In Joomla, besides membership in the Super User group, there is one more way to designate a highest-privilege user: a user for whom every permission check passes. This Root User can only be configured in the configuration.php file.

Let's look at the authorisation code in JUser:
```php
/**
 * Method to check JUser object authorisation against an access control
 * object and optionally an access extension object
 *
 * @param   string  $action     The name of the action to check for permission.
 * @param   string  $assetname  The name of the asset on which to perform the action.
 *
 * @return  boolean  True if authorised
 *
 * @since   11.1
 */
public function authorise($action, $assetname = null)
{
	// Make sure we only check for core.admin once during the run.
	if ($this->isRoot === null)
	{
		$this->isRoot = false;

		// Check for the configuration file failsafe.
		$config   = JFactory::getConfig();
		$rootUser = $config->get('root_user');

		// The root_user variable can be a numeric user ID or a username.
		if (is_numeric($rootUser) && $this->id > 0 && $this->id == $rootUser)
		{
			$this->isRoot = true;
		}
		elseif ($this->username && $this->username == $rootUser)
		{
			$this->isRoot = true;
		}
		else
		{
			// Get all groups against which the user is mapped.
			$identities = $this->getAuthorisedGroups();
			array_unshift($identities, $this->id * -1);

			if (JAccess::getAssetRules(1)->allow('core.admin', $identities))
			{
				$this->isRoot = true;

				return true;
			}
		}
	}

	return $this->isRoot ? true : JAccess::check($this->id, $action, $assetname);
}
```
In the part marked "Check for the configuration file failsafe.", the root_user value is read from the configuration (it can be either a user ID or a username). As soon as the current user matches it, authorise() returns true unconditionally, without ever consulting the user's groups or the asset rules for the requested action.

This feature can be useful in special situations where you need to set up a highest-privilege account (for example when every Super User has been locked out), but do not set it casually in normal operation: it is a security risk, because the setting lives in a file rather than in the user and group tables, it grants every permission on every asset, and it stays in effect until the line is removed from configuration.php.
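A practical follow-up to the caveat above is to check whether a site still has root_user configured. The script below is an added example, not Joomla's own code: it scans the text of a configuration.php for a `$root_user` property and reports, using the same ID-or-username rule as authorise(), what the setting would do. It assumes the setting is written as a class property in the form `public $root_user = 'value';` (older sites may use `var` instead of `public`); the two configuration fragments are constructed samples, not taken from a real site.

```python
import re

# Added example (not Joomla's own code): audit a configuration.php for the
# root_user failsafe that JUser::authorise() honours. Assumes the setting is
# written as a class property, e.g.  public $root_user = 'admin';  (older
# sites may use "var" instead of "public"); an unquoted numeric value is
# accepted as well.
ROOT_USER_RE = re.compile(
    r"""^\s*(?:public|var)\s+\$root_user\s*=\s*(?:(['"])(.*?)\1|(\d+))\s*;""",
    re.MULTILINE,
)


def root_user_setting(config_text):
    """Return the configured root_user value, or None if unset or empty."""
    m = ROOT_USER_RE.search(config_text)
    if not m:
        return None
    value = m.group(2) if m.group(1) else m.group(3)
    return value or None


def audit_root_user(config_text):
    """Describe the effect of the setting using the same rule as authorise():
    a numeric value is matched against the user ID, anything else against the
    username. Returns (is_set, message)."""
    value = root_user_setting(config_text)
    if value is None:
        return False, "root_user is not set; only core.admin group rules grant root"
    # PHP's is_numeric() also accepts a quoted number, so '7' counts as an ID.
    kind = "user ID" if value.isdigit() else "username"
    return True, (f"root_user={value!r} ({kind}) makes authorise() return True "
                  "for every action; remove it from configuration.php when done")


# Constructed sample configuration.php fragments (not from a real site).
CONFIG_WITH_ROOT = """<?php
class JConfig {
    public $offline = '0';
    public $root_user = 'siteadmin';
    public $dbtype = 'mysqli';
}
"""

CONFIG_CLEAN = """<?php
class JConfig {
    public $offline = '0';
    public $root_user = '';
    public $dbtype = 'mysqli';
}
"""

if __name__ == "__main__":
    for name, text in (("with root_user", CONFIG_WITH_ROOT), ("clean", CONFIG_CLEAN)):
        flagged, msg = audit_root_user(text)
        print(f"[{'WARN' if flagged else 'OK'}] {name}: {msg}")
```

Run it against a real file with `audit_root_user(open('/path/to/configuration.php').read())`; an empty string (`''`) is treated the same as an absent setting, which matches the code above, where an empty root_user matches neither a numeric ID nor a non-empty username.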