Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#18577] - Make it easier to diagnose "You are not authorized to view this resource" errors

?
avatar Spudley
Spudley
15 Nov 2017

I recently had an issue where my site was reporting You are not authorized to view this resource when the user logged in.

It was really tricky to diagnose, because neither the site nor the back-end gave me any clues at all as to what resource it was that it was telling me I couldn't access.

There are a number of possible causes for this error. I'm aware that it is usually caused by access permissions, so I looked there first; scanning through all the articles, menus, modules, etc to find one with the wrong permissions. In the end, the cause was that the site owner had been playing in the plugins area, and had inadvertently disabled a user plugin associated with one of the main components on the site. Re-enabling the plugin solved the problem.

But it would have saved me a good couple of hours of digging if Joomla had just told me that in the first place, or at least given me a bit of a clue.

Is there any way we could implement something that catches generic errors like this and writes a log entry with more useful details of the problem? Or even just provide an event hook for error messages so that they can be picked up by a third party logging system like LogMan?

avatar Spudley Spudley - open - 15 Nov 2017
avatar joomla-cms-bot joomla-cms-bot - change - 15 Nov 2017
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 15 Nov 2017
avatar franz-wohlkoenig franz-wohlkoenig - change - 15 Nov 2017
Category Administration
avatar franz-wohlkoenig franz-wohlkoenig - change - 15 Nov 2017
Category Administration Administration com_users
avatar ggppdk
ggppdk - comment - 15 Nov 2017

Yes it is annoying

When the message JERROR_ALERTNOAUTHOR is thrown by an exception,

  • then enabling debug will tell you where it is occuring, so it is easier in the above case

but when, inside a plugin, the code is like this

$app->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error');
$app->redirect(...);

or getting the error from the model ... inside a controller

$this->setMessage($model->getError(), 'error');
$this->setRedirect(...);
return;

then nothing tells you where exactly it occured, you can only estimate where

avatar franz-wohlkoenig franz-wohlkoenig - change - 15 Nov 2017
Status New Discussion
avatar tonypartridge
tonypartridge - comment - 15 Nov 2017

What about using sprintf and having a file location and line number output within it when in debug mode?

avatar Quy
Quy - comment - 16 Nov 2017

This PR #16814 could be related.

avatar ggppdk
ggppdk - comment - 16 Nov 2017

This PR #16814 could be related.

When we have an exception the by enabling debug we can already see where the exception is occuring

the problem is when some code "enqueues" and a no-access message, (see my examples above) and then it redirects, in such a case there is no easy way to find where the no-access thing has occured, especially when such code is inside a plugin

avatar brianteeman
brianteeman - comment - 4 Jan 2018

This sounds a really bad idea to me. Why? Well it might be useful when debugging a problem but it will also reveal what "security" is in place and specifically where. In addition it might be meaningful to a developer but its just useless garbage to a regular user.

avatar Spudley
Spudley - comment - 4 Jan 2018

@brianteeman - you mean the original idea is bad? I'm not looking to reveal anything to the end user or for anything to change for them. As you say, security messages are best left pretty generic. It is only the developer / site owner that needs this, so any additional info can be hidden behind debug mode, or something like that.

avatar brianteeman
brianteeman - comment - 4 Jan 2018

As long as its not revealed to the end user then thats fine

avatar brianteeman brianteeman - labeled - 25 Mar 2018
avatar jwaisner jwaisner - change - 11 Mar 2020
Status Discussion Information Required
avatar joomla-cms-bot joomla-cms-bot - unlabeled - 11 Mar 2020
avatar jwaisner
jwaisner - comment - 11 Mar 2020

@Spudley is this still happening in the latest J3?

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/18577.

avatar Spudley
Spudley - comment - 11 Mar 2020

@jwaisner I haven't encountered it recently, but I suspect I'd still have a similar problem given the same set of circumstances; I don't think anything has changed in this area.

avatar jwaisner jwaisner - change - 11 Mar 2020
Status Information Required Closed
Closed_Date 0000-00-00 00:00:00 2020-03-11 21:52:54
Closed_By jwaisner
avatar joomla-cms-bot joomla-cms-bot - change - 11 Mar 2020
Closed_By jwaisner joomla-cms-bot
avatar joomla-cms-bot joomla-cms-bot - close - 11 Mar 2020
avatar joomla-cms-bot
joomla-cms-bot - comment - 11 Mar 2020

Set to "closed" on behalf of @jwaisner by The JTracker Application at issues.joomla.org/joomla-cms/18577

avatar jwaisner
jwaisner - comment - 11 Mar 2020

Since this cannot be reconfirmed at this time we will close this issue. However if this does appear to be a bug in current versions, please open a new item.

This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/18577.

Add a Comment

Login with GitHub to post a comment