-
Notifications
You must be signed in to change notification settings - Fork 611
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not authorized to reorder structure entries #2772
Comments
Weird. Is it working on any other environments for you? Do you have any config settings in |
Sorry for my late reaction. I hoped that an update would solve the problem.. but no luck. The config settings are identical. I guess something to do with the database? (I was developing this website on a RC version) For example: as an admin I can create a new user, but i can't link a new user to a user-group. An error message appears "Only administrators are authorized"..? |
Any chance we can get access to the server? If so you can send credentials to support@craftcms.com. |
Thanks, mail has been sent. |
I referenced a similar error in #2958 (I searched like 5 or 6 different queries to find duplicates but didn't see any that matched my queries. Sorry.) |
I am experiencing the same error. Almost identical setup on staging, where we can re-order, but cannot reorder on production. |
I have the same issue, the stack trace is the same.
Application Info
|
@beeldr @Emkaytoo @askogrand @jasonandres Are your production environments load-balanced? Are you aware of whether each of the servers storing session data in the same place, regardless of web server? |
Yes, they are load balanced. They are storing session data in their respective projects memcached cloud servers. They do not share the same one. |
I think that’s your issue. Permission to modify structures is stored in the PHP session. So when this happens, it’s probably because the Ajax request to modify the structure is hitting a different web server than the one that initially authorized the action. If you’re going to use load-balanced web servers, you need to make sure that they share the same PHP session, by pointing them to the same Redis/Memcached server. |
Production and staging are different sites. Different memcaches. Their respective dynos all use the same memcache server. I apologize if my answer was confusing. |
@brandonkelly Our sites are running on a single instance, and we are not utilizing Redis/Memcached. |
If any of you can give us an admin account + FTP access to your server where this is happening, that would be super helpful. We’re not able to reproduce. |
@brandonkelly has anyone provided anything to you yet? Id give you access to our admin, but we are running on heroku, so no FTP. We do have a bugsnag accout, however. |
Not yet. Having access to the environment will be critical. Could be SSH instead if FTP isn’t an option. |
@jasonandres Any chance you can get your creds to Brandon? Ive tried with our environment, but Im afraid the heroku/load balancing is obfuscating the issue. @beeldr, maybe you can share creds as well? |
@brandonkelly We moved our staging environment from a single instance to load balanced instances running on Amazon ECS, with EFS for client assets and Aurora MySQL using the same Dockerfile for the build and now we don't have this issue, we can re-order entries just fine. Unfortunately we torn down the other staging environment so we no longer have access to that. |
Same issue today on Fortrabbit's Pro tier. Works locally. Anyone resolve this? It seems to be specific to the If I force-clear the cache in Chrome, reorder succeeds on the first try. All subsequent trie then fail with a 403. |
I get this error from a single docker container. No load balancer. I am using a bridge network driver for the docker-compose setup |
I'm having the same issue on on Fortrabbit Pro tier that @jasonschock is having. Reorder attempts results in a 403. |
FWIW, I solved my issue with this Craft plugin: https://github.com/fortrabbit/yii-memcached. FortRabbit Pro stack is multi-node. You need to use memcache for shared session storage; by default, you get PHP's file session store. |
Also having this problem right now, but; it happens in Chrome (OSX) only, and it's working in Firefox and other browsers. The difference with Chrome is that we have multiple (development) sites opened in tabs, with different domains. Maybe that has something to do with it. Craft CMS 3.1.25 Logs; |
We are affected by this issue on Craft 3.3.20.1. |
We have seen this happen as a result of the defaultCookieDomain config setting getting changed. In that case, clearing browser caches will solve it. |
Getting the same error on a multiple dyno setup in Heroku. Moving to a single dyno solves it. |
@emblematiq Connecting Craft to Redis is a matter of swapping out the |
Happened to me as well, indeed after changing the If this helps, this is what I discovered during my debugging: |
This has been plaguing us in multiple environments. We get the 403 error in production and in our lower environments. All are using Redis for both cache and session. Production has multiple heads, lower env's do not. Lower Env's share a Redis server in AWS Elasticache, production is separate. Have tried all of the following solutions, only 1 works but is not sustainable in production:
I have seen some mention of storing cache and session in separate databases (separating databases in Redis, according to the creator, is a bad idea). Is it possible to have a different Redis host for sessions and cache? Would this have any effect on the issue? UPDATE: I tried @VitaliiTsilnyk solution above and it works now. Is this now a PR for Craft? I do not know if previously clearing my cookies had anything to do with this. But I do know that my team's CP url is a subdomain of the main url for the site (e.g., cms.[domain].com). The lower envs are not using a different cookie domain to my knowledge. |
@JonGoldmanPlaybill you probably need to set https://craftcms.com/docs/3.x/config/config-settings.html#defaultcookiedomain to |
@angrybrad Unfortunately I tried setting to both A note that not only is this already using Redis with a unique prefix for sessions and cache, it also is not a multi-user head- the dev instance is a single instance, using a lower env Redis from AWS ElastiCache, and it's own RDS DB server. |
Please note that my idea is just an idea, not an actual solution. I was just playing around trying to fix the bug before finding this issue. I have no idea why |
@VitaliiTsilnyk Thank you for that. I'm less concerned in this case, because in order to even get to the CP login in the first place in our environment, you have to get past a load balancer that requires SSO Authentication. So there are two layers of authentication protecting that avenue in. I would also note that your idea is the only method that has worked, besides resorting to non-KeyStore-based session caching. |
There aren’t any permissions named We use session-based authorization here because the Structures service doesn’t know which specific permissions should be checked. So it just expects a prior controller to authorize it via the session. |
@brandonkelly Understood. Which explains why when I made that change it worked, because I am on an admin account. But I'm using the same account with the previous function call, which is what confuses me for the 403. I would understand if it was a perms issue, but with a full admin I shouldn't encounter 403s from Craft. |
@brandonkelly, also, as far as I can see, there is no controller in the way here, or any to give prior auth. This is not just any structure, but we are editing the order of categories, which we don't interfere with to my knowledge. |
Session-based authorization doesn’t care if you’re an admin, unlike user permissions. So that’s why switching it to a permission check fixed it for you, even though the permission doesn’t exist. Ultimately this is either a cookie issue or an environmental issue, where your environment is not persisting PHP session data across requests. |
@brandonkelly Actually it turned out that this was due to a data validation failure in the category. There was an illegal value that had been migrated in to a Category class and the Category Entries could not be saved. Once the data issue was corrected, then the adding of a prefix that differed between the session and cache in Redis seems to have solved the issue. |
Huh strange, but glad you got it sorted! |
@brandonkelly Just as a future FYI, the field was a "Color" field type and the illegal value was |
Description
Somehow I can't reorder structure entries on our staging server. In the red bar a message appears with an unknow error occured. Seems like a bug. I am logged in as a administrator/super user.
Stack trace
Additional info
The text was updated successfully, but these errors were encountered: