#40631 Can't access any files or images via the frontend editor

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
4.4.4
PHP version
8.0
Admin Tools version
7.5.2 Pro

Latest post by nicholas on Friday, 03 May 2024 03:02 CDT

5uwebsite

Hi there,

We had read:

https://www.akeeba.com/documentation/admin-tools/server-protection.html

before contacting support. However we are not sure how to fix the issue. This video describes what happened, and I could send you the super user login details if it is needed (but please tell me how to do so securely).

If you should show me where to create the exceptions for Joomla 4, that should work too.

Thank you.

nicholas
Akeeba Staff
Manager

There is no video file.

Generally speaking, please do not use videos to communicate your issue unless explicitly instructed to do so.

Please do use words to describe what is going on. If necessary, also provide a screenshot. These help us help you a sight more than a no-context video.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

5uwebsite

Hi Nicholas,

Thank you for your fast reply, and sorry for not providing the video link. The problem is, we will encounter a permission error when we try to access files/media via the frontend editor, as shown in this screenshot:

https://mrkr.io/s/66289a067fa576b0e8e3ab6b/0

The error we got is:

You don't have permission to access this. Please contact a website administrator if this is incorrect.

as shown in this screenshot:

https://mrkr.io/s/66289a5cd99a504db2dcfb9d/0

All other features and functions seem to be normal. We have checked file and folder permissions, as well as the ownerships, all should be good.

We have also tried to back up the current .htaccess file, and use a default .htaccess file, but still no luck.

Backend editing is fine, may I know what could be wrong?

Thank you.

nicholas
Akeeba Staff
Manager

There is nothing in Admin Tools's Web Application Firewall or .htaccess Maker which would block JCE's "Insert image" button.

Moreover, the message you are receiving comes from Joomla itself, not Admin Tools. It's the standard "access denied" message it displays when the anti-CSRF token in a request is invalid. JCE does, indeed, pass the anti-CSRF token in the request it makes to fetch the popup's content, which is a URL like this:

https://www.example.com/index.php?option=com_jce&task=plugin.display&plugin=imagepro&60a0856990a67b73ce1be1b544e2bc60=1&context=363&profile_id=1

The bold and underlined part is Joomla's anti-CSRF token.

I suspect that your problem may have to do with caching. Disable Joomla's caching in Global Configuration, and disable the "System - Page Cache" plugin as well. If you are behind a CDN such as CloudFlare make sure to add an exception for all URLs which contain option=com_jce& in them to prevent it caching the wrong editor content (including error results).

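The caching explanation in the reply above, as an added example that is not part of the original ticket or of Akeeba's or JCE's code: a small check that pulls the anti-CSRF token out of `option=com_jce&` URLs and flags responses that look cache-served. The session labels, response headers and the second token are constructed sample data, and the check assumes the token is bound to a single session.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Joomla sends its anti-CSRF token as a 32-hex-character parameter NAME with value 1.
TOKEN_NAME = re.compile(r"^[0-9a-f]{32}$")

def csrf_token(url):
    """Return the anti-CSRF token carried in a URL's query string, or None."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value == "1" and TOKEN_NAME.match(name):
            return name
    return None

def cache_signals(headers):
    """List response headers showing the reply was served from a cache."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    found = ["cf-cache-status: HIT"] if h.get("cf-cache-status", "").upper() == "HIT" else []
    age = h.get("age", "")
    if age.isdigit() and int(age) > 0:
        found.append("age: " + age)
    return found

def diagnose(observations):
    """observations: (session, editor_url, response_headers) tuples. Assumes a token
    belongs to one session, so a token seen under two sessions points to a shared cache."""
    seen, findings = {}, []
    for session, url, headers in observations:
        if "option=com_jce&" not in url:
            continue  # only the editor URLs named in the reply
        token = csrf_token(url)
        if token is None:
            findings.append((session, "no token in editor URL"))
            continue
        for signal in cache_signals(headers):
            findings.append((session, "cached response (" + signal + ")"))
        owner = seen.setdefault(token, session)
        if owner != session:
            findings.append((session, "token reused from " + owner))
    return findings

# Constructed sample data: session labels, headers and the second token are made up.
EDITOR_URL = ("https://www.example.com/index.php?option=com_jce&task=plugin.display"
              "&plugin=imagepro&60a0856990a67b73ce1be1b544e2bc60=1&context=363&profile_id=1")
SAMPLE = [
    ("session-A", EDITOR_URL, {"CF-Cache-Status": "DYNAMIC"}),
    ("session-B", EDITOR_URL, {"CF-Cache-Status": "HIT", "Age": "120"}),
    ("session-C", EDITOR_URL.replace("60a0856990a67b73ce1be1b544e2bc60", "0f" * 16), {}),
]
```

Calling `diagnose(SAMPLE)` reports only session-B, which received both cache-hit headers and a token first seen under session-A.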

5uwebsite

Thanks a lot Nicholas. The support is excellent! Always fast and detailed, although this is not related to your extensions.

The cache plugins and the global settings for caching were not enabled in the past, therefore it is not related. We didn't use CDN for this staging environment, so it is most likely not related either. However it is good to know that Admin Tools won't block such access. We will continue to investigate the problems.

Thank you.

nicholas
Akeeba Staff
Manager

You're welcome!

If you want to be 100% sure it's not anything I may have missed, and even though I did try reproducing your exact issue on two different sites of mine, you can try two more things.

First, you can try disabling the System - Admin Tools plugin (first, go to Admin Tools' Configure WAF and set Defend against plugin deactivation to No). If the problem is reproducible, Admin Tools' Web Application Firewall had no effect on it.

The other thing to try is to replace the contents of your .htaccess file with those of the htaccess.txt file shipped with Joomla. If the problem is still reproducible it's not a .htaccess issue either.

If you have done these and already know it's neither caching nor a CDN, the only thing that's left is server configuration, or a third party plugin doing something weird.


5uwebsite

Thanks a lot Nicholas! Your reply is always impressively detailed! You must love helping people! I have never seen support as good as this in my 16 years of life. That is why we really feel comfortable to work with your brand and use all the pro versions you developed. The feeling is very good and confident!

I did try the 2 suggestions too. For disabling the System - Admin Tools plugin, I could not disable it. I always got this error when I tried to save:

https://mrkr.io/s/66318a8780f97406809bf4bc/0 

and therefore I got the permission denied message when I tried to disable the plugin. When I go back to the WAF setting, I could see that the option Defend against plugin deactivation was set to No even if I got the error when I tried to save the configuration, but I could not disable the plugin.

Then I went to Manage Extensions, and disabled everything related to Admin Tools. It seems that I could disable all the extensions here, but maybe the plugin is different and it is still working hard to protect the website.

For #2, I did try the original .htaccess file shipped with Joomla and it causes no differences. 

After talking to the server provider for weeks, it seems that we cannot get this resolved still. 

We just tried to create a login menu on another different Joomla website, and it seems that we will get the same problem, and the same issue comes up even if we changed the website to another hosting server. Interestingly, this is not related to the editor itself. If we just log in at the frontend, and close the window then try to visit frontend again, we will immediately get the 403 permission denied issues, which will not disappear until we clear our browsing history.

Do you have a clue what might happen and how to fix such an issue?

Thank you.

nicholas
Akeeba Staff
Manager

Thank you very much for your kind words! They really do mean a lot and made my day :) I do, indeed, love helping people. That's why I became a Free and Open Source Software developer. The hours suck, the pay sucks, but I get to help people without some legal cover-your-butt corporate policy getting in my way.

To disable the System - Admin Tools plugin we first need to turn off its self-defense mechanism. Go to Components, Admin Tools, Web Application Firewall, Configure WAF, and set "Defend against plugin deactivation" to No. Then, click on Save in the toolbar. You can now disable the plugin just fine. Please let me know if you can reproduce the same issue with the plugin disabled.

Also, are you using Joomla's Multi-factor Authentication for your user account?


5uwebsite

Thank you for sharing your thoughts. Yes, working as an Open Source Software developer means lots of contributions without returns. Many people do, but only very few people are dedicated and love their work and helping others. The top 0.1% of open source developers like you made the Internet better, created jobs and opportunities for others, and therefore you deserve the best recognition. The Joomla community is lucky to have you. Just can't imagine how the world will be without Akeeba Backup and Admin Tools.

For Admin Tools, I found that option but could not save my changes due to the error "Invalid field: Permanently disallow IP after this many automatic blocks", as shown in this screenshot:

https://mrkr.io/s/66318a8780f97406809bf4bc/0

I checked every single setting and could not find which field is responsible for that. Therefore I could not disable the WAF for another test.

Thank you.

nicholas
Akeeba Staff
Manager

That field is in the Auto-ban tab.


5uwebsite

Thank you. It seems that I could not save and deactivate the plugin, no matter what I entered for that field, as shown here:

https://mrkr.io/s/6633f45092b5bccc02631a85/0

Thank you.

nicholas
Akeeba Staff
Manager

In the Auto-Ban tab scroll a bit further down than what you showed on your screenshot.

Set Add persistent offenders to the IP Disallow List to Yes

You will now see the Permanently disallow IP after this many automatic blocks field. Enter the value 3

Now set Add persistent offenders to the IP Disallow List to No

Click on Save

It should now save just fine and you can go back to change "Defend against plugin deactivation" to No

