Category ACL settings not being honored with direct link.

  • Posts: 2
  • Thank you received: 0
  • Hikashop Business
4 months 2 days ago #305921

I have found two verified bugs that are a problem with displaying categories and products.

Bug #1
We have many categories and subcategories that are set to only be available to specific ACL groups.
On the front end on the main pages the categories and products are hidden properly based on the login access.
However, if you have the direct URL to a category, you can view the category and products publicly. So the ACL is not working properly.

Bug #2
If you unpublish a category in the admin, and then visit the direct URL to that category in the front end (publicly - not logged in) you can still view everything.


  • Posts: 66586
  • Thank you received: 9792
  • MODERATOR
4 months 1 day ago #305928

Hi,

1. I'm not able to reproduce the problem. When I try this, I'm not able to see the listing of products of that category, instead, I get the categories/products from the main category of the shop. That's because when the category is loaded there is a check on the ACL and if it doesn't load the category in the database, it uses the main category instead of throwing an error.

2. Being able to display a list of products from different categories of your category tree with HikaShop is usually done by creating an unpublished category, assigning the products you want in that listing to that category (as a second category) and then creating a menu item listing with that category selected.
For example, if you want to have a list of "featured products".
So being able to visit an unpublished category page is something that is expected.

3. What we could improve though is to throw a 404 error on the access of the page if the category is not the one selected in the main category setting of the menu item if the category is unpublished or with ACLs not granted for the current user. I believe it would "fix the bug" for both points and I think it would be much cleaner.
I've added the patch for that on our end.
You can download the install package on our website and install it on yours and it should be like you want now.

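The rule proposed in point 3 of the reply above, modelled next to the fallback behaviour from point 1, as an added example (not HikaShop's code or its patch). The class, function and group names and the sample categories are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PUBLIC = "public"  # constructed group name for visitors who are not logged in

@dataclass(frozen=True)
class Category:
    id: int
    published: bool
    allowed_groups: FrozenSet[str]  # groups granted by the category's own ACL

def user_may_view(cat: Category, groups: FrozenSet[str]) -> bool:
    return bool(cat.allowed_groups & groups)

def resolve_fallback(req: Category, menu_cat: Category,
                     groups: FrozenSet[str]) -> Tuple[int, Optional[int]]:
    """Point 1: an ACL miss silently renders the menu item's main category.
    The published flag is not checked on direct access (point 2)."""
    if user_may_view(req, groups):
        return 200, req.id
    return 200, menu_cat.id

def resolve_strict(req: Category, menu_cat: Category,
                   groups: FrozenSet[str]) -> Tuple[int, Optional[int]]:
    """Point 3: 404 when the category is not the menu item's main category
    and it is unpublished or the ACL does not grant the current user."""
    if req.id == menu_cat.id:
        return 200, req.id  # e.g. an unpublished "featured products" listing
    if not req.published or not user_may_view(req, groups):
        return 404, None
    return 200, req.id

# Constructed sample data: one public root menu item, one group-restricted
# subcategory, one unpublished category.
ROOT = Category(1, True, frozenset({PUBLIC}))
WHOLESALE = Category(2, True, frozenset({"wholesale"}))
FEATURED = Category(3, False, frozenset({PUBLIC}))

def audit(groups: FrozenSet[str]):
    """Return (category id, fallback result, strict result) for direct URLs
    requested through the ROOT menu item."""
    return [(c.id, resolve_fallback(c, ROOT, groups), resolve_strict(c, ROOT, groups))
            for c in (ROOT, WHOLESALE, FEATURED)]

if __name__ == "__main__":
    for row in audit(frozenset({PUBLIC})):
        print(row)
```
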

  • Posts: 2
  • Thank you received: 0
  • Hikashop Business
4 months 1 day ago #305932

Nicolas,
Is there any way to privately provide you with login and FTP access so you can check this scenario on our website?
The site allowed many user groups to access only certain categories. The categories do get "hidden" but if you saved the direct URL path it still is publicly accessible.
We have a single menu item going to a ROOT category, and then we have subcategories for different user groups. There are not any other menu items to any other categories. Only the primary one that goes to the main root category. It appears that the access levels are inherited from that menu item, which is public, instead of using the ACL settings of the category itself.

Let me know a way to send login access privately and I can even create a short video so you can better understand the situation.

Thanks
Mike


  • Posts: 66586
  • Thank you received: 9792
  • MODERATOR
3 months 4 weeks ago #305950

Hi,

Maybe I wasn't clear in my previous message but I've already added a patch to have both of your points work properly.
So I would first recommend downloading the install package on our website and installing it on yours and it should be like you want after that.
If you still see an issue after that, then yes, please provide FTP and backend access and instructions to reproduce the issue along with a link to this thread via our contact form:
www.hikashop.com/support/contact-us.html
But I don't think it will be necessary.
