File editing is broken in panel #1861

Closed
seehat opened this issue Jun 13, 2019 · 28 comments

@seehat seehat commented Jun 13, 2019

I get an "Unauthenticated" error when I open the file "last-tree-standing.jpg" in a fresh install of the starterkit on easyname.at hosting. I also get this error sometimes when navigating around in the panel. (similar to #1749)

Steps to reproduce the behavior:

  1. Go to 'Photography/Trees/last-tree-standing.jpg'.
  2. Kicked back to homepage of panel with 'unauthenticated' error.

Kirby Versions
3.3.2

Console output

[Screenshot: Bildschirmfoto 2019-06-13 um 10 41 01]

Server:

  • Apache 2.4 with enabled mod_security, varnish, OPCache, open_basedir and default htaccess from starterkit
  • PHP 7.3

Desktop:

  • OS: macOS 10.14.6
  • Browser: Chrome Version 78.0.3904.87 (Offizieller Build) (64-Bit) with enabled Browser Cache

Safari 12.1 and Firefox 68.0 are working and Chrome is also working, when I disable the cache in devtools.

Contributor

@bastianallgeier bastianallgeier commented Jun 13, 2019

Are you sure you are trying this with a fresh install of 3.2.0-rc.2 with empty cache? This should already be fixed. You can also try to disable the cache in the chrome console and check if it still happens.

Author

@seehat seehat commented Jun 13, 2019

Yes. I removed the media/panel folder and all cache files on the server and also in the browser.

It works when I disable the cache in the chrome console.
But caching is normally enabled for visitors. Why does it work, when the browser cache is disabled?

Author

@seehat seehat commented Jun 28, 2019

Unfortunately the error also appears in 3.2.0.

Author

@seehat seehat commented Jul 12, 2019

The error appears in Chrome (Version 75.0.3770.100 (Offizieller Build) (64-Bit))

Safari 12.1 and Firefox 68.0 are working.

Contributor

@afbora afbora commented Jul 12, 2019

[Screenshot: Ek Açıklama 2019-07-12 100814]

@seehat I can't reproduce this issue with Kirby 3.2.2 on Chrome 75.0.3770.100 64 Bit / Windows 10 Pro.

Could you test on fresh Kirby v3.2.2 install please?

Author

@seehat seehat commented Jul 15, 2019

Yes, I tested it now on a fresh install of Kirby v3.2.2 and it doesn't solve the problem. It only appears on easyname.at hosting with Chrome and with enabled browser cache. It works locally.

Following modules/cachings are enabled on the server:

  • varnish
  • mod_security
  • OPCache
  • open_basedir

I have also tried to disable all of these modules, but then it also doesn't work. And it works in Safari and Firefox with all these modules enabled.

Is there something I can test?

Seems to be similar to #1749.

@bastianallgeier bastianallgeier added this to the 3.3.0 milestone Oct 9, 2019

Contributor

@bastianallgeier bastianallgeier commented Oct 15, 2019

Hey @seehat! Sorry for the massive delay. Could you give it one more try with 3.2.5 before we move on with this?

@bastianallgeier bastianallgeier removed this from the 3.3.0 milestone Oct 15, 2019

Author

@seehat seehat commented Oct 15, 2019

Hey @bastianallgeier! No problem.

I tried it now with 3.2.5. Unfortunately it is still not working with the current version.

I've sent a mail on 13. August to kirby support with login credentials, that you can use for testing purposes.

Author

@seehat seehat commented Nov 7, 2019

Hey @bastianallgeier - Thx for the massive 3.3.0 update. Great work!

I've tried this with a fresh install of the current kirby starterkit. Unfortunately it doesn't work either.

Could you have a look into this?

@chaeringer chaeringer commented Dec 7, 2019

Hello @bastianallgeier,

first of all thanks a lot for the great work you are doing with your team!

I can confirm this issue:

Hosting
easyname.at (NO issues on localhost and with another hosting provider)

Kirby Versions
3.3.1

Chrome
Version 78.0.3904.108

Everything works as expected in Firefox, Safari and with open devtools in Chrome.

Contributor

@distantnative distantnative commented Dec 15, 2019

So this really seems to be an issue of easyname.at :/

Author

@seehat seehat commented Dec 18, 2019

I asked easyname and they don't have an answer for it.

I updated to Kirby 3.3.2 in the meantime... not working either unfortunately.

There is also an error when I open the following URL in the browser:

https://kirby.e5-klosterneuburg.at/api/pages/photography+animals/files/free-wheely.jpg?view=panel

error:

{"status":"error","message":"Unauthenticated","code":403,"exception":"Kirby\\Exception\\PermissionException","key":"error.permission","file":"\/kirby\/config\/api\/authentication.php","line":10,"details":[],"route":"(.*)\/files\/([a-zA-Z0-9\\.\\-_%= \\+\\@\\(\\)]+)"}

This is the same error which gets thrown in the panel, when accessing a fileview.

Contributor

@afbora afbora commented Dec 18, 2019

@seehat could you share a test app on easyname? I can look out.

Author

@seehat seehat commented Dec 18, 2019

@afbora I sent them to you. Thx in advance. :)

Contributor

@distantnative distantnative commented Dec 18, 2019

Pinging @lukasbestle as this seems to be rooted in sessions and CSRF.

Contributor

@afbora afbora commented Dec 18, 2019

@distantnative yes, I checked it out and this issue is about session/cookie.
The $_COOKIE global variable is always empty on the API side. ($_COOKIE['kirby_session'] should be returned as filled on panel)
So it can't get session data while fetching the file and an unauthenticated error is thrown.
I tested with setcookie() in API methods and it always returns empty too.
When I disable the cache in the browser as @seehat said, it works perfectly.
I wonder whether cookies are cacheable?

Contributor

@lukasbestle lukasbestle commented Dec 18, 2019

@afbora But it only affects that hosting provider, right? That's really strange – especially that it only occurs when the browser cache is enabled. That shouldn't change anything about the requests that do get sent, only that some requests no longer get sent as they are cached.

Author

@seehat seehat commented Dec 19, 2019

Yes, it only affects easyname.at and currently the following settings are defined for this subdomain:

[Screenshot: Bildschirmfoto 2019-12-19 um 08 16 16]

But it also didn't work with caching set to 0 and disabled.

Author

@seehat seehat commented Dec 19, 2019

I sent a mail to the easyname support and they told me, that they are having problems with scripts requesting cookies and they don't know why currently. So I think it is no kirby issue.

Do you have a suggestion, what I could do to bypass this? - or should I wait for an update of easyname? - In this case please close this issue.

Contributor

@lukasbestle lukasbestle commented Dec 19, 2019

I'm afraid this needs to be fixed by easyname as there is no way for us to handle the session if the cookie is not provided to the script. I don't know of a general workaround.

Contributor

@afbora afbora commented Dec 19, 2019

@lukasbestle I'd like to share with you the data I've reached to give you ideas.

Normal request header in panel:

array(20) {
  ["X-Varnish"]=>
  string(8) "53150523"
  ["X-Cache"]=>
  string(4) "pass"
  ["Surrogate-Capability"]=>
  string(11) "key=ESI/1.0"
  ["Cookie"]=>
  string(154) "kirby_session=5e2ab93003572a7eb8f63ae81c5de022217e5d1c%2B1576767994.760da85783d7ec7e5eb1.cb12d95144c8a162054bbd4779437ecdadd315450c3e61a2ae2b895d679769b9;"
  ["Accept-Encoding"]=>
  string(4) "gzip"
  ["X-Forwarded-Port"]=>
  string(3) "443"
  ["X-Forwarded-Proto"]=>
  string(5) "https"
  ["X-Forwarded-For"]=>
  string(13) "XXX"
  ["Host"]=>
  string(26) "YYY"
  ["Accept-Language"]=>
  string(23) "tr,en-US;q=0.9,en;q=0.8"
  ["Referer"]=>
  string(64) "ZZZ"
  ["Sec-Fetch-Mode"]=>
  string(4) "cors"
  ["Sec-Fetch-Site"]=>
  string(11) "same-origin"
  ["Accept"]=>
  string(3) "*/*"
  ["Content-Type"]=>
  string(16) "application/json"
  ["User-Agent"]=>
  string(114) "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"
  ["X-Csrf"]=>
  string(64) "70aa86a5ce1682136b32fdb6f519436ff7cc0279eb74f83795722d2c5f4355d9"
  ["X-Requested-With"]=>
  string(14) "xmlhttprequest"
  ["Dnt"]=>
  string(1) "1"
  ["Authorization"]=>
  string(0) ""
}

Accessing file request header in panel:

array(19) {
  ["X-Varnish"]=>
  string(8) "54558989"
  ["X-Cache"]=>
  string(4) "miss"
  ["Stored-Cookie"]=>
  string(154) "kirby_session=5e2ab93003572a7eb8f63ae81c5de022217e5d1c%2B1576767994.760da85783d7ec7e5eb1.cb12d95144c8a162054bbd4779437ecdadd315450c3e61a2ae2b895d679769b9;"
  ["Accept-Encoding"]=>
  string(4) "gzip"
  ["X-Forwarded-Port"]=>
  string(3) "443"
  ["X-Forwarded-Proto"]=>
  string(5) "https"
  ["X-Forwarded-For"]=>
  string(13) "XXX"
  ["Host"]=>
  string(26) "YYY"
  ["Accept-Language"]=>
  string(23) "tr,en-US;q=0.9,en;q=0.8"
  ["Referer"]=>
  string(99) "ZZZ"
  ["Sec-Fetch-Mode"]=>
  string(4) "cors"
  ["Sec-Fetch-Site"]=>
  string(11) "same-origin"
  ["Accept"]=>
  string(3) "*/*"
  ["Content-Type"]=>
  string(16) "application/json"
  ["User-Agent"]=>
  string(114) "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"
  ["X-Csrf"]=>
  string(64) "70aa86a5ce1682136b32fdb6f519436ff7cc0279eb74f83795722d2c5f4355d9"
  ["X-Requested-With"]=>
  string(14) "xmlhttprequest"
  ["Dnt"]=>
  string(1) "1"
  ["Authorization"]=>
  string(0) ""
}

As you will see, there is Stored-Cookie data instead of Cookie data on the second request, which failed. So the $_SERVER['HTTP_STORED_COOKIE'] var exists instead of HTTP_COOKIE, and it looks like this:

["HTTP_STORED_COOKIE"]=>
  string(154) "kirby_session=5e2ab93003572a7eb8f63ae81c5de022217e5d1c%2B1576767994.760da85783d7ec7e5eb1.cb12d95144c8a162054bbd4779437ecdadd315450c3e61a2ae2b895d679769b9;"
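
Added example (not part of the original thread and not Kirby code): a small Python helper that parses two PHP `var_dump()` header dumps of the shape posted above and reports any header whose value reappears under a different name, which is how the `Cookie` to `Stored-Cookie` rewrite shows up. The function names and the sample dumps with placeholder values are constructed for illustration.

```python
import re

# One entry of PHP var_dump() output for a string-valued array:
#   ["Name"]=>
#   string(N) "value"
ENTRY = re.compile(r'\["([^"]+)"\]=>\s*string\(\d+\) "(.*)"')

def parse_var_dump(text):
    """Return {header name: value} parsed from a var_dump of request headers."""
    return dict(ENTRY.findall(text))

def moved_headers(ok, failed):
    """Return (old_name, new_name) pairs whose non-empty value is identical but
    which exist only in the working / only in the failing request. Such a pair
    means something between browser and PHP renamed the header."""
    gone = {n: v for n, v in ok.items() if v and n not in failed}
    new = {n: v for n, v in failed.items() if v and n not in ok}
    return sorted((o, n) for o, ov in gone.items()
                  for n, nv in new.items() if ov == nv)

def changed_headers(ok, failed, ignore=("X-Varnish",)):
    """Headers present in both requests whose values differ."""
    return {n: (ok[n], failed[n]) for n in ok
            if n in failed and n not in ignore and ok[n] != failed[n]}

# Constructed sample dumps (placeholder values, same shape as in the thread).
OK_DUMP = '''array(4) {
  ["X-Varnish"]=>
  string(3) "111"
  ["X-Cache"]=>
  string(4) "pass"
  ["Cookie"]=>
  string(30) "kirby_session=EXAMPLE-SESSION;"
  ["Authorization"]=>
  string(0) ""
}'''
FAILED_DUMP = (OK_DUMP.replace('"Cookie"', '"Stored-Cookie"')
               .replace('"pass"', '"miss"').replace('"111"', '"222"'))

if __name__ == "__main__":
    ok, failed = parse_var_dump(OK_DUMP), parse_var_dump(FAILED_DUMP)
    print("renamed:", moved_headers(ok, failed))
    print("changed:", changed_headers(ok, failed))
```

A renamed pair together with a changed `X-Cache` value points at the caching layer in front of PHP rather than at the browser or the application.
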

Contributor

@lukasbestle lukasbestle commented Dec 19, 2019

That's interesting. I have never heard of a Stored-Cookie request header nor can I find any information on it online. In case anyone has a hint for me, that would be great!

Contributor

@afbora afbora commented Dec 20, 2019

I couldn't find a single resource about Stored-Cookie on the internet either.
Sorry @seehat but I think it has become clearer that this problem belongs to easyname.

Author

@seehat seehat commented Jan 6, 2020

I also think that it's a problem belonging to easyname. I'm in contact with the support team. Maybe they find something. Thx for testing.

Author

@seehat seehat commented Jan 8, 2020

easyname has fixed this now. :)

Contributor

@distantnative distantnative commented Jan 8, 2020

Yay!

Contributor

@afbora afbora commented Jan 8, 2020

@seehat Say hi! to easyname from us 👊 🤣

Author

@seehat seehat commented Jan 8, 2020

@seehat Say hi! to easyname from us 👊 🤣

I will. 😂
