Blank Backend Page

[aussie123]

Thanks ShMaunder
That file change fixed my site and it's all back to normal.
Lance

[NorfolkBroad]

Thanks the helper.php fix worked for me too.

[ShMaunder]

Cool. Hopefully J! can turn out 2.5.5 asap as I think this should be higher than a priority 2 bug imho.

As the bug report says, it is caused by the following action "set the permissions for Public group to allow admin login.".

[gar5]

the fix worked for my page ---- but when I logged into the backend the user/manager page appeared with the following comment in RED:

Table 'data'.jos_user_notes' doesn't exist SQL=SELECT n.user_id, COUNT(n.id) As note_count FROM jos_user_notes AS n WHERE n.user_id IN (173,279,67,103,117,114,250,232,246,183,143,122,78,155,177,184,227,252,68,216) AND n.state >= 0 GROUP BY n.user_id

and as one might expect I cannot see the user list. Now What?

[NorfolkBroad]

Can you access the extension manager? You could try using the database fix in there maybe?

[ShMaunder]

Actually, this is not a great fix. I have a better fix that does not require changing any files and fixes the root cause of the problem.

1) Go to /administrator/?option=com_login
2) Enter a super user username and password
3) Go to Site->Global Configuration then click on the "Permissions" tab
4) Set the Public "Admin Login" to "Not Set"
5) Click Save & Close
6) Try to log out and see if the login form appears

This has happened due to either a dodgy default or user misconfiguration. You should check all permissions across all components to ensure they're correct.

I've now added this to my original fix post.

[leolam]

Why don't you all follow the link Shaun posted http://joomlacode.org/gf/project/joomla ... m_id=28354 download and apply the patch? That will solve your issue!

Leo

[ShMaunder]

Why don't you all follow the link Shaun posted http://joomlacode.org/gf/project/joomla ... m_id=28354 download and apply the patch? That will solve your issue!

Leo

The only problem with applying only the patch is that it is not fixing the root cause of the problem. The intended behaviour is actually correct in 2.5.4 as it does allow the public group (i.e. non-logged in) to access the backend when public "Admin Login" has been set. The patch actually breaks this functionality, though I'm not sure why anybody would have a logical reason to allow non-logged in users access to the backend so due to that reason, I agree that the patch should be in the trunk.

However, the reason I'm replying is I believe that most site admins are unaware of the value of this setting. As the public group is at the top of the tree by default, then you'll find that all child groups are inheriting from this public group and therefore, all registered users can log into the backend (including ones that have self registered from the frontend). The problem with logging into the backend is by default, you can list all users in com_users with their names, emails etc. as well as any components that probably have no ACLs. That is a security problem imho and is why I'm trying now to get users to change this setting instead of applying the patch (Method 1 vs Method 2 in my 'fix' post).

I only came to my senses on this issue yesterday, and is why I changed my post to include the 'Method 1' fix. I believe something more should be done within Joomla on this issue and the first thing should be done is disabling listing all users in com_users by default. Do you have any thoughts on this?

[gulamc]

I have the same problem after upgrading to 2.5.4, tried both methods but no luck. Also applied the patch.

Is there anything else that I can do? What is method C?

Gulam

[jasonmain13]

Thank you, I only had this issue with 2 of my sites, I had to restore a hosting backup to regain administrator access, then I ran the update and corrected the permissions before I logged out, as there were conflicts with permissions in ACL, My V2.5.4 administrator login problem is solved.

[ShMaunder]

@gulamc
Sounds like something else is wrong. Method C is this:
http://docs.joomla.org/Upgrading_from_a ... gram_Files

Also you may need to try and fix your database by using a previous /administrator directory. Webdongle's method can achieve that:
http://forum.joomla.org/viewtopic.php?f ... 9#p2783198

Of course though, check its not a module problem neither by trying to browse to /administrator/index.php?option=com_modules then checking the 'Administrator' modules are published etc.

[EdoRo]

Hello, I had the same issue, but going through the /administrator/?option=com_login# made the back-end accessible for me.
Should I access the website in this way and wait for the update to 2.5.5 ?

I made the changes from the Fix 1 by the @ShMaunder, but it didn't worked and still need to access it with this /?option=com_login#

[DavidStrayhorn]

I have been having the same issue. I can go through /administrator/?option=com_login to make the back-end accessible but am eager for a more definitive fix due to security concerns.

Recently, for security reasons, I created a new super administrator and deleted the original one (id 42), because I wanted the super administrator to have a different name and user id (rather than the default) -- I wonder whether this might be related? Anyone else with this issue futz around with the id of the super user?

[ShMaunder]

@EdoRo @DavidStrayhorn

OK, potentially method 1 isn't fully complete for all instances of Joomla. It works on some but maybe other settings are present that also need to be set. I will look into that.

For now do Method 2 which is basically applying the patch. After completing method 2, you should also test if standard 'Registered' users can log into the backend and list components (i.e. com_users) that they shouldn't.


Edit: <removed that>, nothing to do with anything...

[ShMaunder]

I just posted a useless question in that last post. @EdoRo can you tell me what your "Guest User Group" is set as inside com_users backend Options'?

[EdoRo]

@EdoRo @DavidStrayhorn

OK, potentially method 1 isn't fully complete for all instances of Joomla. It works on some but maybe other settings are present that also need to be set. I will look into that.

For now do Method 2 which is basically applying the patch. After completing method 2, you should also test if standard 'Registered' users can log into the backend and list components (i.e. com_users) that they shouldn't.


Edit: <removed that>, nothing to do with anything...

I GOT IT FIXED

I was checking PERMISSIONS in GLOBAL CONFIGURATIONS in the back-end and I saw some conflicts in "Calculated Setting 2", which didn't gave me any troubles until now ... I got them fixed (I made the setting in the parent NOT SET) and now everything is working as it should!

Thanks!

[DavidStrayhorn]

@EdoRo - what were the conflicts?

[DavidStrayhorn]

this bug makes me think of Hotel California - you can check out any time you like, but you can never leave ...
;-)

[EdoRo]

@EdoRo - what were the conflicts?

I'm a noob in Joomla... so forgive me. I miss-used the permission. I have only one category of permissions with two children, one for Registered users and one for Super users, so my parent had some contradicting setting with the (Superuser). I made the setting in the parent NOT SET. That fixed the setting in the child and also the blank login page problem.

[ShMaunder]

@DavidStrayhorn

I guess you have tried method 1 to fix? If you don't have any conflicts showing in your global configuration then thats good. I guess the next question is what your "Guest User Group" is as inside com_users backend Options' ?

And no it shouldn't be anything to do with deleting the admin user. Though I would have just disabled it rather then delete it.

[DavidStrayhorn]

Hi ShMaunder,

I have tried method 1 but the problem persists. The parent user group is "Public", is that what you mean by Guest User Group? I am pretty much a noob with joomla which is one reason I figured I would wait for a fix before uploading my site to my rochen account (right now it's just on my laptop). Also, I'm not sure

btw the site with the problem I recently updated from 1.7 to 2.5.4. Just now, I updated another site local to my laptop from 2.5.3 to 2.5.4 and did not experience the problem. As I compare the permissions settings between the working vs broken site, I see that on the working site, _every_ permission for the parent (Public) is "not set", and each permission setting on each of its children is either "inherited" or "allowed". I'm assuming this is the way it's supposed to be? ... On the broken site, otoh, all 10 permission settings for the "Public" user group are "allowed" except for "admin login" which I changed to "not set" according to method 1. Perhaps I should change them _all_ to not set?

[DavidStrayhorn]

So I changed them all to "not set" and that did indeed seem to fix the problem. So I suppose I did have a conflict in my global configuration permission settings, although I don't know when or why the conflict arose.

[ShMaunder]

LOL, by default, the Public permissions in Global Configuration are all set to "Not Set". This is the values it should be as you don't want to be giving out permissions to users (i.e. you are giving that to everyone including guests).

You will want to test your site as you may need to give (authorised and allowed) users the proper permissions they need depending on their group.

Do you know if somebody changed this accidentally or was it a default ?

[DavidStrayhorn]

It may have been set that way by default, but it's been about 6 months since I did any work on this site so I can't say for certain that I didn't change them for some reason (intending to change back before going online). In any case I know I need to review ACL core concepts!
David

[ShMaunder]

Cool. OK, I've modified the post again to ensure users have "Not Set" on the values in the Public drop down.

[EdoRo]

Cool. OK, I've modified the post again to ensure users have "Not Set" on the values in the Public drop down.

The fault could be any conflict in the Permissions tab regarding the Superusers?
I had only Public because I deleted the rest some time ago, Registered and Special. Maybe other users have conflicts in other areas.

[ShMaunder]

The fault could be any conflict in the Permissions tab regarding the Superusers?
I had only Public because I deleted the rest some time ago, Registered and Special. Maybe other users have conflicts in other areas.

I'm a little confused by your post.

So you have only Public and Super Users? Super Users is a child of Public I guess.

Most of the Super Users permissions are forced on (except Super Admin) regardless if they are set to denied or have a conflict. So if I denied some permissions in Public, even though it states there is a conflict with the super users permissions, the super users group is still allowed those permissions when you try it for real. However, this doesn't affect any other group further up the permission tree.

So as long as the Public permissions all have "Not Set", then this 'bug' is fixed because conflicts cannot propagate up the tree, only down. Have I overlooked something?

[EdoRo]

The fault could be any conflict in the Permissions tab regarding the Superusers?
I had only Public because I deleted the rest some time ago, Registered and Special. Maybe other users have conflicts in other areas.

I'm a little confused by your post.

So you have only Public and Super Users? Super Users is a child of Public I guess.

Most of the Super Users permissions are forced on (except Super Admin) regardless if they are set to denied or have a conflict. So if I denied some permissions in Public, even though it states there is a conflict with the super users permissions, the super users group is still allowed those permissions when you try it for real. However, this doesn't affect any other group further up the permission tree.

So as long as the Public permissions all have "Not Set", then this 'bug' is fixed because conflicts cannot propagate up the tree, only down. Have I overlooked something?

Exactly as you said. I had the Public (the only parent left in my Permissions tab) with some of the setting set to denied. And then in the child Super Users of course had the permissions allowed. There it was the conflict that made the error.
But I was wondering if this kind of conflicts cannot appear in other Parents which are there after instaltion by default, not my case since I deleted them.

For a first time joomla user this part (ACL) it was confusing even after reading the documentation and watching tutorials. I guess it could be done something to improve the concept.

[britnik]

Thanks ShMaunder the second method worked perfectly for me

[GetMyBrandOn]

Thanks Shaun! The helper.php fix worked.