[MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

skynet80
Joomla! Intern
Posts: 54
Joined: Sat Oct 01, 2005 7:44 pm
Location: Tula,Russia

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by skynet80 » Thu Oct 05, 2006 7:53 am

I disabled the spoofing protection in VirtueMart and can now log in to VirtueMart.
http://myjoomla.ru :: Joomla Tutorials on Russian

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Thu Oct 05, 2006 9:08 am

This problem exists within Joomla! 1.0.11 and thus needs fixing (for this version and versions beyond).
I don't believe users should have to add 3rd party components (VirtueMart) in order to solve a base issue.

If that was the tack to solve problems, we wouldn't use a CMS but a mashed-together bunch of somehow working together 3rd party components, which most would know generally opens up more vulnerabilities than features.

alikon
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by alikon » Thu Oct 05, 2006 9:16 am

I'm sorry, perhaps I've lost something in the previous post, so

my question is:
do you have the same problem with a fresh Joomla install without any other 3PD?
Nicola Galgano
i know that i don't know
www.alikonweb.it

Robin
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Robin » Thu Oct 05, 2006 9:34 am

Update: there are currently 3 devs looking at the problem, so we are on it ;) They might be onto something due to the extra info you provided, Devz. Again, thanks for that.

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Beat » Thu Oct 05, 2006 10:12 am

I checked quickly into this problem and think I found a part of the problem (got hinted by the "reload" hint, thanks) :) :

It seems to be related to a php bug in setcookie(), which is not sent when there is a mosRedirect() called thereafter (and that's exactly the case when logging in :D ) :P :

http://www.php.net/manual/en/function.setcookie.php

See comments of 19-Aug-2006 and 17-Sep-2006:
If you try to call setcookie() before issuing a 302 via a header("Location:..."), the cookie will not be sent as part of the 302 response. To get the cookie in the header, use the header() function instead of setcookie(), i.e. header("Set-Cookie: cookiename=cookievalue; expires=18-Oct-2008 GMT; path=/; domain=.www.domain.com");

Note also that PHP setcookie() formats the date without dashes, which is accepted by major browsers, but is not in accordance with the Netscape cookie spec, which specifies the date with dashes.
The 17-Sep-2006 comment proposes a fix, which needs careful review...
Now, for a non-buggy setcookie that doesn't vanish on Location: redirects. In fact, I suggest you use this instead of the built-in setcookie() function. It also supports "HttpOnly". Usage is the same as the original setcookie() function:

Code:

<?php

// Replacement for setcookie() that writes the Set-Cookie header directly.
function set_cookie($name, $value = '', $expires = 0, $path = '', $domain = '', $secure = false, $http_only = false)
{
   // The second argument (false) appends the header instead of replacing an earlier Set-Cookie.
   header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
                         . (empty($expires) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires))
                         . (empty($path)    ? '' : '; path=' . $path)
                         . (empty($domain)  ? '' : '; domain=' . $domain)
                         . (!$secure        ? '' : '; secure')
                         . (!$http_only    ? '' : '; HttpOnly'), false);
}

To make a "raw" version of this, get rid of the rawurlencode functions.
I'm also suspecting the use of "false" versus '' (you need to use '' with the alternate implementation above) as a $expires value for saying "valid during session", but the above bug description would be a plausible description of the problem.

Actually, the very best fix for this problem would probably be to avoid completely the redirect at login and logout. ;)

+ take a look at the other users comment in that php manpage: very helpful...

Don't have time today to implement and check fix, but thought to share this "heads-up" :)

+ that's more core DEV duties, than Q&T's ;)  :laugh:

Take care,
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Thu Oct 05, 2006 10:15 am

RobInk: Thanks for the update; re: my extra info - quite welcome.

alikon: I can't answer your question, sorry; my install was a 1.0.10 upgraded to 1.0.11, and various 3rd party packages have been installed.

The fact it primarily appears to revolve around joomla.php (session_id stuff), mod_login, and browser weirdness tends to rule out 3rd party addons. I may be corrected, though I doubt it in this scenario.

facedancer
Joomla! Enthusiast
Posts: 172
Joined: Thu Aug 18, 2005 6:13 am
Location: Antibes, France

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by facedancer » Thu Oct 05, 2006 10:25 am

Beat wrote:
I checked quickly into this problem and think I found a part of the problem (got hinted by the "reload" hint, thanks) :) :

It seems to be related to a php bug in setcookie(), which is not sent when there is a mosRedirect() called thereafter (and that's exactly the case when logging in :D ) :P :

http://www.php.net/manual/en/function.setcookie.php

See comments of 19-Aug-2006 and 17-Sep-2006:
If you try to call setcookie() before issuing a 302 via a header("Location:..."), the cookie will not be sent as part of the 302 response. To get the cookie in the header, use the header() function instead of setcookie(), i.e. header("Set-Cookie: cookiename=cookievalue; expires=18-Oct-2008 GMT; path=/; domain=.www.domain.com");

Note also that PHP setcookie() formats the date without dashes, which is accepted by major browsers, but is not in accordance with the Netscape cookie spec, which specifies the date with dashes.
The 17-Sep-2006 comment proposes a fix, which needs careful review...
Now, for a non-buggy setcookie that doesn't vanish on Location: redirects. In fact, I suggest you use this instead of the built-in setcookie() function. It also supports "HttpOnly". Usage is the same as the original setcookie() function:

Code:

<?php

// Replacement for setcookie() that writes the Set-Cookie header directly.
function set_cookie($name, $value = '', $expires = 0, $path = '', $domain = '', $secure = false, $http_only = false)
{
   // The second argument (false) appends the header instead of replacing an earlier Set-Cookie.
   header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
                         . (empty($expires) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires))
                         . (empty($path)    ? '' : '; path=' . $path)
                         . (empty($domain)  ? '' : '; domain=' . $domain)
                         . (!$secure        ? '' : '; secure')
                         . (!$http_only    ? '' : '; HttpOnly'), false);
}

To make a "raw" version of this, get rid of the rawurlencode functions.
I'm also suspecting the use of "false" versus '' (you need to use '' with the alternate implementation above) as a $expires value for saying "valid during session", but the above bug description would be a plausible description of the problem.

Actually, the very best fix for this problem would probably be to avoid completely the redirect at login and logout. ;)

+ take a look at the other users comment in that php manpage: very helpful...

Don't have time today to implement and check fix, but thought to share this "heads-up" :)

+ that's more core DEV duties, than Q&T's ;)  :laugh:

Take care,
Beat, the problem is that I can't reproduce the problem on dozens of servers I was trying, if I could the fix would be trivial I guess...

Beat
Joomla! Guru
Posts: 840
Joined: Thu Aug 18, 2005 8:53 am
Location: Switzerland

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Beat » Thu Oct 05, 2006 12:09 pm

facedancer wrote: Beat, the problem is that I can't reproduce the problem on dozens of servers I was trying, if I could the fix would be trivial I guess...
I guess the key to reproducing is to clean the cookies of the browser, close it and open it again, then type-in the home-page URL and immediately try to login.

Also I didn't check on PHP bug tracker which versions are affected by that bug.

As said no time to try to reproduce and fix next days.

But here a fix proposal for testing for those who have the problem:

1) add THIS (not the above and without the <?php used only to highlight code nicely in thread) function to includes/joomla.php :

Code:

<?php
// Drop-in replacement for setcookie() that writes the Set-Cookie header directly.
function jSetCookie($name, $value = '', $expires = 0, $path = '', $domain = '', $secure = false, $http_only = false)
{
    // The second argument (false) appends the header instead of replacing an earlier Set-Cookie.
    header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
     . ( ( $expires == false || $expires == 0 || empty($expires) ) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires))
                         . (empty($path)    ? '' : '; path=' . $path)
                         . (empty($domain)  ? '' : '; domain=' . $domain)
                         . (!$secure        ? '' : '; secure')
                         . (!$http_only    ? '' : '; HttpOnly'), false);
}
then replace all "setcookie" by "jSetCookie" in joomla.php.

As said, didn't review or try that proposal so backup first and try at your own risk.

But given the priority, would be interesting to see if it fixes the problem for the ones having it...
Beat 8)
www.joomlapolis.com <= Community Builder + CBSubs Joomla membership payment system - team
hosting.joomlapolis.com <= Joomla! Hosting, by the CB Team
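
The jSetCookie() proposal above copies $path and $domain into the header unchanged. A stricter builder for the same Set-Cookie line, as an added example that is not part of the original posts or of Joomla! (build_set_cookie() and send_cookie() are hypothetical names, and the sample values are constructed):

```php
<?php
// Added example; build_set_cookie() and send_cookie() are hypothetical
// names, not Joomla! or PHP functions.

/**
 * Return the value of a Set-Cookie header. Attribute values are validated
 * because they are copied verbatim: a ';' inside $path or $domain would add
 * an attribute the caller never asked for.
 */
function build_set_cookie($name, $value = '', $expires = 0, $path = '',
                          $domain = '', $secure = false, $http_only = false)
{
    // \z instead of $ so that a trailing newline cannot slip through.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // Printable ASCII only, starting with '/', without ';' or ','.
    if ($path !== '' && !preg_match('/^\/[\x21-\x2B\x2D-\x3A\x3C-\x7E]*\z/', $path)) {
        throw new InvalidArgumentException('invalid cookie path');
    }
    // Dot-separated host labels with an optional leading dot.
    if ($domain !== '' && !preg_match('/^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\z/', $domain)) {
        throw new InvalidArgumentException('invalid cookie domain');
    }

    $cookie = $name . '=' . rawurlencode($value);
    // 0, false, '' and null all mean "valid during session": no expires.
    if (!empty($expires)) {
        // Netscape-style date with dashes, always in GMT.
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', (int) $expires) . ' GMT';
    }
    if ($path !== '') {
        $cookie .= '; path=' . $path;
    }
    if ($domain !== '') {
        $cookie .= '; domain=' . $domain;
    }
    if ($secure) {
        $cookie .= '; secure';
    }
    if ($http_only) {
        $cookie .= '; HttpOnly';
    }
    return $cookie;
}

function send_cookie($name, $value = '', $expires = 0, $path = '',
                     $domain = '', $secure = false, $http_only = false)
{
    // false = append, so an earlier Set-Cookie header is not replaced.
    header('Set-Cookie: ' . build_set_cookie($name, $value, $expires, $path,
                                             $domain, $secure, $http_only), false);
}

// Constructed sample values, for illustration only.
echo build_set_cookie('sessioncookie', 'abc 123', 0, '/', '.example.org', false, true), "\n";
try {
    build_set_cookie('sessioncookie', 'x', 0, '/; domain=.example.net');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```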

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Tue Oct 10, 2006 5:14 am

Appears to fix firefox
- FF new instance open directly to about:blank -> open joomla_site -> login works.
- FF new instance open directly to joomla_site -> login works (as it did previously)

Still broken in those above scenarios with IE however.

FireFox Version: 1.5.07
IE Version: 6.0
Last edited by Devz on Tue Oct 10, 2006 5:18 am, edited 1 time in total.

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Sun Oct 15, 2006 10:19 pm

Browser Tests


Results from browser tests run on a new install of Joomla! 1.0.11:

- new instance FF (1.5.07) - opening newjoomlasite.com - user attempts to login (requests to save passwd too), but displays "You are not authorized to view this resource." dialog box (guess that's better than a 403!)
- new instance FF (1.5.07) - opening about:blank - user CAN login (requested to save passwd)
- new instance IE6 - opening newjoomlasite.com - user CAN login
- new instance IE6 - opening http://www.slashdot.org - opening newjoomlasite.com - user CANNOT login - F5 (refresh) - user CAN login (when entering user details this time, I'm prompted to save the password (IE passwd manager), whereas the first time I'm not, if this helps!)

JerkyPenguin
Joomla! Fledgling
Posts: 2
Joined: Sun Oct 08, 2006 10:37 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by JerkyPenguin » Fri Oct 20, 2006 2:21 pm

Is there any progress yet with this bug?  I haven't seen anything in a number of days..  :'(

retromodcoza
Joomla! Apprentice
Posts: 11
Joined: Tue Oct 10, 2006 8:57 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by retromodcoza » Fri Oct 20, 2006 4:04 pm

Yep - I have the same problem.......Joomla 1.011

For some reason it cured itself on only 1 of my sites by disabling the standard SEF urls but KEEPING the OPEN SEF urls on......

Thus I got standard links with variables for the components and SEF URLs for the content. Seemed to work without a glitch. But it did not work on all my sites... which must mean it's playing up with different server details...

Cheers!

retromodcoza
Joomla! Apprentice
Posts: 11
Joined: Tue Oct 10, 2006 8:57 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by retromodcoza » Sat Oct 21, 2006 12:34 am

OK - here's my workaround... Dunno if it will work for you:

1. Install Community Builder
2. Configure it as per instructions and load the sample data
3. Redirect the login page in the CB login module to http://yoursite.com and NOT http://www.yoursite.com.
4. Under the "remember me" box options, select "hide and checked"

That should work nicely until the Joomla team sorts it out!!

Cheers!

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Sat Oct 21, 2006 2:04 am

Thread has now been open: 100 days
Since accurate diagnosis: 41 days

Is it still under medium review Q&T?
Any updates for the users facedancer/Beat/RobInk?

Robin
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Robin » Sat Oct 21, 2006 4:55 am

Hi Devz,

The development group is still working on it; they got access to some servers from community members experiencing this problem and are trying to determine the exact error and possible fix.

Besides this bug, they are also working to get as many artifacts fixed as possible so 1.0.12 can be released. I hope you can wait a bit more :) I don't have a set date yet for 1.0.12...

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by friesengeist » Sat Oct 21, 2006 10:27 pm

You might wanna read this: http://forum.joomla.org/index.php/topic ... .html :)

And thanks, Devz, for your detailed analysis about the different browsers!
We may not be able to control the wind, but we can always adjust our sails

JBFCSIICF
Joomla! Apprentice
Posts: 5
Joined: Wed Jul 26, 2006 9:09 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by JBFCSIICF » Tue Oct 24, 2006 9:16 pm

Absolutely basic user here, no idea of how to change php files or more detailed configurations from all the other threads. Have had all of these login problems. When almost all of my users had trouble, I tried suggesting "Remember Me" and then I had to talk them all through setting it as a trusted site. AOL users still can't access it unless they use IE. The Trusted Site thing has seemed to work, I just have them uncheck "https" requirement.

Unfortunately, I have 10 other things on my plate (the life of a social work student) and although I would love to see this thing through, the pressure is forcing me to another CMS. It sucks to get hollered at for a non-working website. Does this problem seem close to a fix?

Devz did you work out the problem or are you setting up those 1200+ users the same way I'm setting up my 20.. LOL  :laugh:

p.s. I love everything else about joomla! You should have seen the boss when all the content was up and the login issues were not known!

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by RobS » Tue Oct 24, 2006 11:28 pm

It will be fixed in the next version of Joomla! which will be available as soon as possible.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

rdachowski
Joomla! Apprentice
Posts: 6
Joined: Fri Sep 29, 2006 8:50 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by rdachowski » Thu Nov 02, 2006 4:55 pm

All:

Thanks for your work on Joomla overall and for trying to track this down and kill it!  :)

I understand that you intend to release a fix for this as .12, but, if you have a fix that is known to work across browser versions and it is possible to simply replace some .phps until .12 is ready, could you post that? I can wait for other fixes, but users not easily able to get in the front door is somewhat disconcerting for them.

Thanks!

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by friesengeist » Thu Nov 02, 2006 5:05 pm

rdachowski wrote: I understand that you intend to release a fix for this as .12, but, if you have a fix that is known to work across browser versions and it is possible to simply replace some .phps until .12 is ready, could you post that? I can wait for other fixes, but users not easily able to get in the front door is somewhat disconcerting for them.
Have you read this? http://forum.joomla.org/index.php/topic,106665.0.html
(3 posts above yours ;))
We may not be able to control the wind, but we can always adjust our sails

rdachowski
Joomla! Apprentice
Posts: 6
Joined: Fri Sep 29, 2006 8:50 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by rdachowski » Thu Nov 02, 2006 6:44 pm

Thanks Enno!  I missed the link you sent.  The approach appears to work for my site (at least for the limited testing that I've done). ;D    I have scanned the referenced topics but am left with the question, are there any gotchas (security or otherwise) with this approach?

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by friesengeist » Thu Nov 02, 2006 10:42 pm

rdachowski wrote: Thanks Enno!  I missed the link you sent.  The approach appears to work for my site (at least for the limited testing that I've done). ;D    I have scanned the referenced topics but am left with the question, are there any gotchas (security or otherwise) with this approach?
The only gotcha I know of is that it disables the message "You are not authorized to view..." completely. This message should tell something about cookies being disabled on your PC though. I'm still looking into this.
We may not be able to control the wind, but we can always adjust our sails

Robin
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Post by Robin » Wed Nov 15, 2006 7:22 am


Robin
Joomla! Master
Posts: 15753
Joined: Thu Aug 18, 2005 10:41 am

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Post by Robin » Wed Nov 29, 2006 7:02 pm

Q&T Note; fix confirmed for next release, topic will remain open for a double check by Q&T.


Edit; double check and fix confirmed, fixed for next release
Last edited by Robin on Wed Nov 29, 2006 8:02 pm, edited 1 time in total.

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Thu Jan 11, 2007 2:16 am

Thanks to Enno Klasing for jumping on top of this, and the numerous reports by moderators.

Glad it got resolved for 1.0.12.

Merging updated base code on highly customized code is a lot of repetitive hard work. Maybe as a future idea, Joomla could have an updater script that 'probes' existing files, maybe does a hash gen on them, and compares them to the base hash checklist? That way you could be given a list of files that CAN be changed (without question) and files that DIFFER from the base hash (requires custom mod), before confirming to do the (web based?) update, rather than the clunky FTP upload & smash files update.

After all, it's all about being modular, isn't it?

Thanks again for ratting out this prob.
Last edited by Devz on Thu Jan 11, 2007 2:23 am, edited 1 time in total.

RobS
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Post by RobS » Thu Jan 11, 2007 6:44 am

Personally, I don't see the point in Joomla! re-inventing this technology.  It would be much easier to just put your site in a version control system which has those kinds of features built in.  Then you can modify it locally, synchronize your modified version with the changes made in the release and then reupload the new site. 

Just a thought.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Devz
Joomla! Apprentice
Posts: 16
Joined: Thu Sep 28, 2006 7:28 am

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Post by Devz » Thu Jan 11, 2007 8:13 am

My mistake, I saw Joomla as a content management system, not a framework, which it appears to be represented as?
System = completeness, Framework = bits from everywhere become to 'make' the product.

It was merely a misguided comment, totally out of place in terms of thread position.
Just wanted to add something more than a simple 'thank you' message, as for some reason I missed the solution to the dual login notification till just today.

Seems the client might get their few month old site now :)

Once again, thx to the dev's that fixed the prob for everyone still using Joomla.

