Support

Admin Tools

#38001 auto-ban when editing articles from front-end with Joomla 4

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
4.2
PHP version
8.1
Admin Tools version
7.1.11

Latest post by nicholas on Thursday, 10 November 2022 01:26 CST

Monday, 07 November 2022 13:29 CST

woluweb

Hi,

I report this because I have the feeling that some Default setting of Admin Tools is too strict. Let me explain the context: on several on my new (independent) J4 websites put into production, Super Users editing the articles *from the front-end* are blocked... and I receive such a notification.

IP Address: 86.107.123.214 (IP Lookup: {IPLOOKUP}) Last Blocked Request Reason: IP auto-ban Blocked until: 2022-11-07 11:41:55

It is not at the first Save but at the 3rd.

The url of the page was like
/blabla/mode-demploi?view=form&layout=edit&a_id=35&return=aHR0_____

After the page was blocked in the front-end the url was becoming

/blabla/mode-demploi?a_id=35 (with the usual blocking explanation text).

What rule of "auto-ban" would cause front-end editing to be impossible (and should this particular case not be excluded from auto-ban :) )  ?

Txs,

Marc

PS: in the case I had today, it is not even a migrated site, it was a totally new/fresh J4 website (so this behaviour is not coming from some old configuration of Admin Tools for J3)

Tuesday, 08 November 2022 01:58 CST

nicholas

Hello Marc,

Please check the Blocked Requests Log. It will tell you the Reason the requests from this IP address were blocked and the Target URL. I need both to help.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Tuesday, 08 November 2022 11:21 CST

woluweb

Txs Nicholas for pointing me to "blocked request log". I am always a bit lost in Admin Tools bc of the many buttons and options :)

Here is the request which is blocked when editing from front-end (with native TinyMCE) :

2022-11-08 17:19:09 UTC    193.91.117.205 tmpl= in URL https://www.___.be/index.php?tmpl=jeditor&v=f0fcbeb59623d9e4891b9485d83c7008

Tuesday, 08 November 2022 23:57 CST

nicholas

Components, Admin Tools for Joomla, Web Application Firewall, Configure WAF, Cloaking. Find List of allowed tmpl= keywords and add jeditor to the list. Click on Save & Close.

For what it's worth, this has to be a third party plugin causing this request. There is no tmpl=jeditor used anywhere in Joomla 4. Some 3PD is doing something they know they shouldn't be doing and tries to muddy the waters by pretending it's Joomla core code?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Wednesday, 09 November 2022 15:50 CST

woluweb

Okidoki, I have teste further.

Actually the url in the browser when editing was

https://www.__.be/administration/mode-demploi?view=form&layout=edit&a_id=35&return=aHR0cHM6Ly93d3cuYW50aXBvZGUuYmUvYWRtaW5pc3RyYXRpb24vbW9kZS1kZW1wbG9p

But in Admin Tools, the url which is blocked is

https://www.__.be/index.php?tmpl=jeditor&v=73b4cc75c6375e8f7d4017fbd06ba08b

Then I thought of the only thing that I use which is not native, namely "True WYSIWYG TinyMCE" by Dimitris Grammatikogianis (https://wysiwyg.dgrammatiko.dev/)

I guess that it makes a certain request of its own... and it is that request which would be blocked.

And indeed I double checked: in its script.php file I can read jeditor (see hereafter).

So mystery solved...

Txs again.

 

<?php defined('_JEXEC') || die('Restricted access');
use Joomla\CMS\Factory; use Joomla\CMS\Installer\Adapter\PluginAdapter; use Joomla\CMS\Installer\InstallerScript;
class plgSystemTtctinymceInstallerScript extends InstallerScript {   public function install(PluginAdapter $parent)   {     $parentInstance = $parent->getParent()->getInstance();     $paths = $parentInstance->get('paths');     if (is_file($paths['source'] . '/extras/jeditor.php')) {       if (is_dir(JPATH_ROOT . '/templates/cassiopeia')) {         copy(           $paths['source'] . '/extras/jeditor.php',           JPATH_ROOT . '/templates/cassiopeia/jeditor.php'         );       }       if (!is_dir(JPATH_ROOT . '/media/templates/site/cassiopeia')) {         mkdir(JPATH_ROOT . '/media/templates/site/cassiopeia/js', 0755, true);       }       if (is_dir(JPATH_ROOT . '/media/templates/site/cassiopeia')) {         copy(           $paths['source'] . '/extras/formats.json',           JPATH_ROOT . '/media/templates/site/cassiopeia/js/formats.json'         );         copy(           $paths['source'] . '/extras/style_formats.json',           JPATH_ROOT . '/media/templates/site/cassiopeia/js/style_formats.json'         );       }     }   }

 

Thursday, 10 November 2022 01:26 CST

nicholas

Dimitris should have known better. Of course, every time I have tried talking to him he threw his toys out of the pram so I've ultimately blocked him.

To all third party developers out there: DO NOT USE tmpl=something. EVER.

The tmpl query string parameter is meant to select which template file will be handling the output of the request. The valid options are index, component, error, system, and raw. You never specify index or error directly. The component option loads the output using the template's component.php file (or falls back to Joomla's templates/system/component.php file), therefore it can load some of the template's CSS (but not most of the site's chrome and definitely no modules). The raw and system options are the same, they don't use the template at all.

The tmpl query string parameter had been abused in Joomla 1.5 as an operation selector, e.g. using tmpl=unsupported to display an "unsupported browser" message to Internet Explorer 6. This was not necessary back then and is definitely not necessary now. You CAN use a custom query string parameter if you absolutely have to, though the recommended way to do AJAX requests is through com_ajax which has existed for well over a decade.

Unpopular but brutally honest opinion: Developers who have still not figured out com_ajax exists in Joomla should not be called developers; at best, they are scripters.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!