
Problem with C4 and password protected admin-area

PePa, January 27 at 16:24

Hi there,
First of all, thanks for the great ChronoEngine components and stuff, great tools that I have liked to use for some time on all my Joomla sites.

I am using the latest Joomla 3.6.5 and ChronoForms 4.1, and I created some forms with it, the usual stuff (nothing special, like contact or order forms) with captcha included.

Apart from that, I have password-protected my admin area inside the folders with htaccess and htpasswd files so no one can access it directly from outside without that.

Now my problem is the following: every time a user tries to access my forms from the frontend, Joomla asks him to enter a password, even if the linked form or anything else from the menu is set to "public" in Joomla 3; no password attempt should occur normally!

I've read about what could be the problem and crawled through the forum here, but found no reliable answer.
The only answer I found was in the Akeeba forums (I am using Akeeba Admin Tools as well): the suggestion that if this error occurs, supposedly some component or whatever looks inside the administrator folders for some files like CSS, PHP or image files. Could this be true?

So what happens is: I cannot protect my admin area with a password, otherwise ChronoForms asks for a password with whatever form is being used, which wouldn't be needed with a simple contact form at all.
If I switch off password protection for the admin area, everything works fine ... no password attempt pops up.

I already tried to enter something like this into my htaccess files in the admin area to allow access to the chronoforms folders:

## Allow com_chronoforms
RewriteEngine On
RewriteRule ^administrator/components/com_chronoforms\.php$ - [L]

Order Deny,Allow
<Files administrator/components/com_chronoforms/*.*>
Allow from all
</Files>

But that didn't help; the password attempt still pops up...

So what should / could I do to work around this problem?
Any suggestions from your side?

Thanks for your time and help, greatly appreciated!!
Peter

GreyHead

Hi Peter,

I think that you are on the right track, and you need to grant permission to the /administrator/components/com_chronoforms/ folder.

I'm not an expert in .htaccess files though and can't tell you what you need to add. It may be that an .htaccess file in that folder will do what you need???

Bob

ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much

PePa

Hi Bob,

Thanks for your reply.

Well, regrettably the htaccess file in the main admin folder didn't do the job for me. I was hoping that YOU were the one to tell me what the problem was and how it could be located.

The problem is that opening up access rights for the admin area opens up a security risk for the whole website at the same time, as hackers might attempt to work around that area whenever possible.
So I wonder a bit why C4 wants to access the admin area at all to show a form that is supposed to be put together from content (PHP) files out of the public "component" folder, not the admin ones...

I will try again to put a more dedicated htaccess file in the chronoforms folder inside admin/components.
But as mentioned before, usually this is not done for security reasons; also, other extensions don't access this area except for the real admin functions inside the backend, not for frontend functions. But I will try it out and let you know the results of my tests.

Thanks, Peter

GreyHead

Hi Peter,

Unfortunately no, the custom security settings that you have made mean that you have to manage the consequences :-(

ChronoForms v4 has some files that are used in both the front and back end and those need to be accessible from the front-end for it to work correctly. As I've said before, I believe that other users have solved this by adding local permissions to the chronoforms folder.

Bob

ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much
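
Added example (not part of any post in this thread and not ChronoForms' own configuration): the "local permissions" approach Bob mentions, written as an .htaccess for the chronoforms folder that exempts only static assets from the password prompt. It assumes Apache with AllowOverride permitting AuthConfig and Limit for that folder; the extension list is an assumption and should be matched to the requests that actually return 401 in the access log.

```apache
# File: administrator/components/com_chronoforms/.htaccess
# Added example; the extension list below is an assumption.
#
# The Basic-auth prompt appears when the visitor's browser requests a URL
# under /administrator/ (typically CSS, JS or images). PHP files that
# Joomla includes server-side are read from disk and never pass through
# HTTP authentication, so they need no exemption.
#
# Why the rules placed in administrator/.htaccess had no effect:
#   - <Files> matches only a file's base name, never a path with slashes.
#   - A RewriteRule with "-" leaves the URL unchanged; it does not alter
#     authentication or authorization.

# Apache 2.4: authorization set here replaces the inherited
# "Require valid-user" for matching files (AuthMerging is Off by default).
<IfModule mod_authz_core.c>
    <FilesMatch "\.(?i:css|js|png|gif|jpe?g|svg)$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2: "Satisfy Any" lets the host-based Allow succeed on its own,
# so no credentials are requested for matching files.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(?i:css|js|png|gif|jpe?g|svg)$">
        Order Allow,Deny
        Allow from all
        Satisfy Any
    </FilesMatch>
</IfModule>
```

Direct requests for .php files in that folder, and everything else under /administrator/, still get the password prompt.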

PePa

Ok, thanks so far. I will give it another try.

Usually other extensions don't do that or need to access the admin area; as said, it would open up security risks for the admin area.
Maybe this could be an idea for future releases of C4, to change that for more security?

Peter

GreyHead

Hi Peter,

I doubt if it will be changed in CFv4 - CFv5 has a different structure with the shared files in a library if you want to use that instead.

Bob

ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much

PePa

Hi Bob,
Thanks for your time.

Well, I already tried CFv5 (in an offline environment, just to try) and have to say it wasn't so bad either ... except for the fact that it doesn't read my CFv4 forms anymore.

Sure, it is a different structure as you say ... but something like a "Transform" function for old forms would have been great.
At least when I tried to load my old forms it refused to read them ... saying they're old CFv4. Well.

Rebuilding a lot of forms for about 4 websites ain't no fun, as you might imagine; that's why I have stuck with CFv4 up to this day. I am running my websites (private sites and a musicians' community) all in my spare time, so I am happy enough they're up and running well. So I'd better spend time creating new content than rebuilding around 15 forms from scratch...

Anyway, thanks. I will try the check with special folder rights, hoping that this will solve my prob. I'll be back with you as soon as I know about it.

Again, thanks,
Peter

GreyHead

Hi Peter,

That's fine, by all means stay with CFv4; it was just a suggestion to get round your security concerns.

Bob

ChronoForms technical support
If you'd like to buy me a coffee or two, thank you very much