Fix Field Group permission check (joomla#44956)

Author: joomdonation

administrator/components/com_fields/src/Model/GroupModel.php

@@ -120,14 +120,13 @@ public function getForm($data = [], $loadData = true)
             return false;
         }
 
-        // Modify the form based on Edit State access controls.
-        if (empty($data['context'])) {
-            $data['context'] = $context;
-        }
+        $record          = new \stdClass();
+        $record->context = $context;
+        $record->id      = $jinput->get('id');
 
         $user = $this->getCurrentUser();
 
-        if (!$user->authorise('core.edit.state', $context . '.fieldgroup.' . $jinput->get('id'))) {
+        if (!$this->canEditState($record)) {
             // Disable fields for display.
             $form->setFieldAttribute('ordering', 'disabled', 'true');
             $form->setFieldAttribute('state', 'disabled', 'true');
@@ -160,7 +159,9 @@ protected function canDelete($record)
             return false;
         }
 
-        return $this->getCurrentUser()->authorise('core.delete', $record->context . '.fieldgroup.' . (int) $record->id);
+        $component = explode('.', $record->context)[0];
+
+        return $this->getCurrentUser()->authorise('core.delete', $component . '.fieldgroup.' . (int) $record->id);
     }
 
     /**
@@ -177,13 +178,15 @@ protected function canEditState($record)
     {
         $user = $this->getCurrentUser();
 
+        $component = explode('.', $record->context)[0];
+
         // Check for existing fieldgroup.
         if (!empty($record->id)) {
-            return $user->authorise('core.edit.state', $record->context . '.fieldgroup.' . (int) $record->id);
+            return $user->authorise('core.edit.state', $component . '.fieldgroup.' . (int) $record->id);
         }
 
         // Default to component settings.
-        return $user->authorise('core.edit.state', $record->context);
+        return $user->authorise('core.edit.state', $component);
     }
 
     /**