Support

This shows up after SOME visitors select a value in a select element of a form (number of tickets) but NOT for all visitors. I can only make it happen from any of my home systems (Windows - Wifi, Android Wifi or Cellular) if I use the Opera browser and its free VPN to change my location to Europe, Asia, or North America. Other visitors are NOT using a VPN but this problem crops up.

The user is presented with a popup that says: 

peacecoalition.org says error

or

test.peacecoalition.org says error

I don't know whether that popup is coming from Joomla core, Admin Tools, or the extension "Events Booking", which is where the form comes from.

you should be able to reproduce the problem by going to

https://test.peacecoalition.org/june-9-event-test 

and simply choosing a value for the number of tickets.

I am attaching screenshots which I hope will be easier to understand than my verbal descriptions. 

I am also attaching a screenshot of what I got when I entered 
https://test.peacecoalition.org/index.php?option=com_eventbooking&task=register.calculate_individual_registration_fee&Itemid=

in the browser address field - in Chrome, so NO VPN involved.  

Any light you might be able to shed on this issue would be appreciated.

thank you.

Nicholas - Thank you for the rapid and instructive reply. I have followed your advice - I sent your analysis to the developers of Event Booking and I disabled f the "Block Suspicious Core Parameters" feature in WAF in Admin Tools - I hope the Event Booking developers can fix their issue soon so I can turn that back on.

However - I found that when I saved that change, I got a message saying there was a problem saving the WAF parameters.

There were errors trying to save the Web Application Firewall's configuration.

When I re-examined WAF, it shows that option is disabled and the value I see for that option in the db is '0', so it seems to be disabled.

I am seeing this line in the administrator/logs/akeeba_runPluginsTrait.php file. It seems to occur every time I save the WAF configuration. 

2024-04-26T12:59:22+00:00 Event "onComAdmintoolsDispatcherAfterDispatch" resolved to class Joomla\Event\Event -- called from Akeeba\Component\AdminTools\Administrator\Dispatcher\Dispatcher->triggerPluginEvent at [ROOT]/administrator/components/com_admintools/src/Mixin/TriggerEventTrait.php line 75

In any case, disabling the option  "Block Suspicious Core Parameters" doesn't fix the problem at all. I still get the popup (which I guess is not from Admin Tools) and the ticket cost is not calculated in the form. 

The central issue seems to be that some visitors at some locations get this error and some do not. Is there anything in the Joomla Core that you can think of that might explain how that might happen? I'm asking based on your extensive experience - I don't think the problem is based on anything to do with Admin Tools - but clearly Admin Tools was detecting that 'Suspicious Core Parameter".  I'm thinking that you've seen just about every kind of weird error that can possibly occur and I'm hoping you might be reminded of some past encounter with an error like this one - and can explain how this Event Booking form can work fine for some visitors and not for other visitors... my best guess is that it is based upon how a visitor is connected to the internet and what domain that are being assigned by the internet service provider. However, I am at a total loss as far as how to fix this problem and why we've never encountered it before during the years that this site has been using this extension.

There were errors trying to save the Web Application Firewall's configuration.

You have some settings which are invalid. Nothing was actually saved. Please check all of the settings which have a subform such as lists of IP exceptions, lists of allowed domain names etc. If there are empty lines, remove them.

As far as I can tell none of the values I'd entered were invalid. I first got this message when I enabled "Block Suspicious Core Parameters". When I got out of Admin tools and returned to it that option was displayed as enabled.  I hadn't modified anything else - but I have checked all "the lists of IP exceptions, lists of allowed domain names etc." and I don't see any blank lines. I have also downloaded your new version of Admin Tools Professional 7.5.3 - and 

a) the original issue went away - at least as far as I can test right now. It only appeared for me when I used the Opera VPN to access the site - from Europe, Asia, or "North America" and with the update to Admin Tools, I don't see the problem.

b) Admin Tools is now complaining that my 3 letter secret url parameter is bad - it now has to be 4 characters minimum... which I thought was new - at least I'd not noticed it before. I went back to my test site test.peacecoalition.org that is running Admin Tools Professional 7.4.9 and the same message does appear but since it is in a yellow box, I guess I didn't pay much attention to it. I would think the 3 letter secret url parameter was probably causing the message to appear  The same yellow boxed message still appears under the field for the secret url parameter even if the secret url param is 4 lowercase letters (as mine is). I think you would agree that it would be better to have that message NOT appear UNLESS there IS a problem with the secret url parameter and that it should clearly indicate what is wrong with the secret url param if there is something wrong with it - too short, too long, beings with dash or underline, contains invalid chars, etc.

It would be really great to know why the problem did NOT occur when I accessed the test page from my home - regardless of whether I used Wifi or Cellular to access the internet, but it DID occur when I used my Android phone to access the site using either a nearby coffee shop Wifi  or cellular service to access the test page. That's one of the devices that had NO problem with the page from my home.  And why the problem appeared when I accessed the test page using Opera WITH VPN (and NOT Opera WITHOUT VPN) - and for the client testing in New Jersey and my daughter testing from about 10 miles from my home and for my son testing from outside Chicago.  IT all seems a bit eerie to me.

The popup is a JavaScript alert. We don't use that in our Admin Tools code.

I'm glad to know that wasn't one of your alerts. It didn't seem to be your style and it seemed very unlikely to me that Admin Tools would generate such a useless message. But I had to ask.

But I am delighted that we can proceed from here to start registrations for this upcoming (June 9) event.

Thank you for sticking with it even if it didn't and still doesn't make any sense.

Dave Ascher

I wrote: 

I think you would agree that it would be better to have that message NOT appear UNLESS there IS a problem with the secret url parameter and that it should clearly indicate what is wrong with the secret url param if there is something wrong with it - too short, too long, beings with dash or underline, contains invalid chars, etc.

And you wrote in reply:

No, this is an important piece of information and we need to grab your attention to it. The message reads "The Administrator Secret URL Parameter can only consist of lowercase and uppercase latin letters without accents or diacritics (a-z and A-Z), numbers 0-9, dashes, and underscores. The first character cannot be a dash or underscore. It must be 4 to 64 characters long". Giving the password requirements to a user entering a password is a courtesy.

 

Which made me think that there was a failure of communication. I was referring to that yellow box with the very helpful information about the requirements for "The Administrator Secret URL Parameter" (" TASUP", in brief) appearing in the Admin Tools backend. It doesn't (at least on my sites) appear when a user is entering a password (which your last sentence seems to at least imply).

It ALWAYS appears in the WAF configuration Basic Settings tab directly beneath the TASUP field regardless of whether or not the current TASUP meets the requirements. The fact that it does ALWAYS appear makes it more likely to not be noticed when it should be noticed. I can understand that adding a bit of code to explicitly describe why an entered TASUP fails to meet the requirements may not be the sexiest piece of code to write, but I am willing to predict that you will have more inquiries and complaints about this over the next year or so if you do not add code to do that than if you do add code that informs the administrator that their TASUP is shorter than the required 4 characters, longer than the allowed 64 chars, contains chars "other than A-Z, a-z, 0-9, or _ or -" - or even better which disallowed characters it contains. 

It would also have been very helpful to know that the reason the parameters "could not be saved"  (even though the parameter I was modifying ("Suspicious Core Parameter") and upon which I was focused was just fine (I'd changed it from "disabled" to "enabled") and was apparently saved as I'd set it because it showed up as enabled when I re-opened the Basic Settings tab later - that there was a problem specifically with the TASUP parameter due to the change in the requirements of the length and content of the TASUP.  The yellow box would then have appeared more relevant to me - even though it didn't clearly specify exactly what was "wrong"  with the TASUP value that the site has used for almost five years. Interestingly, the code's failure to clarify the issue of the 'bad' TASUP left the old (bad) TASUP in place in the database. Miraculaously, the three character TASUP we'd been using continued to work despite it not meeting the changed requirements for at least four characters. 

I know this is a small issue - and other than my wasting some of my time, that could have been spent much more productively, no serious harm was done by this suboptimal bit of user interface. I hesitate to suggest that you add my suggestions above to your wish list for future versions of Admin Tools as your depth and breadth of knowledge about Joomla and its in and outs is remarkable and probably matched by very very few if any other developers of either the Joomla core or other extensions - and my expertise (such as it is) can probably best be described as 'hanging on as well as I can as the environment in which I do my work keeps changing somewhat - to me - mysteriously".  I'm not afraid to dive into some PHP code or on occasion JavaScript (we don't have to call it ECMA anymore do we?) but as things become more 'object oriented' it becomes more and more difficult to follow the flow of any Joomla request - at least without a much more in-depth understanding of what does what, when in the core vs. in an extension and what does what in the helper code (of which their seems to have been an explosion since Joomla 4).

I'm not a Joomla developer nor a Joomla extension developer, but after almost 15 years of working on a few Joomla sites, it seems to me that as the flexibility and reliability of the CMS has increased dramatically, the promise that Joomla (and the extensions) "take care of everything" and a site administrator " doesn't need coding skills") has become somewhat less true. The learning curve for an administrator to create a 'useful' site seems to me to have become considerably steeper - maybe "flexibility"  just requires that to be the case.

The point is that somebody who is focused primarily upon the content and to some extent, upon the esthetics (usually a 'mamager" but sometimes a "manager" also working with or even as an "administrator" , has their hands full with such things, leaving very little if any energy left to carefully read every word of every extension's documentation, some of which is often not up to date (not yours), but changes in the documentation and operation of the extension (and the core) are not highlighted to attract the attention of those who need that information. 

Admin Tools and Akeeba Backup are both outstanding in terms of their capabilities and - I cannot imagine how any Joomla site would dare to go live without using both of them. Howver, as their functions increase, without clear descriptions of user (admin) errors committed during the configuration process, it will become more and more difficult for people to configure them properly to use the features that they want to use

Sorry for the tirade. Please keep doing the right things.

Dave Ascher 

PS - I have heard from my son in Chicago and my daughter about 10 miles from my home that the problem that they had previously encountered (the useless alert and the failure of the form to continue processing) has been fixed - at least for now.

I don't suppose you and Tuan of Event Management could discuss the root issue that might have caused this problem originally? I mean that whole business of it working just fine for me when I was at home, using either WiFi or Cellular, and that it failed for me only if I used the Opera VPN OR if I used WiFi or Cellular from the coffeeshop - and for anybody who'd used it outside my home. Very weird. I will ask him about whether Event Booking uses location services - but I'd be very surprised if it did. 

I hadn't realized how much of the processing of these backend forms is handled by Joomla and not by your extension. I understand your frustration. To whom would you suggest I direct my own displeasure about the inadequacy of Joomla's form validation?  It seems that simply posting on a Joomla forum would be insufficient - and my own knowledge of how Joomla's form validation works is between thin and non-existent. 

If folks like me are don't know which services like that are provided by Joomla and which by extension developers it makes it somewhat tricky to figure out where to complain. 

Suggestions?