have a site which is having these blocking errors appearing. The client is logging in to use EasyBlog and is getting hit with this. What setting (I looked and couldn't see what) do I need to adjust to stop this? Thanks.
#31401 Backend Edit Admin User & Frontend Edit Admin User blocking
Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a
Latest post by on Monday, 22 July 2019 17:17 CDT
Wednesday, 29 May 2019 13:06 CDT
trogladyte
Wednesday, 29 May 2019 21:16 CDT
dlb
Go to Web Application Firewall, Configure WAF, to the Hardening Options tab. The two settings that are causing you problems are "Disable editing backend users' properties" and "Disable creating / editing backend users from the frontend".
The intent of the first one is to keep users from changing their own settings - including escalating their privileges.
The second one is to stop privilege escalation from the front end.
Your blog extension is writing something back to the user account, which violates these two settings. You're going to have to disable both settings in order to use the blog extension.
The intent of the first one is to keep users from changing their own settings - including escalating their privileges.
The second one is to stop privilege escalation from the front end.
Your blog extension is writing something back to the user account, which violates these two settings. You're going to have to disable both settings in order to use the blog extension.
Dale L. Brackin
Support Specialist
English: nativePlease keep in mind my timezone and cultural differences when reading my replies. Thank you!
????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)
Thursday, 30 May 2019 12:24 CDT
trogladyte
Thanks for the reply Dale.
I have disabled both so we'll see how it goes. Interestingly, I use EasyBlog on multiple sites and this is the only time I've ever had this issue (though that could be due to both recently being updated). I had also, prior to writing, added com_easyblog to the WAF Exceptions list, but, unlike I expected, this did not bypass the blocking. Am I incorrect in expecting adding to this area makes Admin Tools ignore that particular extension?
I have disabled both so we'll see how it goes. Interestingly, I use EasyBlog on multiple sites and this is the only time I've ever had this issue (though that could be due to both recently being updated). I had also, prior to writing, added com_easyblog to the WAF Exceptions list, but, unlike I expected, this did not bypass the blocking. Am I incorrect in expecting adding to this area makes Admin Tools ignore that particular extension?
Thursday, 30 May 2019 12:38 CDT
dlb
I can tell that EasyBlog is trying to write something to the users table. I'm not familiar with EasyBlog, so I don't know what it's trying to write. It is possible that the other installations are configured differently and do not try to write to the users table. That would explain why only this one has the problem.
The WAF Exception was a good idea. In this particular case it didn't override the security settings on on the users table. Admin Tools ignored where the change was coming from and enforced the table protection.
The WAF Exception was a good idea. In this particular case it didn't override the security settings on on the users table. Admin Tools ignored where the change was coming from and enforced the table protection.
Dale L. Brackin
Support Specialist
English: nativePlease keep in mind my timezone and cultural differences when reading my replies. Thank you!
????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)
Thursday, 30 May 2019 12:42 CDT
trogladyte
OK thanks for the explanation. I'll write to StackIdeas (who publish EB) and see what they say. I suspect the write that's happening is that, when a new post (or edit too I guess) is done, EB assigns it's ownership to an Author. I bet it's this interaction that is triggering Admin Tools.
Cheers
Cheers
Thursday, 30 May 2019 12:48 CDT
dlb
You're welcome!
Dale L. Brackin
Support Specialist
English: nativePlease keep in mind my timezone and cultural differences when reading my replies. Thank you!
????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)
Monday, 22 July 2019 17:17 CDT
System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.