After upgrade to 2.2.8 problem "access denied" on save

Again, as I've tried to explain many times already, $_REQUEST['HTTP_MODAUTH'] == 0 is wrong (this should be the proper value) and that is the problem to be solved.

Jason, what for we need $_SERVER['HTTP_MODAUTH']? We can just send request header via AJAX. It`s not correct for security.

Quote from: opengeek at Sep 12, 2013, 02:00 PM

Again, as I've tried to explain many times already, $_REQUEST['HTTP_MODAUTH'] == 0 is wrong (this should be the proper value) and that is the problem to be solved.

I understand it, but for some reason $_SESSION['modx.mgr.user.token'] gets the value 0. And system "not understand" that session is expired, and we not unloged, and some time got Access denied error.

Quote from: Fi1osof at Sep 12, 2013, 12:50 PM

Quote from: pawelmil at Sep 12, 2013, 10:04 AM

Yes. It resolved document saving problem, but there is still problem with gallery image description.

So, you need insert $_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key')); in image updating connector.

Thanks, adding this line into assets/components/gallery/connector.php solved the problem.

Quote from: pawelmil at Sep 12, 2013, 04:42 PM

Quote from: Fi1osof at Sep 12, 2013, 12:50 PM

Quote from: pawelmil at Sep 12, 2013, 10:04 AM

Yes. It resolved document saving problem, but there is still problem with gallery image description.

So, you need insert $_SERVER['HTTP_MODAUTH'] = $modx->user->getUserToken($modx->context->get('key')); in image updating connector.

Thanks, adding this line into assets/components/gallery/connector.php solved the problem.

where you entered the Instruction?

before those lines:
/* handle request */
$path = $modx->getOption('processorsPath',$modx->gallery->config,$galleryCorePath.'processors/');

Quote from: pawelmil at Sep 16, 2013, 07:50 AM

before those lines:
/* handle request */
$path = $modx->getOption('processorsPath',$modx->gallery->config,$galleryCorePath.'processors/');

You also may do this: in /core/model/modx/modconnectorresponse.php
replace $siteId = $this->modx->user->getUserToken($this->modx->context->get('key')); with
$_SERVER['HTTP_MODAUTH'] = $siteId = $this->modx->user->getUserToken($this->modx->context->get('key'));

It`s really not good, but not less good that insert this in many connectors.

Quote from: Fi1osof at Sep 16, 2013, 08:23 AM

You also may do this: in /core/model/modx/modconnectorresponse.php
replace $siteId = $this->modx->user->getUserToken($this->modx->context->get('key')); with
$_SERVER['HTTP_MODAUTH'] = $siteId = $this->modx->user->getUserToken($this->modx->context->get('key'));

It`s really not good, but not less good that insert this in many connectors.

This fix the problem also when uploading files? i.e. from Tinymce or from a tv.

Thanks

Quote from: tillilab at Sep 16, 2013, 10:17 AM

Quote from: Fi1osof at Sep 16, 2013, 08:23 AM

You also may do this: in /core/model/modx/modconnectorresponse.php
replace $siteId = $this->modx->user->getUserToken($this->modx->context->get('key')); with
$_SERVER['HTTP_MODAUTH'] = $siteId = $this->modx->user->getUserToken($this->modx->context->get('key'));

It`s really not good, but not less good that insert this in many connectors.

This fix the problem also when uploading files? i.e. from Tinymce or from a tv.

Thanks

From all, cause all connectors uses modConnectorResponse.

By doing this, you are basically disabling all security checks on your site. If the validation that is supposed to be checked to ensure you have a valid request is bypassed by setting it server side on every request, you are circumventing MODX security.

If someone cares to explore why the value being sent in the REQUEST is getting set to 0 in these environments, we can start to address the actual problem being experienced here.