- Project: Joomla!
- SubProject: CMS
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set the "New User Registration Group" and "Guest User Group" to a group with Super User permissions, and restricting the ability of a lesser privileged user to change the user group assignments of users in a Super User group.
Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null, because the underlying call to JAccess::check() can also return a null value; neither method documented this, though. We have determined, based on how the API is used, that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an "implicit" denied state, versus an "explicit" denial signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
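The following is an added example, not Joomla's own code: it models the tri-state result described above with a hypothetical access_check() standing in for JAccess::check() and a boolean-only user_authorise() standing in for the 3.6.5 JUser::authorise(), on a constructed rule table, to show why a caller that tested strictly against false could mistake the undocumented null for "not denied".

```php
<?php
// Constructed rule table: action => array(groupId => allow?). A missing
// entry means no rule applies. Group ids are sample values for this example.
$rules = array(
    'core.admin'       => array(8 => true),             // only group 8 allowed
    'core.edit'        => array(3 => true, 8 => true),  // groups 3 and 8 allowed
    'core.login.admin' => array(6 => false),            // explicit deny for group 6
);

// Hypothetical stand-in for JAccess::check(): returns true (explicit allow),
// false (explicit deny) or null (no rule matched, i.e. an implicit deny).
function access_check(array $rules, array $groups, $action) {
    if (!isset($rules[$action])) {
        return null;
    }
    $result = null;
    foreach ($groups as $g) {
        if (!isset($rules[$action][$g])) {
            continue;
        }
        if ($rules[$action][$g] === false) {
            return false; // an explicit deny always wins
        }
        $result = true;
    }
    return $result;
}

// Hypothetical stand-in for the 3.6.5 JUser::authorise(): boolean only, so
// the implicit-deny null collapses to false and cannot be read as "allowed".
function user_authorise(array $rules, array $groups, $action) {
    return access_check($rules, $groups, $action) === true;
}

$registered = array(2); // a group with no rule for core.admin

// Pre-3.6.5 style caller testing strictly for false: null slips through.
$legacy_denied = (access_check($rules, $registered, 'core.admin') === false);
// Same caller against the boolean-only contract: correctly denied.
$fixed_denied = (user_authorise($rules, $registered, 'core.admin') === false);

var_dump($legacy_denied);                                       // bool(false)
var_dump($fixed_denied);                                        // bool(true)
var_dump(user_authorise($rules, array(8), 'core.admin'));       // bool(true)
var_dump(access_check($rules, array(6), 'core.login.admin'));   // bool(false), explicit deny
var_dump(access_check($rules, array(2), 'core.login.admin'));   // NULL, implicit deny
```

Code that needs to distinguish the implicit and explicit denial states keeps calling the tri-state check directly; everything else should treat only a strict true as an allow.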
The JSST at the Joomla! Security Centre.