Major ACL issue

Need help with the Administration of your Joomla! 4.x site? This is the spot for you.

roadsider
Joomla! Apprentice
Posts: 48
Joined: Thu Jan 17, 2013 7:13 pm

Major ACL issue

Post by roadsider » Wed Apr 03, 2024 8:00 pm

Parts of the front end to be viewed only by Admins are appearing to the public. The ACL just is not working as expected.

I created a new access level to view form submissions. The information submitted is very sensitive and cannot be emailed to the admin for security reasons, yet the entire RSForm directory is available to the public.

I want to point the finger at RSForm, but I put the link to that directory in a module and assigned it to the admin group. It still shows up. I can see it when I use Incognito mode!

Mind you, I performed this upgrade nearly from scratch. I started with a fresh install and built back from there, but there have been numerous issues I continue to iron out, such as links to existing pages generating 404s. I'm fixing those by creating menu items, which I never had to do before.

This has been a horrible upgrade process for me. What is up with the ACL?

AMurray
Joomla! Exemplar
Posts: 9818
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Major ACL issue

Post by AMurray » Wed Apr 03, 2024 9:32 pm

For testing, try using the default user groups, e.g. Manager, Administrator or Super User, for your forms or other content that you don't want to be public. Place the users in one of those groups and see if that works.

Can you post some screenshots of the back end of your ACL settings? We can't advise much when you haven't told us what you have set, and what you might need to set to get it working correctly.

I'm not an expert with the ACL, just saying that trying to use the default user groups may be the solution.
Regards - A Murray
General Support Moderator

roadsider
Joomla! Apprentice
Posts: 48
Joined: Thu Jan 17, 2013 7:13 pm

Re: Major ACL issue

Post by roadsider » Mon Apr 22, 2024 1:39 pm

Thanks for the reply and my apologies for the delay.

This issue is beyond just the forms. On the site, I have unpublished articles that are showing up to the public. I have to either archive them or delete them to make them "disappear" from the front end for all users.

I have Shared Sessions turned off.

Here are screen shots:
Screenshot 2024-04-22 at 9.34.02 AM.png
Screenshot 2024-04-22 at 9.33.19 AM.png
For me, this is a built-in feature that just isn't working.

cms-4all
Joomla! Apprentice
Posts: 17
Joined: Tue Oct 02, 2012 4:38 pm
Location: Hamburg

Re: Major ACL issue

Post by cms-4all » Mon Apr 22, 2024 2:06 pm

Hi,
here are some steps and checks to help you resolve the issue:

1. Verify ACL Configuration

Ensure your Access Control List (ACL) settings are correctly configured:

- User Groups: Check that your admin user group is correctly set up and that it has the appropriate permissions. Make sure it inherits from the correct parent groups if any.
- Access Levels: Verify that the new access level you created is assigned only to the admin group. Also, check if there are other groups included inadvertently that could be causing the wider access.
- Viewing Access Levels in Modules/Components: For the module where the RSForm directory is linked, ensure that the module itself is set to the admin viewing access level. Sometimes the module and the content it links to can have different access settings.

2. Check Module Assignment

If the module with the RSForm link is visible publicly, double-check the following:

- Module Assignment: Go to the Module Manager and make sure that the module displaying the RSForm link is assigned only to pages accessed by admins. Even if the module is set to admin access, if it's assigned to a public page, it might still show up.
- Menu Assignment: Make sure the module is not assigned to any public menu items.

3. Inspect RSForm Configuration

If RSForm itself is misconfigured, it might bypass Joomla!'s ACL settings:

- Form Permissions: Check the permissions specific to RSForm to ensure they align with Joomla!'s ACL settings. Sometimes, extensions have their own set of permissions that need to be configured.
- Directory Access: If the RSForm directory is accessible publicly, consider applying .htaccess rules or folder permissions to restrict access. This is not the best practice but can be a temporary solution if the ACL isn't applying as expected.

Hope this helps!
Jan
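The access-level check from step 1 of the reply above can be done mechanically; the following is an added example, not part of the thread and not Joomla or RSForm code. It reads rows shaped like Joomla's `#__usergroups` and `#__viewlevels` tables and reports every viewing access level that an anonymous visitor already holds. Assumptions: the sample rows are constructed (the "Form Admins" level is hypothetical), the guest group id is 9, and membership of a group counts for its parent groups as well.

```python
import json

# Constructed sample rows, modelled on a default Joomla install:
# #__usergroups (id, parent_id, title) and #__viewlevels (id, title, rules).
USERGROUPS = [
    (1, 0, "Public"), (2, 1, "Registered"), (3, 2, "Author"),
    (6, 1, "Manager"), (7, 6, "Administrator"), (8, 1, "Super Users"),
    (9, 1, "Guest"),
]
VIEWLEVELS = [
    (1, "Public", "[1]"), (2, "Registered", "[6,2,8]"),
    (3, "Special", "[6,3,8]"), (5, "Guest", "[9]"),
    (7, "Form Admins", "[7,1]"),  # hypothetical custom level; Public ticked by mistake
]
GUEST_GROUP_ID = 9  # assumed value of the Users component's "Guest User Group" option


def effective_groups(group_id, usergroups):
    """Return the group plus all of its ancestors (assumed upward inheritance)."""
    parent = {gid: pid for gid, pid, _ in usergroups}
    seen = set()
    while group_id in parent and group_id not in seen:
        seen.add(group_id)
        group_id = parent[group_id]
    return seen


def levels_open_to_guests(viewlevels, usergroups, guest_group=GUEST_GROUP_ID):
    """List (level title, offending group titles) for levels an anonymous visitor holds."""
    titles = {gid: title for gid, _, title in usergroups}
    guest_groups = effective_groups(guest_group, usergroups)
    findings = []
    for _, title, rules in viewlevels:
        # rules is a JSON array of group ids allowed to view this level
        hits = sorted(g for g in json.loads(rules) if g in guest_groups)
        if hits:
            findings.append((title, [titles[g] for g in hits]))
    return findings


if __name__ == "__main__":
    for level, groups in levels_open_to_guests(VIEWLEVELS, USERGROUPS):
        print(f"{level}: visible to anonymous visitors via {', '.join(groups)}")
```

The built-in Public and Guest levels are expected in the output; any custom level that appears there, such as the constructed "Form Admins" row, includes a group that every visitor belongs to.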

