Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 7:53 am
by skynet80
I killed the anti-spoofing defense in VirtueMart and can log in to VirtueMart.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 9:08 am
by Devz
This problem exists within Joomla! 1.0.11 and thus needs fixing (for this version and versions beyond).
I don't believe users should have to add 3rd party components (VirtueMart) in order to solve a base issue.

If that was the tack to solve problems, we wouldn't use a CMS but a mashed together bunch of somehow working together 3rd party components, which most would know generally opens up more vulnerabilities than features.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 9:16 am
by alikon
I'm sorry, perhaps I've lost something in the previous post, so

my question is:
do you have the same problem with a fresh Joomla install without any other 3rd party components?

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 9:34 am
by Robin
Update: there are currently 3 devs looking at the problem, so we are on it  ;) They might be onto something due to the extra info you provided, Devz. Again, thanks for that.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 10:12 am
by Beat
I checked quickly into this problem and think I found a part of the problem (got hinted by the "reload" hint, thanks) :) :

It seems to be related to a PHP bug in setcookie(), which is not sent when there is a mosRedirect() called thereafter (and that's exactly the case when logging in :D ) :P :

http://www.php.net/manual/en/function.setcookie.php

See comments of 19-Aug-2006 and 17-Sep-2006:
If you try to call setcookie() before issuing a 302 via a header("Location:..."), the cookie will not be sent as part of the 302 response. To get the cookie in the header, use the header() function instead of setcookie(), i.e. header("Set-Cookie: cookiename=cookievalue; expires=18-Oct-2008 GMT; path=/; domain=.www.domain.com");

Note also that PHP setcookie() formats the date without dashes, which is accepted by major browsers, but is not in accordance with the Netscape cookie spec, which specifies the date with dashes.
The 17-Sep-2006 comment proposes a fix, which needs careful review...
Now, for a non-buggy setcookie that doesn't vanish on Location: redirects. In fact, I suggest you use this instead of the built-in setcookie() function. It also supports "HttpOnly". Usage is the same as the original setcookie() function:

Code: Select all

<?php

function set_cookie($name, $value = '', $expires = 0, $path = '', $domain = '', $secure = false, $http_only = false)
{
   header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
                         . (empty($expires) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires))
                         . (empty($path)    ? '' : '; path=' . $path)
                         . (empty($domain)  ? '' : '; domain=' . $domain)
                         . (!$secure        ? '' : '; secure')
                         . (!$http_only    ? '' : '; HttpOnly'), false);
}

To make a "raw" version of this, get rid of the rawurlencode functions.
I'm also suspecting the use of "false" versus '' (you need to use '' with the alternate implementation above) as a $expires value for saying "valid during session", but the above bug description would be a plausible description of the problem.

Actually, the very best fix for this problem would probably be to avoid completely the redirect at login and logout. ;)

+ take a look at the other users comment in that php manpage: very helpful...

Don't have time today to implement and check fix, but thought to share this "heads-up" :)

+ that's more core DEV duties, than Q&T's ;)  :laugh:

Take care,

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 10:15 am
by Devz
RobInk: Thanks for the update, re: my extra info - quite welcome.

alikon: I can't answer your question, sorry. My install was a 1.0.10 upgraded to 1.0.11, and various 3rd party packages have been installed.

The fact it primarily appears to revolve around joomla.php (session_id stuff), mod_login, and browser weirdness tends to rule out 3rd party addons. I may be corrected, though I doubt it in this scenario.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 10:25 am
by facedancer
Beat, the problem is that I can't reproduce the problem on dozens of servers I was trying, if I could the fix would be trivial I guess...

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Oct 05, 2006 12:09 pm
by Beat
facedancer wrote: Beat, the problem is that I can't reproduce the problem on dozens of servers I was trying, if I could the fix would be trivial I guess...
I guess the key to reproducing is to clean the cookies of the browser, close it and open it again, then type-in the home-page URL and immediately try to login.

Also I didn't check on PHP bug tracker which versions are affected by that bug.

As said no time to try to reproduce and fix next days.

But here a fix proposal for testing for those who have the problem:

1) add THIS (not the above and without the <?php used only to highlight code nicely in thread) function to includes/joomla.php :

Code: Select all

<?php
function jSetCookie($name, $value = '', $expires = 0, $path = '', $domain = '', $secure = false, $http_only = false)
{
    header('Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value)
     . ( ( $expires == false || $expires == 0 || empty($expires) ) ? '' : '; expires=' . gmdate('D, d-M-Y H:i:s \\G\\M\\T', $expires))
                         . (empty($path)    ? '' : '; path=' . $path)
                         . (empty($domain)  ? '' : '; domain=' . $domain)
                         . (!$secure        ? '' : '; secure')
                         . (!$http_only    ? '' : '; HttpOnly'), false);
}
then replace all "setcookie" by "jSetCookie" in joomla.php.

As said, didn't review or try that proposal so backup first and try at your own risk.

But given the priority, would be interesting to see if it fixes the problem for the ones having it...
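
A hardened variant of the jSetCookie() helper proposed above, as an added example that is not part of the original posts or of Joomla!'s code: it builds the same Set-Cookie header but refuses cookie names, paths and domains that would inject extra attributes or header lines, and it turns HttpOnly on by default. The function names buildSetCookie() and sendCookie(), the example.com values and the timestamp are assumptions made for illustration.

```php
<?php
// Added example, not Joomla! code. buildSetCookie() and sendCookie() are
// hypothetical names; the argument order follows jSetCookie() in the thread.
function buildSetCookie($name, $value = '', $expires = 0, $path = '',
                        $domain = '', $secure = false, $httpOnly = true)
{
    $path   = (string) $path;
    $domain = (string) $domain;
    // Cookie names must be HTTP tokens: no controls, spaces or separators.
    if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/D', (string) $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    // path and domain go into the header unencoded, so reject anything that
    // could start a new attribute (";" or ",") or a new header line (CR/LF).
    foreach (array('path' => $path, 'domain' => $domain) as $attr => $v) {
        if (preg_match('/[\x00-\x20\x7f;,]/', $v)) {
            throw new InvalidArgumentException('invalid cookie ' . $attr);
        }
    }
    $header = $name . '=' . rawurlencode($value);
    if (!empty($expires)) {
        // Date with dashes (d-M-Y), the Netscape format the thread refers to.
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', (int) $expires) . ' GMT';
    }
    if ($path !== '')   { $header .= '; path=' . $path; }
    if ($domain !== '') { $header .= '; domain=' . $domain; }
    if ($secure)        { $header .= '; secure'; }
    if ($httpOnly)      { $header .= '; HttpOnly'; }
    return $header;
}

function sendCookie($name, $value = '', $expires = 0, $path = '',
                    $domain = '', $secure = false, $httpOnly = true)
{
    // Once output has started the header can no longer be added; report it
    // instead of failing silently and leaving the user without a session.
    if (headers_sent()) {
        return false;
    }
    // false = append, so cookies already queued for this response are kept.
    header('Set-Cookie: ' . buildSetCookie($name, $value, $expires, $path,
                                           $domain, $secure, $httpOnly), false);
    return true;
}

// Constructed inputs: a normal session cookie, then a path carrying an
// extra attribute, which is refused instead of being emitted.
echo buildSetCookie('sessioncookie', 'abc 123', 1224288000, '/', '.example.com'), "\n";
try {
    buildSetCookie('sessioncookie', 'x', 0, '/; domain=.other.example');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Paths containing spaces are rejected here as a conservative choice; percent-encode them before passing them in if a site needs them.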

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Tue Oct 10, 2006 5:14 am
by Devz
Appears to fix Firefox
- FF new instance open directly to about:blank -> open joomla_site -> login works.
- FF new instance open directly to joomla_site -> login works (as it did previously)

Still broken in those above scenarios with IE however.

FireFox Version: 1.5.07
IE Version: 6.0

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Sun Oct 15, 2006 10:19 pm
by Devz
Browser Tests


Results from browser tests run on a new install of Joomla! 1.0.11

new instance FF (1.5.07) - opening newjoomlasite.com - user attempts to login (requests to save passwd too), but displays "You are not authorized to view this resource." dialog box (guess that's better than a 403!)
new instance FF (1.5.07) - opening about:blank - user CAN login (requested to save passwd)
new instance IE6 - opening newjoomlasite.com - user CAN login
new instance IE6 - opening http://www.slashdot.org - opening newjoomlasite.com - user CANNOT login - F5 (refresh) - user CAN login (when entering user details this time, I'm prompted to save the password (IE passwd manager), whereas the first time I'm not, if this helps!)

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Fri Oct 20, 2006 2:21 pm
by JerkyPenguin
Is there any progress yet with this bug?  I haven't seen anything in a number of days..  :'(

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Fri Oct 20, 2006 4:04 pm
by retromodcoza
Yep - I have the same problem.......Joomla 1.011

For some reason it cured itself on only 1 of my sites by disabling the standard SEF urls but KEEPING the OPEN SEF urls on......

Thus I got standard links with variables for the components and SEF URLs for the content. Seemed to work without a glitch. But it did not work on all my sites....which must mean it's playing up with different server details....

Cheers!

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Sat Oct 21, 2006 12:34 am
by retromodcoza
OK - Here's my workaround... Dunno if it will work for you:

1. Install Community Builder
2. Configure it as per instructions and load the sample data
3. Redirect the login page in the CB login module to http://yoursite.com and NOT http://www.yoursite.com.
4. Under the "remember me" box options, select "hide and checked"

That should work nicely until the Joomla team sorts it out!!

Cheers!

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Sat Oct 21, 2006 2:04 am
by Devz
Thread has now been open: 100 days
Since accurate diagnosis: 41 days

Is it still under medium review Q&T?
Any updates for the users facedancer/Beat/RobInk?

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Sat Oct 21, 2006 4:55 am
by Robin
Hi Devz,

The development group is still working on it, they got access to some servers from community members experiencing this problem and trying to determine the exact error and possible fix.

Besides this bug, they are also working to get as many artifacts fixed so 1.0.12 can be released. I hope you can wait a bit more  :) I don't have a set date yet for 1.0.12...

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Sat Oct 21, 2006 10:27 pm
by friesengeist
You might wanna read this: http://forum.joomla.org/index.php/topic ... .html :)

And thanks Devz, for your detailed analysis about the different browsers!

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Tue Oct 24, 2006 9:16 pm
by JBFCSIICF
Absolutely basic user here, no idea of how to change php files or more detailed configurations from all the other threads. Have had all of these login problems. When almost all of my users had trouble, I tried suggesting "Remember Me" and then I had to talk them all through setting it as a trusted site. AOL users still can't access it unless they use IE. The Trusted Site thing has seemed to work, I just have them uncheck "https" requirement.

Unfortunately, I have 10 other things on my plate (the life of a social work student) and although I would love to see this thing through, the pressure is forcing me to another CMS. It sucks to get hollered at for a non-working website. Does this problem seem close to a fix?

Devz did you work out the problem or are you setting up those 1200+ users the same way I'm setting up my 20.. LOL  :laugh:

p.s. I love everything else about joomla! You should have seen the boss when all the content was up and the login issues were not known!

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Tue Oct 24, 2006 11:28 pm
by RobS
It will be fixed in the next version of Joomla! which will be available as soon as possible.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Nov 02, 2006 4:55 pm
by rdachowski
All:

Thanks for your work on Joomla overall and for trying to track this down and kill it!  :)

I understand that you intend to release a fix for this as .12, but, if you have a fix that is known to work across browser versions and it is possible to simply replace some .phps until .12 is ready, could you post that?  I can wait for other fixes, but users not easily able to get in the front door is somewhat disconcerting for them.

Thanks!

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Nov 02, 2006 5:05 pm
by friesengeist
rdachowski wrote: I understand that you intend to release a fix for this as .12, but, if you have a fix that is known to work across browser versions and it is possible to simply replace some .phps until .12 is ready, could you post that?  I can wait for other fixes, but users not easily able to get in the front door is somewhat disconcerting for them.
Have you read this? http://forum.joomla.org/index.php/topic,106665.0.html
(3 posts above yours ;))

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Nov 02, 2006 6:44 pm
by rdachowski
Thanks Enno!  I missed the link you sent.  The approach appears to work for my site (at least for the limited testing that I've done). ;D    I have scanned the referenced topics but am left with the question, are there any gotchas (security or otherwise) with this approach?

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Nov 02, 2006 10:42 pm
by friesengeist
rdachowski wrote: Thanks Enno!  I missed the link you sent.  The approach appears to work for my site (at least for the limited testing that I've done). ;D    I have scanned the referenced topics but am left with the question, are there any gotchas (security or otherwise) with this approach?
The only gotcha I know of is that it disables the message "You are not authorized to view..." completely. This message should tell something about cookies being disabled on your PC though. I'm still looking into this.

Re: [MEDIUM:UNDER REVIEW:1.0.11]User Login: "You are not authorized to view.."

Posted: Wed Nov 15, 2006 7:22 am
by Robin

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Posted: Wed Nov 29, 2006 7:02 pm
by Robin
Q&T Note; fix confirmed for next release, topic will remain open for a double check by Q&T.


Edit; double check and fix confirmed, fixed for next release

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Jan 11, 2007 2:16 am
by Devz
Thanks to Enno Klasing for jumping on top of this, and the numerous reports by moderators.

Glad it got resolved for 1.0.12..

Merging updated base code on highly customized code is a lot of repetitive hard work.. maybe as a future idea,
Joomla could have an updater script that 'probes' existing files, maybe does a hash gen on them, and compares them to the base hash checklist? That way you could be presented with a list of files that CAN be changed (without question) and files that DIFFER from the base hash (requires custom mod), before confirming to do the (web based?) update, rather than the clunky FTP upload & smash files update.

After all, it's all about being modular, isn't it?

Thanks again for ratting out this prob.

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Jan 11, 2007 6:44 am
by RobS
Personally, I don't see the point in Joomla! re-inventing this technology.  It would be much easier to just put your site in a version control system which has those kinds of features built in.  Then you can modify it locally, synchronize your modified version with the changes made in the release and then reupload the new site. 

Just a thought.

Re: [MEDIUM:TRACKER 6766:1.0.11]User Login: "You are not authorized to view.."

Posted: Thu Jan 11, 2007 8:13 am
by Devz
My mistake, I saw Joomla as a content management system, not a framework, which it appears to be represented as?
System = completeness, Framework = bits from everywhere come together to 'make' the product.

It was merely a misguided comment, totally out of place in terms of thread position.
Just wanted to add something more than a simple 'thank you' message, as for some reason I missed the solution to the dual login notification till just today.

Seems the client might get their few month old site now :)

Once again, thx to the devs that fixed the prob for everyone still using Joomla.