Bug in Artio's Docman 2 component
Thursday, 13 August 2009 20:00
I was a little surprised this morning when I received a mail from a visitor of my website. The reason for my astonishment could of course have been that someone actually visited my website. Rather than that, what caught my attention was when he announced humbly that he had been granted super administrator access and could modify all my articles without even registering! This was the sign of a bad debugging day…

The problem arises when a guest or user gets a list of documents displayed by Artio’s Docman 2 component. I haven’t checked whether the problem is present in earlier versions running on Joomla! 1.0.x, but it seems unlikely that something so dangerous would have slipped through for that long. After a lot of coffee and the introduction of “exit();” commands across Docman’s code, I could nail the problem down to a seemingly very innocent function call in DOCMAN_user.class.php. Lines 811-2 read as follows:

```php
811 $users [$id] = &JFactory::getUser();
812 $users [$id]->load ( $id );
```

In short, a user object is built by calling the JFactory::getUser function without specifying the user id, which is then explicitly loaded on the next line. As far as I can judge, this seems like a pretty standard, harmless piece of code. Unless you take a look at the JFactory::getUser function:

```php
function &getUser($id = null)
{
    jimport('joomla.user.user');

    if (is_null($id)) {
        // No id given: hand back the user object stored in the session
        $session  =& JFactory::getSession();
        $instance =& $session->get('user');
        if (!is_a($instance, 'JUser')) {
            $instance =& JUser::getInstance();
        }
    } else {
        // Id given: build a user object for that id
        $instance =& JUser::getInstance($id);
    }

    return $instance;
}
```

I’m not 100% sure that I fully understand what happens here, but it seems that, should no user id be specified, the function will return by reference the session’s user. This apparently has the consequence that when Docman loads the id into the returned object, it modifies the user of the session. In my case, all documents were created as super administrator on the backend, so when Docman loaded the user object corresponding to the creator of any document for display, it inadvertently also turned the session into a super administrator one.

A possible correction

I am not sure where this should be corrected… A possible correction of lines 811-2 in DOCMAN_user.class.php could be:

```php
811 $users [$id] = &JFactory::getUser($id);
812 //$users [$id]->load ( $id );
```

This correction prevents the modification of the session and returns the desired user information. However, the JFactory::getUser function seems a little fishy to me in that it has two purposes: returning any user object specified by id, or pointing to the session user. I have no idea of the implications, so please be indulgent in your comments, but I would guess that these two purposes should be separated into distinct functions for improved security…
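To make the aliasing concrete, here is an added, self-contained PHP model of the shipped pattern next to the corrected one; it is not Docman's or Joomla's code. The Session, User and UserFactory classes are hypothetical stand-ins for JSession, JUser and JFactory, and PHP 7.4 or later is assumed.

```php
<?php
// Added illustration, not Docman's or Joomla's code; Session/User/UserFactory
// are hypothetical stand-ins for JSession/JUser/JFactory. Objects are handles
// in PHP 5+, so the alias exists even without the PHP 4 style "=&" of the original.
class User {
    public int $id = 0;
    public string $usertype = 'Guest';

    // Stand-in for JUser::load(): overwrite this object's state with the
    // record for $id, using constructed sample data instead of a database.
    public function load(int $id): void {
        $records = [42 => 'Registered', 62 => 'Super Administrator'];
        $this->id = $id;
        $this->usertype = $records[$id] ?? 'Guest';
    }
}
class Session {
    public User $user;
    public function __construct() { $this->user = new User(); } // anonymous guest
}
class UserFactory {
    // Mirrors the two-purpose JFactory::getUser(): with no id it hands back
    // the session's own user object; with an id it builds a separate one.
    public static function getUser(Session $session, ?int $id = null): User {
        if ($id === null) {
            return $session->user;
        }
        $u = new User();
        $u->load($id);
        return $u;
    }
}
function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("unexpected: $what"); }
    echo "ok: $what\n";
}

// Vulnerable pattern (lines 811-2 as shipped): no id, then load() on the result.
$session = new Session();
$creator = UserFactory::getUser($session);
$creator->load(62);
check($session->user->usertype === 'Super Administrator', 'guest session escalated');

// Corrected pattern: pass the id so a distinct object is loaded.
$session = new Session();
$creator = UserFactory::getUser($session, 62);
check($session->user->usertype === 'Guest', 'session untouched after fix');
check($creator->usertype === 'Super Administrator', 'creator loaded separately');
```

The first check passes precisely because the session object and the "creator" object are the same handle, which is the escalation the post describes.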
Last Updated on Friday, 14 August 2009 11:52

