Hello Guys,
I have a running website with a membership system; it's powered by Seblod. I got a report from my client that some members can't edit their profile (and some can)... I got so confused... but after digging deep, I found the bug and the solution.
The Flow
Seblod does its own ACL by comparing the current session (user ID) with the registered author in #__cck_core. You can see the command line in "libraries/cck/base/form/form_inc.php":
if ( @$canEditOwn && ! $canAccess ) {
    if ( $user->get( 'id' ) != $config['author'] ) { // <-- the comparison is done here
        CCK_Form::redirect( $no_action, $no_redirect, $no_message, $no_style, $config ); return;
    }
}
The Problem
The $config['author'] is taken from a function called g_getBridgeAuthor (located in 'libraries/cms/cck/plugin/location.php').
Somehow the Octopoos team missed the SQL by doing this query:
$author_id = JCckDatabase::loadResult( 'SELECT a.author_id FROM #__cck_core AS a WHERE a.pk = '.$pk ); // todo: a recuperer
See the problem with this query? Well, the fact is there are times when there are several identical pk values in this table, so it's possible that the query took the wrong author ID. In my case there is an article and a user which use the same pk.
The Solution
Fortunately, there's another query filter that we can use to make the query behave as intended, so you just have to add another object filter and change the line to:
$author_id = JCckDatabase::loadResult( 'SELECT a.author_id FROM #__cck_core AS a WHERE a.storage_location = "'.$location.'" AND a.pk = '.$pk ); // todo: a recuperer
Nah! That makes the query perfect!
Hope the next Seblod update will cover this... meanwhile you can update manually...
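
The pk collision described in the post above, reproduced as an added example that is not part of the original post and is not Seblod code. It assumes a constructed SQLite stand-in for #__cck_core, constructed sample rows and storage_location values, and hypothetical helper names; it uses PDO with bound parameters instead of JCckDatabase and string concatenation.

```php
<?php
// Constructed stand-in for #__cck_core (SQLite in memory, sample rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cck_core (id INTEGER PRIMARY KEY, pk INTEGER,
           storage_location TEXT, author_id INTEGER)');
// An article and a user share pk 42 but belong to different authors.
$db->exec("INSERT INTO cck_core (pk, storage_location, author_id) VALUES
           (42, 'joomla_article', 7), (42, 'joomla_user', 42)");

// Lookup by pk alone: more than one row can match, and the database
// decides which one a single-value fetch returns.
function authorByPk(PDO $db, int $pk): ?int
{
    $st = $db->prepare('SELECT author_id FROM cck_core WHERE pk = :pk');
    $st->execute([':pk' => $pk]);
    $value = $st->fetchColumn();
    return $value === false ? null : (int) $value;
}

// Lookup scoped by storage_location, with both values bound as parameters.
// Refuses to answer if the pair is still ambiguous.
function authorByLocationAndPk(PDO $db, string $location, int $pk): ?int
{
    $st = $db->prepare('SELECT author_id FROM cck_core
                        WHERE storage_location = :loc AND pk = :pk');
    $st->execute([':loc' => $location, ':pk' => $pk]);
    $rows = $st->fetchAll(PDO::FETCH_COLUMN);
    if (count($rows) > 1) {
        throw new RuntimeException("ambiguous owner for $location/$pk");
    }
    return $rows ? (int) $rows[0] : null;
}

// Same ownership comparison as the check in form_inc.php.
function isOwner(int $userId, ?int $authorId): bool
{
    return $authorId !== null && $userId === $authorId;
}

$userId = 42; // member opening their own profile
printf("pk only:       author=%s owner=%s\n", var_export(authorByPk($db, 42), true),
       var_export(isOwner($userId, authorByPk($db, 42)), true));
$scoped = authorByLocationAndPk($db, 'joomla_user', 42);
printf("location + pk: author=%s owner=%s\n", var_export($scoped, true),
       var_export(isOwner($userId, $scoped), true));
```

Because the unscoped lookup can return either row, the ownership check can fail in both directions: it may lock a member out of their own profile or match a record the member does not own.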