bug: PostsController missing ACL checks on queue management actions #224

Open
opened 2026-06-29 14:19:05 +00:00 by jmiller · 1 comment
Owner

Summary

Four actions in PostsController have CSRF token checks but are missing ACL authorization checks. Any admin user with basic component access can manipulate the post queue without the mokosuitecross.queue.manage permission.

Affected Actions

File: source/packages/com_mokosuitecross/src/Controller/PostsController.php

| Method | Line | Risk | ACL Missing |
|--------|------|------|-------------|
| purgePosted() | 238 | Mass-deletes all posted records | mokosuitecross.queue.manage |
| retryFailed() | 130 | Re-queues all failed posts | mokosuitecross.queue.manage |
| retrySelected() | 101 | Re-queues selected posts | mokosuitecross.queue.manage |
| schedule() | 34 | Reschedules posts to new date | mokosuitecross.queue.manage |

All four correctly call $this->checkToken() for CSRF protection but do not verify the user has the mokosuitecross.queue.manage permission defined in access.xml.

Comparison

Other controllers properly enforce ACL:

  • PostsController::exportCsv() checks mokosuitecross.queue.export (line 164)
  • ServicesController::publish() checks core.edit.state (line 27)
  • ServicesController::delete() checks core.delete (line 36)
  • DashboardController::migrate() checks mokosuitecross.migrate (line 33)

Fix

Add ACL check after $this->checkToken() in each method:

```php
if (!$this->app->getIdentity()->authorise('mokosuitecross.queue.manage', 'com_mokosuitecross')) {
    throw new \RuntimeException(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 403);
}
```
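Added example, not the project's code: one private guard that every queue action calls, so the CSRF token check and the ACL check always run together and in the same order, and a new action cannot skip the permission test. The namespace, the BaseController parent and the model method names are assumptions, not taken from the repository.

```php
<?php
// Added example (not MokoSuiteCross code). Assumes a Joomla 4/5 admin
// controller; namespace and model method names are hypothetical.
namespace MokoConsulting\Component\MokoSuiteCross\Administrator\Controller;

use Joomla\CMS\Language\Text;
use Joomla\CMS\MVC\Controller\BaseController;
use Joomla\CMS\Router\Route;

class PostsController extends BaseController
{
    /**
     * Shared guard for every queue-management action: reject forged requests
     * first, then require the component permission declared in access.xml.
     */
    private function guardQueueAction(): void
    {
        // CSRF: the original actions already do this.
        $this->checkToken();

        // ACL: the check the four actions were missing.
        $user = $this->app->getIdentity();
        if (!$user->authorise('mokosuitecross.queue.manage', 'com_mokosuitecross')) {
            throw new \RuntimeException(Text::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 403);
        }
    }

    public function purgePosted(): void
    {
        $this->guardQueueAction();
        // Hypothetical model method: the real implementation is in the Posts model.
        $this->getModel('Posts')->purgePosted();
        $this->setRedirect(Route::_('index.php?option=com_mokosuitecross&view=posts', false));
    }

    public function retrySelected(): void
    {
        $this->guardQueueAction();
        // Sanitise the selected ids before handing them to the model.
        $ids = array_map('intval', $this->input->get('cid', [], 'array'));
        if ($ids !== []) {
            $this->getModel('Posts')->retrySelected($ids); // hypothetical
        }
        $this->setRedirect(Route::_('index.php?option=com_mokosuitecross&view=posts', false));
    }
}
```

Because the guard throws before any model call, a user holding only basic component access receives the 403 and the queue is never touched.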
Author
Owner

Branch created: [`feature/224-bug-postscontroller-missing-acl-checks-o`](https://git.mokoconsulting.tech/MokoConsulting/MokoSuiteCross/src/branch/feature/224-bug-postscontroller-missing-acl-checks-o)

```bash
git fetch origin
git checkout feature/224-bug-postscontroller-missing-acl-checks-o
```
No labels
Priority Medium
Type Feature
1 Participants

Reference: MokoConsulting/MokoSuiteCross#224