Files for documentation for code PR 41496 "Control Access to Component Preferences Individually"

[MarkRS-UK]

Perhaps the code PR #41496 should have been titled "Control Access to Component Preference Tabs Individually".

Since this is my first PR into the manual, I understand there may be further work required. Please inform me what's required if this is so.

[robbiejackson]

Hi, sorry for the delay in looking in detail at this PR.

I was having a look at this with a view to merging it, and have been trying out what you suggest.

However I can't get working what you show in your documentation. If I expand the com_users access.xml file to include those extra lines then I can see the additional permissions in the com_users configuration ok.

However, I can't see how you can limit the number of tabs in the com_users config.

Is there not more code required to make that work? Wouldn't com_users need to check one of those tab permissions before displaying that particular tab?

Also wouldn't com_config need to change to check those permissions before allowing the Save of a particular configuration option?

A configuration option might not be displayed if its associated tab isn't displayed, but a malicious user could send an HTTP request using eg curl for that option, bypassing the fact that its tab is not displayed on the form.

[MarkRS-UK]

Hi @robbiejackson, sorry to be so slow getting back to this. I don't remember seeing a notification, perhaps I just missed it.
I don't understand where the code PR is at. I had a lot of chat with Harald (on the Mattermost platform) about how they don't want it to work the way it currently does so I have to re-write, which I haven't done yet. I'll see about getting that done. In the meantime, this shouldn't be merged.