VM strips HTML tags for non VM admins.

Started by Gruz, February 22, 2012, 06:18:43 AM


Gruz

J.2.5.1
VM 2.0.1.N+ (dev file _VirtueMart2.zip)

I examined the code and found the reason:

administrator/components/com_virtuemart/controllers/product.php

    function save() {
        // All POST data; by default JRequest::get() runs the input filter, which strips HTML tags from string values
        $data = JRequest::get('post');

        if (!class_exists('Permissions')) require(JPATH_VM_ADMINISTRATOR.DS.'helpers'.DS.'permissions.php');
        // Only VM admins get the two description fields re-read with the HTML preserved (mask 2)
        if (Permissions::getInstance()->check('admin')) {
            $data['product_desc']   = JRequest::getVar('product_desc', '', 'post', 'STRING', 2);
            $data['product_s_desc'] = JRequest::getVar('product_s_desc', '', 'post', 'STRING', 2);
        }

        parent::save($data);
    }


This means that the user has to be VM admin to save HTML tags. I don't think it's obvious.

So I have several notes:

  • I believe that at least storeadmins should also have permission to save non-stripped HTML, so this line
    if(Permissions::getInstance()->check('admin')){
    should be replaced with
    if(Permissions::getInstance()->check('admin') || Permissions::getInstance()->check('storeadmin')){

  • VM saves disregarding the Joomla text filter settings. At least my tests show it. I don't know if it's the expected behaviour, a bug, or a "no care" issue.

  • If a user is allowed to edit a product, and VM ignores the Joomla text filter settings, why strip HTML at all? A user who can edit products is a trusted user. And if we speak of security, which a trusted user can break by mistakenly pasting some HTML with JS, iframes and so on, then we have to use those Joomla text filters, whose purpose is to make HTML safe.

So my suggestion is either at least to allow storeadmins to save HTML, or (better) to remove this check altogether (only trusted users can edit products anyway). Or, if you have the opportunity, explain to me why the check must be there.

Thanks.


Your installable language for VM2: http://gruz.org.ua/virtuemart-language-files.html
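As an added example, not VirtueMart's shipped code and not part of Gruz's post, here is how the save() method quoted above could look if it followed the suggestions in the post: let both VM admins and storeadmins keep HTML in the description fields, and pass that HTML through the site's configured Joomla Text Filters (JComponentHelper::filterText(), part of Joomla 1.6+/2.5) rather than accepting it unfiltered. Note that the mask value 2 in the original getVar() calls is JREQUEST_ALLOWRAW in Joomla 2.5, meaning no input filtering at all for that branch, which is consistent with the observation that VM ignores the Joomla text filter settings. The Permissions helper, its 'admin' and 'storeadmin' group names and the JPATH_VM_ADMINISTRATOR constant are taken from the post; the method is shown as it would sit inside the product controller class.

```php
// Hypothetical rewrite of save() in
// administrator/components/com_virtuemart/controllers/product.php
// (illustration only; method body belongs inside the product controller class).
function save()
{
    // Default behaviour: JRequest::get('post') strips HTML tags from string values.
    $data = JRequest::get('post');

    if (!class_exists('Permissions')) {
        require(JPATH_VM_ADMINISTRATOR . DS . 'helpers' . DS . 'permissions.php');
    }
    $perms = Permissions::getInstance();

    // Per the post: VM admins AND storeadmins may keep HTML in the description fields.
    if ($perms->check('admin') || $perms->check('storeadmin')) {
        // JREQUEST_ALLOWRAW is the constant behind the original mask value 2: the field
        // is read back exactly as submitted, with no input filtering ...
        $desc  = JRequest::getVar('product_desc',   '', 'post', 'STRING', JREQUEST_ALLOWRAW);
        $sdesc = JRequest::getVar('product_s_desc', '', 'post', 'STRING', JREQUEST_ALLOWRAW);

        // ... so apply the site's Global Configuration > Text Filters for the current
        // user's groups, the same way the core article editor does. Unsafe markup such as
        // <script> or <iframe> is removed or kept according to that configuration.
        $data['product_desc']   = JComponentHelper::filterText($desc);
        $data['product_s_desc'] = JComponentHelper::filterText($sdesc);
    }
    // Every other user keeps the tag-stripped values from JRequest::get('post').

    parent::save($data);
}
```

Caveat for site owners: filterText() returns the text unchanged when the Text Filter configured for the user's group is "No Filtering", so with this change the Joomla Text Filters page becomes the actual control over what HTML a product editor can store; check that setting for the groups that hold the admin and storeadmin VM permissions.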