We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

After upgrade to 2.2.8 problem "access denied" on save

    • 36613
    • 328 Posts
    cristianb88 Reply #51, 10 years, 7 months ago
    In new version 2.2.8 have this problem, but 2.2.9 the problem is resolved ?
    • Fi1osof Reply #52, 10 years, 7 months ago
      New details... Extended resource-editor used BasicForm which not send headers (params only) (quick editor and most of enother elements used Ext.Ajax with headers). And in this case parametr $_SERVER['HTTP_MODAUTH'] - it`s very-very not usefull. A think both of $_SERVER['HTTP_MODAUTH'] and $_REQUEST['HTTP_MODAUTH'] - it`s not good. All of them gotted from request (params and headers) and not metter for security.
      Some request not send HTTP_MODAUTH params or headers (for examle connectors/layout/modx.config.js.php ). And in this connector $_SERVER['HTTP_MODAUTH'] sets from session:
      define('MODX_REQP',false);
require_once dirname(dirname(__FILE__)).'/index.php';
$_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'system','action' => 'config.js'));


      So, why we use request headers modAuth? I think need to remove this.

      P.S. If we update connectors/resource/index.php like this, we will have not "Access denied": 
      <?php
require_once dirname(dirname(__FILE__)).'/index.php';

// Insert $_SERVER['HTTP_MODAUTH'] definition
$_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'resource'));
        MODX Revolution expert
        Follow ME on Twitter | Feel free ask any question on MODX-club
        • 3749
        • 24,544 Posts
        BobRay Reply #53, 10 years, 7 months ago
        All this information really needs to go to http://bugs.modx.com so it will be more likely to be acted on.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
        • Fi1osof Reply #54, 10 years, 7 months ago
          Quote from: BobRay at Sep 04, 2013, 02:48 AM
          All this information really needs to go to http://bugs.modx.com so it will be more likely to be acted on.
          It`s too hard for me (with my "english"))) ).
          I told about this to Jason. And needs not just a bugfix, but global refactoring (with $_SERVER['HTTP_MODAUTH'] excluding from all core).

          I was create issue and if Jason will allow me to do this, i can do.
            MODX Revolution expert
            Follow ME on Twitter | Feel free ask any question on MODX-club
            • 3749
            • 24,544 Posts
            BobRay Reply #55, 10 years, 7 months ago
            Sounds good. Thanks for your work. smiley
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting
            • Fi1osof Reply #56, 10 years, 7 months ago
              Quote from: BobRay at Sep 04, 2013, 03:34 AM
              Sounds good. Thanks for your work. smiley
              You are welcome! smiley
                MODX Revolution expert
                Follow ME on Twitter | Feel free ask any question on MODX-club
              • tillilab Reply #57, 10 years, 7 months ago
                Quote from: Fi1osof at Sep 03, 2013, 07:59 PM

                P.S. If we update connectors/resource/index.php like this, we will have not "Access denied": 
                <!--?php
require_once dirname(dirname(__FILE__)).'/index.php';

// Insert $_SERVER['HTTP_MODAUTH'] definition
$_SERVER['HTTP_MODAUTH'] = $modx--->user->getUserToken($modx->context->get('key'));
$modx->request->handleRequest(array('location' => 'resource'));

                You mean that with modification user will save with no problem?
                Do you think we can apply in a live site?

                By the way thank you all for your support!

                  TilliLab | MODX Ambassador
                  website
                • Fi1osof Reply #58, 10 years, 7 months ago
                  Quote from: tillilab at Sep 08, 2013, 01:53 PM
                  Quote from: Fi1osof at Sep 03, 2013, 07:59 PM

                  Do you think we can apply in a live site?

                  Yes, i think so.

                  Welcome!
                    MODX Revolution expert
                    Follow ME on Twitter | Feel free ask any question on MODX-club
                  • tillilab Reply #59, 10 years, 7 months ago
                    Ok, tested F1losof solution in a couple of websites, it works!
                    Thank you very much again!
                      TilliLab | MODX Ambassador
                      website
                    • Fi1osof Reply #60, 10 years, 7 months ago
                      Quote from: tillilab at Sep 11, 2013, 08:46 AM
                      Ok, tested F1losof solution in a couple of websites, it works!
                      Thank you very much again!
                      You are welcome! smiley
                        MODX Revolution expert
                        Follow ME on Twitter | Feel free ask any question on MODX-club