
You don't have permission to access /administrator/index.php

jhainsworth 16 Feb, 2012
I have been testing v4 on j17 on my local sandbox.

I installed it on my hosted production server, then exported my forms from the local version and imported them into production.

Now whenever I try to make a change to any form on production I get this error...

You don't have permission to access /administrator/index.php on this server.

This happens if I click save and close, save or cancel. I have no problem accessing /administrator/index.php on any other component.

I have tried changing the permissions on index.php, no difference.

I have tried making the recommended changes to .htaccess, no difference.

I really appreciate any assistance.

Thanks
Jeff.
GreyHead 16 Feb, 2012
Hi Jeff,

I'm sorry, I don't have any good suggestions :-(

It may be a problem with server security, we know that suhosin sometimes objects to the number of variables that ChronoForms submits but the error messages are different. Have you checked the server logs to see if there is anything more helpful there?

Bob
jhainsworth 18 Feb, 2012
GreyHead, thanks for the reply.

I am not sure what the error info in the log means, but I have included it below.

mod_security: Access denied with code 403. Pattern match "/etc/passwd|\\\\?|\\\\?|bin/perl|bin/[a-z]*sh|^ls$" at ARGS_VALUES("chronoaction[3][action_custom_code_3_content1]") [severity "EMERGENCY"] [hostname "www.mycbcc.org"] [uri "/administrator/index.php"] [unique_id "Tz794X8AAAEAAAVMTfk"]



Any help or pointers would be greatly appreciated.

Thanks
jhainsworth 18 Feb, 2012
This only seems to happen with list forms that use custom code to display the records.
GreyHead 18 Feb, 2012
Hi jhainsworth ,

The error message is from ModSecurity, which is a security module on your server. At a guess your custom code included an input with the name 'passwd' and ModSecurity sees it as a possible threat so blocks it.

The best thing to do is probably to adjust the mod_security settings so that it will allow you to save your forms from the admin area without too much fuss.

Bob
jhainsworth 24 Feb, 2012
My code doesn't reference passwd anywhere in it.

These are all wizard forms, so must be coming from the generated code.

The ISP will not change the security and I don't blame them, you just can't be too careful with access to the passwd file on a Unix server.


BTW, these forms all run fine, it is only editing them that is an issue. So, I don't think it has anything to do with my code, but with the backend chronoforms edit code.


I have a clunky work-around in that I can edit them on my standalone joomla 1.7 instance on my laptop and then export the modified forms, copy the export up to the server and import. That sure is a lot to do for a simple update.
GreyHead 24 Feb, 2012
Hi jhainsworth,

It's up to you what solution you choose. I can only give you my two penn'orth.

Just to confirm though that ChronoForms doesn’t have 'passwd' anywhere in the code.

Bob
jhainsworth 24 Feb, 2012
Bob, I appreciate your help.

If neither code has passwd in it then I am totally confused by the message in the error log. This must be one of those times when the error message is simply misleading.

I will go back to the ISP again to see if they will help loosen the mod_security settings.


Thank goodness I still have my local system or I would be out of luck. A lot of extra work this way though.


Let me know if you have any other suggestions.

Thanks again for all the support you give to everyone on the forum!
GreyHead 24 Feb, 2012
Hi jhainsworth,

What code do you have in the Custom Code box in your form?

Bob
jhainsworth 24 Feb, 2012
Hi Bob,

I have about a dozen of these multi-record list forms. They all fail in the editor when I save or cancel.

Here is the code from one of them:

<?php foreach($form->data['Family'] as $head): ?>
<table>
<tr>
  <td rowspan=4 valign="top"><h3><?php echo $head['Given_Names'] . ' ' . $head['Family_Name']; ?></h3></td>
  <td rowspan=4>    </td>
  <td><h3><?php echo $head['HomeAddress1']; ?></h3></td>
  <td rowspan=4>    </td>
  <td rowspan=4><img src=<?php echo '"images/members/' . $head['FamilyImageFile'] . '"'; ?> width="175" height="175" /></td>
</tr>
<tr>
  <td><h3><?php echo $head['HomeAddress2']; ?></h3></td>
</tr>
<tr>
  <td><h3><?php echo $head['HomeAddressCity']; ?>, <?php echo $head['HomeAddressState']; ?>  <?php echo $head['HomeAddressZip']; ?></h3></td>
</tr>
<tr>
  <td><h3><?php echo $head['HomePhone']; ?></h3></td>
</tr>
</table>
<?php endforeach; ?>
<br>
<table>
<tr>
  <td><h3>Name</h3></td>
  <td>     </td>
  <td><h3>Cell Phone</h3></td>
  <td>     </td>
  <td><h3>Email</h3></td>
  <td>     </td>
  <td><h3> </h3></td>
</tr>
<?php foreach($form->data['FamilyMember'] as $detail): ?>
<tr>
  <td><h3><?php echo $detail['Full_Name']; ?></h3></td>
  <td>     </td>
  <td><h3><?php echo $detail['CellPhone']; ?></h3></td>
  <td>     </td>
  <td><h3><?php echo $detail['EmailAddress']; ?></h3></td>
  <td>     </td>
  <td><h3><a href="index.php?option=com_chronoforms&amp;chronoform=ChurchMembersV&amp;name=<?php echo urlencode($detail['Full_Name']); ?>">Details</a></h3></td>
</tr>
<?php endforeach; ?>
</table>


I have several add/update screens, that don't use any custom code they all save fine.
GreyHead 24 Feb, 2012
Hi jhainsworth,

I tried testing that with the regex in the error message and there doesn't seem to be a match. All a bit odd :-(

Bob
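The denial line posted earlier in the thread names one pattern made of several alternatives, so `/etc/passwd` is only one of the things that could have matched. The following added example (not code from the thread or from ChronoForms) parses that line, splits the pattern into its alternatives and tests each one against a submitted value. Assumptions: Python's `re` stands in for the server's regex engine, the sample value is one line of the custom code posted in the thread, and `unescape` is a hypothetical knob for undoing backslash doubling that logging or forum layers may have added.

```python
import re

# Log line copied from the thread (raw string keeps its backslashes as posted).
LOG = r'''mod_security: Access denied with code 403. Pattern match "/etc/passwd|\\\\?|\\\\?|bin/perl|bin/[a-z]*sh|^ls$" at ARGS_VALUES("chronoaction[3][action_custom_code_3_content1]") [severity "EMERGENCY"] [hostname "www.mycbcc.org"] [uri "/administrator/index.php"] [unique_id "Tz794X8AAAEAAAVMTfk"]'''

# Constructed sample: one line of the custom code posted in the thread.
SAMPLE = "<td><h3><?php echo $head['HomePhone']; ?></h3></td>"

LOG_RE = re.compile(
    r'Pattern match "(?P<pattern>.*?)" at (?P<var>\w+)\("(?P<name>[^"]*)"\)')

def parse_denial(line):
    """Extract the rule pattern, variable collection and argument name."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def split_alternatives(pattern):
    """Split on top-level '|', skipping escaped chars, groups and classes."""
    parts, buf, depth, i = [], [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            buf.append(pattern[i:i + 2])   # keep an escape pair together
            i += 2
            continue
        if c in "([":
            depth += 1
        elif c in ")]" and depth:
            depth -= 1
        if c == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts

def matching_alternatives(pattern, value, unescape=0):
    """Return (alternative, matched text) for every alternative that hits."""
    for _ in range(unescape):              # assumed escaping layers to undo
        pattern = pattern.replace("\\\\", "\\")
    hits = []
    for alt in dict.fromkeys(split_alternatives(pattern)):  # drop duplicates
        m = re.search(alt, value)
        if m:
            hits.append((alt, m.group(0)))
    return hits

if __name__ == "__main__":
    denial = parse_denial(LOG)
    print("blocked argument:", denial["name"])
    for level in range(3):
        print(level, matching_alternatives(denial["pattern"], SAMPLE, level))
```

Taken verbatim, no alternative matches the sample line, which agrees with the test reported in the post above. The page does not establish how many escaping layers separate the live rule from the posted text, so results at other `unescape` levels are leads to check with the host, not a diagnosis.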
jhainsworth 24 Feb, 2012
Bob, I agree, very odd, that is why I thought it must be coming from some chronoforms backend code that I could not see. But you say there is nothing like that in CF, so I will turn it over to the ISP and see what they say.

Thanks for looking at it though.
jhainsworth 25 Feb, 2012
I got the ISP to whitelist index.php and everything works now.
GreyHead 25 Feb, 2012
Hi jhainsworth,

:-)

Bob