[4.4] Align the access checks for the unpublished articles in frontend category

[ManuelHu]

This aligns the access checks for the published state and the publish_up/down checks to both use the given filter.published.

Pull Request for Issue #42452.

Summary of Changes

The main CategoryModel model has the right access checks in

joomla-cms/components/com_content/src/Model/CategoryModel.php

Lines 154 to 159 in 302ce23

	if ((!$user->authorise('core.edit.state', $asset)) && (!$user->authorise('core.edit', $asset))) {
	// Limit to published for people who can't edit or edit.state.
	$this->setState('filter.published', 1);
	} else {
	$this->setState('filter.published', [0, 1]);
	}

Here, the access to the single category in question is checked the right way (i.e. by including the category id in the asset name).

But the category model does not filter the articles itself. For this, it calls into ArticlesModel:

joomla-cms/components/com_content/src/Model/CategoryModel.php

Lines 233 to 238 in 302ce23

	if ($this->_articles === null && $category = $this->getCategory()) {
	$model = $this->bootComponent('com_content')->getMVCFactory()
	->createModel('Articles', 'Site', ['ignore_request' => true]);
	$model->setState('params', Factory::getApplication()->getParams());
	$model->setState('filter.category_id', $category->id);
	$model->setState('filter.published', $this->getState('filter.published'));

and passes on the filter.published state.

But in ArticlesModel::getItems(), the access check is repeated with a generic asset tag (i.e. com_content w/o any category information), but only for the publish_up/down case. In the simple published case, no additional access check is performed, and just the value of filter.published is used.

joomla-cms/components/com_content/src/Model/ArticlesModel.php

Lines 492 to 496 in 302ce23

	// Filter by start and end dates.
	if ((!$user->authorise('core.edit.state', 'com_content')) && (!$user->authorise('core.edit', 'com_content'))) {
	$query->where(
	[
	'(' . $db->quoteName('a.publish_up') . ' IS NULL OR ' . $db->quoteName('a.publish_up') . ' <= :publishUp)',

---

This patch essentially aligns the access checks for the published state and the publish_up/down checks to both use the given filter.published.

Testing Instructions

1. Create a content category
2. create articles in it
   • at least one with published state
   • one with published state and with publish_up in the future
   • and one set to be hidden
3. Create a user group and grant access to edit and edit-state for this category only
4. create a category list menu item in the frontend menu
5. log into the frontend with a user that is part of the group created in step 3

Actual result BEFORE applying this Pull Request

• the user can only see two of the articles: the published one, and the hidden one.
• The article with publish_up in the future is not visible

Expected result AFTER applying this Pull Request

• the logged-in user can see all three articles
• Note that this only changes the content of the list. The user always had the permission to view and edit the article (i.e. by "guessing" its URL), it was just not listed.

Link to documentations

Please select:

• Documentation link for docs.joomla.org:

• No documentation changes for docs.joomla.org needed

• Pull Request link for manual.joomla.org:

• No documentation changes for manual.joomla.org needed