Revolution 2.4.1-pl setup error: Class 'modAccessibleObject' not found

Thanks for all the digging.

MODX is very finicky about Manager passwords, but probably not database passwords. Just out of curiosity, see if you can create a new user from inside the Manager with the second password above. I suspect that you'll get an error message.

The fact that those classes are loading for everyone else raises the question of what's different about your situation. Most people use pretty vanilla Manager passwords, so that could definitely be it. The question is how that could influence the class loading.

I'm pulling most of this out of my butt, but the $modx object is probably instantiated pretty early in Setup and that could lead to permission checks. That suggests that setup logs you in (or at least sets $modx->user) in code after creating the user. If the unaccepted password prevents the user from being created, $modx->user would be null. Maybe the autoloader has a permission check in it for security, but doesn't throw a fatal error when the security check fails.

> MODX is very finicky about Manager passwords, but probably not
> database passwords. Just out of curiosity, see if you can create
> a new user from inside the Manager with the second password above.
> I suspect that you'll get an error message.

Suprisingly, no. The new user created without so much as a failed reload. The only error I got was for trying to get away with not specifying an e-mail address.


As for the $modx object and security in general, unfortunately - to my knowledge - you can't hide a variable based on security, and most importantly - even if you somehow did (e.g. by erasing the variable on error), it would be unavailable to the rest of the code. PHP doesn't support security-based scoping and variable visibility (AFAIK, no language does). As for not creating the user object in the first place, the error was a simple "failed to connect to the database @ 'IP' (using password: yes)". I made extra sure to specify the port each time, because the host uses a different SQL server port for obscurity reasons. On a side note, I don't see why anybody would bother to change the format from address:port to address;port=port in the Setup script, when the standard format (addr:port) is used in the XML.

Also, as far as populating the ->user property, during Setup I don't see how any security checks could fail - the security system is not in place yet, because there's nothing to secure. And as far as I've seen, the class loader doesn't do any security checks at all. All the loader does is organize and load the various chunks of code required for the thing to function properly - any failure of security at this stage would imply an error in the code, seeing as you can't verify security w/o all of the verification code in place...

And, regardless of how it actually works, not throwing a fatal error during SETUP (ie. installation, not use, of software) due to failed security checks would be bad design on multiple levels. Not only does it do nothing to further security (whose security, at this point?), it prevents the issue from being properly understood and debugged. The SETUP might as well finish with a "Success!" for all the good it would do.


For a short time, I thought that my problematic passwords cause a variable overflow somewhere in the code (which is hard to do with PHP, but possible), or - more likely - cause some of the parsed code to go out-of-scope with relation to the rest of the environ, but that doesn't seem to be the case. It merits digging around, though -- the moment you start preloading your code as strings and managing them as such, it's then up to you (the coder/designer) to prevent buffer overflows and memory overwrites, as it would otherwise fall to the executing parser thread. But from what I've seen, that's not exactly the case here. Like I said, it merits digging around.

Any plugins installed? They can crash setup. Sorry I can't be much help now -- pinched nerve in my shoulder -- can only type with one hand.

I honestly do not know - are there any plugins installed within the vanilla download from the site?

I may have failed to mention this, but I was doing a completely fresh Setup, from the .zip file I got from modx/download, on a virgin host (no files except .htaccess, no database tables in the database). I was doing a new installation, not an upgrade. I apologize if I failed to clarify that.

The Evo installation I talked about is hosted on a completely different machine, under a completely different domain (on a completely separate hosting service, to boot).


On a side note: Sir, I admire Your dedication! In those circumstances I'd be laying down, not typing up responses on a web forum. Please take it easy - this is by no means critical now as I've managed to complete Setup. I'm now working on migrating the site (already bought Your GoRevo plugin/solution), and I'm running into issues with things like YAMS and such - but nothing strictly related to the Setup at this point.

I honestly do not know - are there any plugins installed within the vanilla download from the site?

No.

I apologize for writing in the old topic, but I myself got such a mistake.

Fatal error: Class 'modAccessibleObject' not found in ...\core\model\modx\modnamespace.class.php on line 17

The problem was in a SQL-password like "\abcde" or "abc\de" (without quotes).

Although this is very strange. I have been using this password for several years and during this time I installed MODX dozens of times and never had problems.

And today I can not bypass this mistake. I tried to install MODX Revo 2.5.0, 2.5.1, 2.5.5. I changed the version of MySQL from 5.5 to 5.7. I changed PHP versions from 5.5 to 7.0. Installed MODX on the hosting and local computer. Nothing helps.

I noticed that on my old sites the password "\abcde" turned into "\\abcde" in /core/config/config.inc.php on line 8

I did not waste any more time on this problem. Just changed my password.

But I noticed that in the file /setup/controllers/database.php on lines 34, 60-68 there is a check for the use of forbidden characters. But the warning does not appear.