After upgrade to 2.2.8 problem "access denied" on save

Quote from: BobRay at Jul 30, 2013, 09:58 PM

I have a number of Access Policies that are not on that list. Some I created myself, some were created by extras like Quip or NewsPublisher, some I'm not sure about. Can you give us the names of the new Policies and created during the upgrade?

Sorry I was not terribly clear there, Bob. In retrospect, given scenarios like freejung's, I'm not sure I'm understanding what the upgrade script is doing in some cases. I am fairly certain, though, that it's not creating any new Access Policies. Just Access Policy Templates.

Let me give you an example.

The Access Policy named "Context" is not on that list I included in step 1 of my previous post. So the upgrade script creates a new Access Policy Template named "ContextTemplate" (even though there may be one with that name already) .. a concatenation of the Access Policy's name and "Template". Let's say the id of that new Access Policy Template is 7. It then updates the "Context" Access Policy assigning it a `template` of 7. The fix is to assign `template` back to whatever id points to the "proper" Access Policy Template for that Access Policy. Part of the trick, and why I haven't figured out how to script it yet, is determining which one that should be. Following that, the Access Policy Template id 7 which was created during the upgrade can be removed.

This is what it seems to do for any Access Policies not in that list I gave.

I discerned the above from
a) looking at the code in setup/includes/upgrade.install.php
b) seeing the problem in action on some affected sites

I made a pull request to fix that much of the upgrade bug itself, though it does not clean up or fix sites already affected.
https://github.com/modxcms/revolution/pull/550

All that said, there are a couple of things that I can't account for which leads me to believe I haven't nailed the problem completely.

1) users like freejung seeing no erroneously created Access Policy Templates, but having Access Policies with a `template` of 0
2) some Access Policies like "Media Source User" not prompting the upgrade script to create a "Media Source UserTemplate" Access Policy Template

It's all very strange and starts to make my head hurt

Quote from: BobRay at Jul 30, 2013, 09:58 PM

Finally, can we create a list of the bogus Policy Templates that are being created? That would help fix things and also make sure that we don't delete important Policy Templates.

Since many users have custom Access Policies that may have spawned new Access Policy Templates, it's impossible to come up with a list. One extra hint I can give is that erroneously created Access Policy Templates will not only be named based on the name of the Access Policies plus "Template", they will have the same description as the Access Policy. So as I look at an example here, an Access Policy Template named "Media Source AdminTemplate" with a description of "Media Source administration policy." is a dead giveaway.

Hopefully this helps clear up some of the confusion.

Any further insight, especially regarding behavior that does not fit my above description, would be most helpful.

Thanks for all the detail!

I can confirm that Policies with an invalid template don't show up in the grid, but you'd think they would still generate a new Policy Template in the upgrade if their permissions didn't match one of the existing Policy Templates. I have a policy called 'Developer' with a 0 template value.

I did some poking around and looked at setup\includes\upgrade.install.php. This comment is kind of scary:

Since many users have custom Access Policies that may have spawned new Access Policy Templates, it's impossible to come up with a list. One extra hint I can give is that erroneously created Access Policy Templates will not only be named based on the name of the Access Policies plus "Template", they will have the same description as the Access Policy. So as I look at an example here, an Access Policy Template named "Media Source AdminTemplate" with a description of "Media Source administration policy." is a dead giveaway.

That's really helpful. I can see in the code where the description thing happens. I thought I'd found one at Bob's Guides: QuipModeratorPolicyTemplate, but I looked at GitHub and the original description for that Policy Template is 'A policy for moderating Quip comments' and its Policy Template is quite unique.

I *do* have the Context Policy Template, but it doesn't have the same description as the Context Policy. My guess is that it got a Policy Template in an earlier upgrade -- looking at the available permissions, I don't think it's bogus. There are differences between it and all the other templates in my install.

My head now hurts too.

Keep us posted.
[ed. note: BobRay last edited this post 10 years, 9 months ago.]

users like freejung seeing no erroneously created Access Policy Templates, but having Access Policies with a `template` of 0

Sorry, that's my fault, I wasn't completely clear on what you were saying - I actually do have a couple of templates like the ones you describe. I did also, for some reason, have the "Developer" policy with its template set to 0. I don't know if it was that way before the upgrade, though I don't see any reason why it would have been. The Developer policy should use the Administrator policy template.

Here are the policy templates I have:

• AdministratorTemplate
• ResourceTemplate
• ObjectTemplate
• ElementTemplate
• MediaSourceTemplate
• ContextTemplate
• QuipModeratorPolicyTemplate

I think the QuipModeratorPolicyTemplate needs to be there, right? It has permissions that are not found in other templates. Doesn't there need to be a permission (a row in the modx_access_permissions table) for each element of the JSON array of permissions in the modx_access_policies "data" field?

I removed the ContextTemplate and the MediaSource template, after reassigning the policies to the correct template.

I did't realize at first that 'false' permissions aren't stored in the Policy (doh).

I think these are correct:

MediaSourceAdmin Policy: Resource Policy Template
MediaSourceUser Policy: Load, List, and View Policy Template

Context Policy: ??

The Context Policy in my install has both 'copy' and 'view_unpublished' permissions -- The Administrator Policy doesn't have "copy" and the Resource Policy doesn't have view_unpublished. Since it doesn't have the description error, I'm inclined to think it's got its own Policy Template.

Both NewsPublisher and Quip have their own Policy Templates, which are not bogus.

If that's correct, it may be that the two Media Source Policies are the only victims here (not counting the 0 template ID on the Developer policy).


[ed. note: BobRay last edited this post 10 years, 9 months ago.]

Thanks Bob. After removing the ContextTemplate and MediaSourceTemplate, I still had a user report an "access denied" error on resource save. I'm not sure I have the Context policy sorted out properly though. I assigned it to the AdministratorTemplate but as Bob points out, that doesn't have "copy" so I'm not sure what to do with the Context policy.

Well, I lost myself somewhere in previuos posts...
One thing is not clear for me: how can I reproduce the system event that gives the "access denied" problem?
In my websites this error appears when it wants, both with standard and advanced installation,
so I'd like to do some more tests with a minor site, but I can't do efficient test if I can't isolate the moment when the error itself appears...

Quote from: tillilab at Aug 13, 2013, 09:44 AM

Well, I lost myself somewhere in previuos posts...
One thing is not clear for me: how can I reproduce the system event that gives the "access denied" problem?
In my websites this error appears when it wants, both with standard and advanced installation,
so I'd like to do some more tests with a minor site, but I can't do efficient test if I can't isolate the moment when the error itself appears...

That's a tough one. There are over 300 places in the MODX code where an "Access Denied" message is triggered. AFAIK, none of them fires a System Event.

I notice that there is debugging code in the modAccessibleObject class, so if you set the 'debug' System Setting to 1, you may see something useful in the Error Log.

Hi,

i have the same problems with 2.2.8-pl.
I was reading the forums and noticed this 'solved' post: http://forums.modx.com/thread/30920/solved-access-denied-saving-updating-resources-out-of-nowhere#dis-post-475613. Isn't this the same problem as we talk about in this topic?

Just a guess?

Quote from: tillilab at Jun 22, 2013, 04:22 PM

Hi, I have updated a big site to revo 2.2.8 and I have a strange problem...

I regularly login in the manager, I use it, modify some resources and so on,
after a few minutes I try to save and I get "Error - access denied"....

thanks

Hi!

Yes, this is stable problem on 2.2.8 exactly in Chrome. I`m still don`t know how to fix this (i`m use FireFox and have not this problem).

Have you tried turning off the compress_js and compress_css System Settings and clearing your browser cache and cookies?

I work on 2.2.8 in Chrome constantly and haven't seen this.