Support

Admin Tools

#18306 J3.2 front end module editing capability

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Tuesday, 26 November 2013 08:10 CST

Tuesday, 26 November 2013 00:15 CST

webcoast
Hi,
I noticed today that in Joomla 3.2, front end editing now has the ability to edit modules as well as articles. YAY!!
But, when I clicked on the edit icon in the corner of the module (even just a plain HTML one) I was taken to a new page which redirected to the homepage. (Different to if I click on the edit icon in an article, which opens the editor in the same window).

I searched for articles about this new functionality in J3.2 and found this:
http://joomla4web.com/226-front-end-module-editing-in-joomla-3-2

So it would appear that when you try to edit a module from the front end, you will be redirected to the module edit screen in the backend. However, if you are not currently logged into the backend (why would you be, you’re using the nice & simple front end), then you are redirected to the /administrator login page. Except, that if you have Akeeba Admin Tools set up with secret word you will get redirected to the home page because you are missing the secret word parameter. Hmmm. And this will create a security exception.

I am not using two factor authentication - either from Joomla core, or from Admin Tools. I just use secret word and administrator password protection (at this stage).

Is this a bug, or should we not be using secret word parameter any more?

Thanks for your help, I hope I have explained it properly.
Nicola

Tuesday, 26 November 2013 00:53 CST

nicholas
It's not a bug. In your post you described exactly what happens and why. It is by design. If we turn off the administrator secret URL parameter for unauthenticated users trying to access the module or menu editor we might just as well remove that feature, drop our pants and lube our anuses because hackers will start using that URL to circumvent the protection. It's like having the most expensive fortified door on your house and stick a not on it reading "THE KEYS ARE IN THE FAKE ROCK IN THE FLOWER POT NEXT TO THE DOOR". Yeah, sure, it helps the cleaning lady get in the house, but it's an invitation to burglars, don't you think?

Proper solution: You will have to remember to log in to your site's back-end before clicking a module or menu edit button in the front-end of your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 26 November 2013 01:51 CST

webcoast
Thanks for your reply Nicholas, and in the mean time I will include into my documentation for my clients, that if they want to use front end editing of modules & menu items they need to login to the backend first.

But is there not a way to make a better solution? It seems a shame to finally have this functionality in the front end, but still have to login to the backend first to be able to utilise it. While I am very familiar with the backend, the concept of modules/articles/menu all being separate doesn't seem to be as easy to understand for my clients and they much prefer the simplicity of the front end. Of course this backend layout has nothing to do with Akeeba, and your products are excellent.

No doubt you will tell me that you have already considered all options, and suggest that I am an idiot for even thinking that you had not considered it, but, at the risk of being berated..... could the secret word be prompted for from the front end between clicking on edit module, and then appended to the administrator login URL? Assuming that the person has already logged into the front end with administrator rights of course.

My sites are set up with 'allow user registration' set to off, which is fine for the types of sites that we build, but obviously not an option for a lot of other people's sites. So, if someone is logged in to the front of one of our sites they are already super-user authenticated as they have entered their userid & password. Can Admin Tools add an extra field there for the secret word, or is that leaving the key out for the cleaners again?

If I am missing something blindingly obvious I'm sure you will tell me!
Regards, Nicola

Tuesday, 26 November 2013 08:10 CST

nicholas
> could the secret word be prompted for from the front end between clicking on edit module, and then appended to the administrator login URL

No.

> So, if someone is logged in to the front of one of our sites they are already super-user authenticated as they have entered their userid & password.

The front-end and back-end of your site are actually different applications. The Joomla! CMS ships with three different, unrelated and isolated applications:
- The web installer, used to install Joomla! and then removed from your site
- The public front-end
- The administrator back-end
They are isolated application spaces. Logging in to one doesn't log you in to the other. This offers a huge security benefit as the public front-end is very limited and even if it's compromised it will lead to a simple defacement in the worst case scenario. If the back-end is compromised you are so screwed that the word "screwed" blatantly fails to express the very deep crap you have landed in.

> Can Admin Tools add an extra field there for the secret word, or is that leaving the key out for the cleaners again?

No. If you want to perform this kind of validation it's far better using Joomla! 3.2 and its two factor authentication. That's why I wrote that code and got it included in the Joomla! CMS. It allows you to have a publicly visible back-end login page but make it practically impossible for an attacker to log in without having your two factor authentication device (smartphone or YubiKey in the current version).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!