I can't seem to figure out what is wrong with the Super Administrator accounts on both my test and live sites (<!-- w --><a class="postlink" href="http://www.shannonsdelights.com">www.shannonsdelights.com</a><!-- w -->). I uninstalled a couple of modules consecutively and when I went to user manager, Super Administrator wasn't showing up. All the tables that refer to users look correct, and the Super Administrator is listed in the DB.
Anyone have any ideas what i can check quickly or what I can do to create another Super Administrator???
Thanks,
TokenRing
Anyone have any ideas what i can check quickly or what I can do to create another Super Administrator???
Thanks,
TokenRing
Hi Tokenring,
My first suspicion would be that one or more ACO or ARO records are damaged or missing. These are the records that actually tie a user to a set of privileges, and if missing, tend to break some SQL-queries in the user manager.
I'll see if I can't craft a set of demo-records for you to compare with, once I get back home this evening..
/Fredrik
My first suspicion would be that one or more ACO or ARO records are damaged or missing. These are the records that actually tie a user to a set of privileges, and if missing, tend to break some SQL-queries in the user manager.
I'll see if I can't craft a set of demo-records for you to compare with, once I get back home this evening..
/Fredrik
Hi again,
The records, along with comments:
Here, we first have an ARO object for our user (there should be one for each user). This is used to link the actual user account into the ACL system. The id should be unique, and the value should contain the User-ID. Section should be 'users', as this is an ARO object for a user.
Next, we have the ARO Group objects. Unless you have extended your system, there should be 11 records, one for each Usergroup. The group_id is the Group ID, and for Super Administrator this should be 25, as this is hardcoded within both Joomla and many different extensions.
The parent_id is used when building the Tree-like list of groups, as seen in the Account manager, in this case, Super Administrator is shown under the Administrator group (which has id 24).
The lft and rgt fields are used for ordering, and are not linked to the ID's.
Further, we have the ARO Section object. This list the different sections (or kind) of ARO objects. In your standard Joomla site, there would only be the 'users' section, used for user accounts.
Finally, where the magic happens, we have the ARO Map. This is responsible for linking the ARO object with the ARO Group object. The group_id should point to the id in #__core_acl_aro_groups for the group the user belongs to; in this case 25 (Super Administrator). The aro_id should then point to the unique ARO object for the user, in this case it's 10 (from #__core_acl_aro.id for user 62). The section_value should be empty.
In essence, there should be one record in #__core_acl_aro and one record in #__core_acl_groups_aro_map for each user account.
/Fredrik
Edit: mis-typed #__core_acl_groups_aro_map
The records, along with comments:
#__core_acl_aro:
//Maps a User ID to an ARO object; This is the Admin
id: 10 //Auto-Increment
section_value: users //users
value: 62 //UID
order_value: 0
name: Admin //Name from #__users
hidden: 0
#__core_acl_aro_groups:
//Lists the different groups; Super Administrator is:
id: 25
parent_id: 24
name: "Super Administrator"
lft: 18
rgt: 19
value: "Super Administrator"
#__core_acl_aro_sections:
id: 10
value: "users"
order_value: 1
name: "Users"
hidden: 0
#__core_acl_groups_aro_map:
//Maps an ARO object to an ARO-Group object
group_id: 25
section_value: ""
aro_id: 10Here, we first have an ARO object for our user (there should be one for each user). This is used to link the actual user account into the ACL system. The id should be unique, and the value should contain the User-ID. Section should be 'users', as this is an ARO object for a user.
Next, we have the ARO Group objects. Unless you have extended your system, there should be 11 records, one for each Usergroup. The group_id is the Group ID, and for Super Administrator this should be 25, as this is hardcoded within both Joomla and many different extensions.
The parent_id is used when building the Tree-like list of groups, as seen in the Account manager, in this case, Super Administrator is shown under the Administrator group (which has id 24).
The lft and rgt fields are used for ordering, and are not linked to the ID's.
Further, we have the ARO Section object. This list the different sections (or kind) of ARO objects. In your standard Joomla site, there would only be the 'users' section, used for user accounts.
Finally, where the magic happens, we have the ARO Map. This is responsible for linking the ARO object with the ARO Group object. The group_id should point to the id in #__core_acl_aro_groups for the group the user belongs to; in this case 25 (Super Administrator). The aro_id should then point to the unique ARO object for the user, in this case it's 10 (from #__core_acl_aro.id for user 62). The section_value should be empty.
In essence, there should be one record in #__core_acl_aro and one record in #__core_acl_groups_aro_map for each user account.
/Fredrik
Edit: mis-typed #__core_acl_groups_aro_map
wow - this is amazing! Thanks so much Fredrick. I'll look into this when I get home today. I really really appreciate how fast you got back to you. Your response was quicker and more elaborate than the one I got a Joomla.org.
Aaron
Aaron
Okay! I think I may have found something wrong and I've gained some knowledge about these tables. I'll post my results and some thoughts.
In the meantime, before a Joomla Component, Module and/or Plugin is posted on JED... what gates/tests do they go through first?
Aaron
In the meantime, before a Joomla Component, Module and/or Plugin is posted on JED... what gates/tests do they go through first?
Aaron
Hi,
Here is a comparison of my missing super administrator account:
core_acl_aro
10 users 62 0 Administrator 0
core_acl_aro_groups (11 records)
25 24 Super Administrator 16 17 Super Administrator
core_acl_aro_sections
10 users 1 Users 0
and my working administrator:
core_acl_aro
11 users 63 0 super duper 0
core_acl_aro_groups (11 records)
24 23 Administrator 15 18 Administrator
core_acl_aro_sections
10 users 1 Users 0
I actually thought that I noticed something but I was wrong. I was even confusing myself because of the name I gave the "Administrator" account.
Aaron
Here is a comparison of my missing super administrator account:
core_acl_aro
10 users 62 0 Administrator 0
core_acl_aro_groups (11 records)
25 24 Super Administrator 16 17 Super Administrator
core_acl_aro_sections
10 users 1 Users 0
and my working administrator:
core_acl_aro
11 users 63 0 super duper 0
core_acl_aro_groups (11 records)
24 23 Administrator 15 18 Administrator
core_acl_aro_sections
10 users 1 Users 0
I actually thought that I noticed something but I was wrong. I was even confusing myself because of the name I gave the "Administrator" account.
Aaron
Hi Aaron,
What about the records in the #__core_acl_groups_aro_map? Without thes records, there is no link between the user ARO record and the group ARO record.
/Fredrik
What about the records in the #__core_acl_groups_aro_map? Without thes records, there is no link between the user ARO record and the group ARO record.
/Fredrik
actually I was looking at the wrong table before (core_acl_aro_map) and thought the information wasn't valuable. Now looking in core_acl_groups_aro_map i see
groupID aroID
23 12
24 11
25 10
so...
core_acl_aro
10 users 62 0 Administrator 0
core_acl_aro_groups (11 records)
25 24 Super Administrator 16 17 Super Administrator
core_acl_aro_sections
10 users 1 Users 0
I think I see the problem. Before I guess incorrectly, let me just make sure.
Aaron
groupID aroID
23 12
24 11
25 10
so...
core_acl_aro
10 users 62 0 Administrator 0
core_acl_aro_groups (11 records)
25 24 Super Administrator 16 17 Super Administrator
core_acl_aro_sections
10 users 1 Users 0
I think I see the problem. Before I guess incorrectly, let me just make sure.
Aaron
[attachment=0]acl_aro.JPG[/attachment]
everything looks ok to me... but I"m still looking.
Aaron
everything looks ok to me... but I"m still looking.
Aaron
Hmm...
That does indeed look proper.
Could you run this query in phpmyadmin or similar?
That is pretty much the query used by Joomla to get the list of user accounts from within the account manager. If the super administrator record shows up in the result, then your DB records should be in order.
/Fredrik
That does indeed look proper.
Could you run this query in phpmyadmin or similar?
SELECT a.*, g.name AS groupname
FROM jos_users AS a
INNER JOIN jos_core_acl_aro AS aro ON aro.value = a.id
INNER JOIN jos_core_acl_groups_aro_map AS gm ON gm.aro_id = aro.id
INNER JOIN jos_core_acl_aro_groups AS g ON g.id = gm.group_id
GROUP BY a.id
ORDER BY a.nameThat is pretty much the query used by Joomla to get the list of user accounts from within the account manager. If the super administrator record shows up in the result, then your DB records should be in order.
/Fredrik
'k, then your DB records are properly linked, and to be honest I'm running low on ideas..
Are you using any usergroup or access extensions such as NoixACL on your system?
Also, when logged in on your admin site, can you manually access the user edit page for your super administrator? The URL should be http://www.example.com/administrator/index.php?option=com_users&view=user&task=edit&cid[]=62
If you can open it, try editing the username or similar, then save. Since we're editing a super administrator, you'll have to be logged on as one as well (if you can, login as the super administrator account).
/Fredrik
Are you using any usergroup or access extensions such as NoixACL on your system?
Also, when logged in on your admin site, can you manually access the user edit page for your super administrator? The URL should be http://www.example.com/administrator/index.php?option=com_users&view=user&task=edit&cid[]=62
If you can open it, try editing the username or similar, then save. Since we're editing a super administrator, you'll have to be logged on as one as well (if you can, login as the super administrator account).
/Fredrik
Hey Fredrick,
I'm not using any usergroup or access extensions. All of the modules, components and plugins that I've installed are listed in this thread. I've only done about 12. Take a look at the list and let me know.
so when I'm logged in, I can get to that URL. Everything looks fine, except for the "user editor" for the Super Administrator as it is set to *none*. I think I know what it is... brb.
I'm not using any usergroup or access extensions. All of the modules, components and plugins that I've installed are listed in this thread. I've only done about 12. Take a look at the list and let me know.
so when I'm logged in, I can get to that URL. Everything looks fine, except for the "user editor" for the Super Administrator as it is set to *none*. I think I know what it is... brb.
Hey Fredrick,
K, here we go. I have installed the following modules, components and plugins on the site.
mod_briaskiss
mod_easyadsense
mod_fisheye
mod_mainmenu
mod_random_image_plus
mod_slideshow_pro
com_chronoforms
com_favicon
plg_ie_compatibility_1.1
plg_editor_switcher
plg_fboxbot
plg_idoeditor
plg_jsecure
plg_rokbox
plg_SEOsimple
plg_shadowbox
plg_jsecure
and I think/believe that the ones that I put in bold are the culprit. These are the plugins that I was working with (configuration/enable/disable) when I noticed the error.
I am able to get to that URL you gave me, however if I attempt to change anything for the Super Administrator, I see the following:
You cannot edit a super administrator account
I noticed that the Super Administrator account has nothing set (editor, language, timezone). Would having the *editor* field not set do that?
Another question I have is, how am I able to get to that URL when I have jsecure plugin installed which adds a folder to the path for the admin account? Somehow we bypassed it. I should let jesure know this, unless I'm completely wrong here. you shouldn't be able to use a direct link.
I might uninstall both of those bolded plugins now unless you tell me otherwise.
Aaron
K, here we go. I have installed the following modules, components and plugins on the site.
mod_briaskiss
mod_easyadsense
mod_fisheye
mod_mainmenu
mod_random_image_plus
mod_slideshow_pro
com_chronoforms
com_favicon
plg_ie_compatibility_1.1
plg_editor_switcher
plg_fboxbot
plg_idoeditor
plg_jsecure
plg_rokbox
plg_SEOsimple
plg_shadowbox
plg_jsecure
and I think/believe that the ones that I put in bold are the culprit. These are the plugins that I was working with (configuration/enable/disable) when I noticed the error.
I am able to get to that URL you gave me, however if I attempt to change anything for the Super Administrator, I see the following:
You cannot edit a super administrator account
I noticed that the Super Administrator account has nothing set (editor, language, timezone). Would having the *editor* field not set do that?
Another question I have is, how am I able to get to that URL when I have jsecure plugin installed which adds a folder to the path for the admin account? Somehow we bypassed it. I should let jesure know this, unless I'm completely wrong here. you shouldn't be able to use a direct link.
I might uninstall both of those bolded plugins now unless you tell me otherwise.
Aaron
I ran the insert query http://docs.joomla.org/How_do_you_recover_your_admin_password%3F on the DB and it did create the *admin2* Super Administrator account successfully. I was able to login to the front-end and back-end with the new account. I then navigated to the user manager and I was able to now see the *administrator* account (Super Administrator). I was even now able to login to the front-end and back-end with this account.
So somehow in creating the new Super Administrator account through MySQL, it restored the other user account.
Another symptom I am still experiencing is that I can't see some menu items in the back-end. For instance, I still can't see
Template Manager.
Thanks for all the help.
Aaron
So somehow in creating the new Super Administrator account through MySQL, it restored the other user account.
Another symptom I am still experiencing is that I can't see some menu items in the back-end. For instance, I still can't see
Template Manager.
Thanks for all the help.
Aaron
Hi Aaron,
Lets see.. I havn't used the JSecure plugin myself, but reading the description from the JED, it would only protect the login-page.
plg_idoeditor & plg_editor_switcher: I can't see anything in the source that would interfere with the user manager at all. Both are Editor plugins, and are very unlikely to interfere with the user manager. We'd rather be looking for some system or user plugin that might interfere.
The error regarding "You cannot edit a super administrator account" is because your other admin account is not a super administrator, just a normal administrator.
--- Update:
Now that's very interresting. That query should not touch the existing super administrator account at all. Could it be you've got some plugin that "hides" super administrator accounts from anyone but super administrators?
Missing Menu Items:
The Template Manager is added through the modMenuHelper::buildMenu() method, and will only add this link if the currently logged in user has access to the 'com_installer' section 'module' value and 'com_templates' section 'manage' value ACO's (Access Control Objects). These rules are hardcoded in the JAuthorization class, and short story, requires group membership "super administrator" (having the usertype field in #__users set to "Super Administrator".
So... Step one, doublecheck the #__users records that your admin accounts have the usertype exactly set to "Super Administrator"
Step two (if step one did not solve this issue), try restoring /libraries/joomla/user/authorization.php from a fresh download off joomla.org
/Fredrik
Lets see.. I havn't used the JSecure plugin myself, but reading the description from the JED, it would only protect the login-page.
plg_idoeditor & plg_editor_switcher: I can't see anything in the source that would interfere with the user manager at all. Both are Editor plugins, and are very unlikely to interfere with the user manager. We'd rather be looking for some system or user plugin that might interfere.
The error regarding "You cannot edit a super administrator account" is because your other admin account is not a super administrator, just a normal administrator.
--- Update:
Now that's very interresting. That query should not touch the existing super administrator account at all. Could it be you've got some plugin that "hides" super administrator accounts from anyone but super administrators?
Missing Menu Items:
The Template Manager is added through the modMenuHelper::buildMenu() method, and will only add this link if the currently logged in user has access to the 'com_installer' section 'module' value and 'com_templates' section 'manage' value ACO's (Access Control Objects). These rules are hardcoded in the JAuthorization class, and short story, requires group membership "super administrator" (having the usertype field in #__users set to "Super Administrator".
So... Step one, doublecheck the #__users records that your admin accounts have the usertype exactly set to "Super Administrator"
Step two (if step one did not solve this issue), try restoring /libraries/joomla/user/authorization.php from a fresh download off joomla.org
/Fredrik
K, I'll check this stuff out tonight (FREDRICK - you are the best) for sure and I actually can't wait to do it.
There was this one system plugin that I disabled/uninstalled and I can't find it. I had the publisher's site, but I couldn't find it or it wasn't listed on his site. Let me see what I can remember and I will post it after lunch.
all of this publishers plugins/modules have the prefix No! or something like that. It will come to me... just give me a bit.
Aaron
There was this one system plugin that I disabled/uninstalled and I can't find it. I had the publisher's site, but I couldn't find it or it wasn't listed on his site. Let me see what I can remember and I will post it after lunch.
all of this publishers plugins/modules have the prefix No! or something like that. It will come to me... just give me a bit.
Aaron
well that query must have touched something with the *administrator* account, because it was enabled, viewable and usable as soon as I ran the insert. Also, when I login to the back-end now as the normal Administrator I am able to see ALL users in the User Manager. I guess that means there isn't that plugin you mentioned to restrict the view of the Super Administrator group/users from a normal administrator.
Also, this user was available and viewable when all of these plugins were installed and enabled. It was the disabling or uninstalling of a plugin that did this.
I think it was the cache plugin that did it, but that is obviously wrong. I went to http://www.joomlahostingreviews.com/guides/core-joomla-plugins-explained.html which shows all the default plugins native to Joomla which reminded me of the cache plugin. I'm lost????
Aaron
Also, this user was available and viewable when all of these plugins were installed and enabled. It was the disabling or uninstalling of a plugin that did this.
I think it was the cache plugin that did it, but that is obviously wrong. I went to http://www.joomlahostingreviews.com/guides/core-joomla-plugins-explained.html which shows all the default plugins native to Joomla which reminded me of the cache plugin. I'm lost????
Aaron
I just disabled those 2 plugins (editor and the switcher) and now both of those Super Administator accounts are gone from User Manager and are not able to be logged in. Now I will have to run that insert again and create a 3rd Super Administrator.
This is crazy. Fredrik can you PM me when you get a chance?
Thanks,
Aaron
This is crazy. Fredrik can you PM me when you get a chance?
Thanks,
Aaron
k, well in troubleshooting a bit yesterday I seemed to have caused the "unable to login with the SA" account to go away. I know from above that I wasn't able to see the account in the User Manager because I was only logged in as an *administrator* user and you can't see users with permissions higher than which you are currently logged in as.
I had to disable/all extra plugins that i've installed since the base installation. I'll still post some screenshots. Thanks for the help so far and hopefully you'll be able to see something from my pictures.
Aaron
I had to disable/all extra plugins that i've installed since the base installation. I'll still post some screenshots. Thanks for the help so far and hopefully you'll be able to see something from my pictures.
Aaron
This topic is locked and no more replies can be posted.
