#21600 WAF Exception for Custom URL

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by Councillor on Tuesday, 02 December 2014 08:36 CST

Councillor
Before I upgraded to Admin Tools 3.1.1 a custom URL I used for parameter passing of an Ohanah (v2.3.15) event id to a Fabrik (v3.0.9) form worked, but since the upgrade it doesn't, so I'm suspecting a feature in Admin Tools is the cause and would like to know how I can set an exception for it.

I have read and tried variations of the WAF Exception settings for the components involved, which are com_content, com_ohanah, and com_fabrik. Setting exceptions with only these three components, and leaving the View and Query blank/(All) didn't work for me.

The arrangement is, I have an Ohanah event where I'm using the custom url option to link to a Fabrik form and where the Ohanah event id parameter is passed in the url as follows:

http://www.mysite.org/index.php/request-form/?ohanah_event_id={EVENT_ID}

From the support advice I got from Ohanah this query is used to pass the event id value for any particular event in a list of events (mod_ohanahevents) the user may choose, to the form, so that its value (e.g. event date) can be shown and stored with the form.

The links from the event list module to the form when clicked and working should be, for one example (id=27):

http://www.mysite.org/index.php/request-form/?ohanah_event_id=27

Hoping you can point me in the right direction. I can give Admin access if needed.

tampe125
Akeeba Staff
Hello Malcolm,

you can exclude Admin Tools by setting up a Query parameter exclusion.
Simply leave the component and view fields empty and put the value ohanah_event_id inside the Query field.
In this way Admin Tools won't block requests using that parameter.

As a final note, which security exception is raised when trying to use that custom url? Please remember that only a small subset of checks could be excluded using WAF Exceptions.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Councillor
Hello Davide,

Thanks for the quick response. I tried with only one WAF Exception: nocomponent (all), noview (all), query (ohanah_event_id), unfortunately it didn't work.

The security exceptions raised are:
"Sorry, but you are not authorised to add this record" and
"You are not authorised to view this resource"

I experimented with permission settings and found this workaround:
I found that when logged in as superuser, it worked.
Registered users didn't work, so I experimented.
If I added Author to the Registered group access it works (adds create and edit).

Malc

tampe125
Akeeba Staff
Admin Tools does not perform checks using Joomla ACL, but only using its own settings (IPs in first place). I suspect that the error comes from the other component.
Can you please disable Admin Tools System plugin and try again?
If you get the same output it means that the error is not caused by Admin Tools, but by another extension, most likely the one you are trying to interact with.

Davide Tampellini

Councillor
Hi Davide,

Disabled Admin Tools plugin and the problem persisted, so nothing at all to do with Admin Tools. Should have tried that before, duh!

You put me on the right track anyway. Turns out when fiddling with the Viewing Access Levels for Special, I didn't have the Registered group ticked. Obviously still on the learning curve of ACL :)

Thanks for helping me figure this out. All good now, and at least I'm more aware of what Admin Tools can do.

Malc
