Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Latest post by nicholas on Monday, 25 March 2024 15:54 CDT
Immediately upon updating AdminTools, I found myself locked out of the admin area. I had to disable via FTP and unblock my account in the MySQL database. As soon as I reenabled AdminTools, I was immediately blocked out again.
Please tell me there's an update coming shortly. Thanks.
The fact that we are having this conversation on a site where Admin Tools is updated before releasing the update to the rest of the world, the fact that nobody else has reported anything similar, and the fact that the changes made cannot block you tell me that it's not a bug in the software. Something else is going on.
For starters, there is something you said that struck me as odd: " I had to disable via FTP and unblock my account in the MySQL database". This sounds like your user account was disabled, not your IP addressed blocked. There are two features which can do that. Neither has been touched in the last two and a half years. One of them is triggered by the number of failed logins, the other is time-based, meaning that both could be incidentally triggered after the update, without the update having anything to do with the trigger. Remember, correlation does not equal causation.
After gaining access to your site's backend go into the Configure WAF page, Hardening Options tab, find "Deactivate users on failed login", find "Number of failed logins" under it and set it to 0. If that solved your problem, the root cause is that you have too many failed logins on your user account which were triggering this feature. Clearly, you don't want this feature, so keep it disabled.
The other feature is time based and does have an exception, but maybe it was not set up correctly. Go into the Configure WAF page, Hardening Options tab, find "Prevent forgotten backend users from logging in" and set it to No. If this worked, you can set it back to Yes and also remember to add your Super User account(s) in the "Protected users" option below it.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
I updated two extensions. AdminTools and the Joomlashack Framework library 17 hours ago. I don't know how to update an extension that wasn't yet released, and I didn't think that the Joomlashack framework affects user records in any way.
So, yes, when I solve the problem using PHPMyAdmin to physically change the block field for my user record from 1 to 0 combined with disabling AdminTools using FTP, and then replicate it, it seems that all roads lead to AdminTools.
There is no record in AdminTools of my IP being blocked. This is a site that is under development. There are only three or four people viewing it typically. I have not had any failed logins in maybe weeks.
Upon review of my existing settings, "Number of Failed Logins" is and always was set to 0.
Also, "Prevent forgotten backend users from logging in" is and always was set to "No".
Trying this for a third time, I enabled debugging and got this message:
array_map(): Argument #2 ($array) must be of type array, string given .../plugins/system/admintools/src/Utility/BlockedRequestHandler.php:682
677 * @return bool
678 */
679 private function isSafeIP()
680 {
681 $safeIPs = $this->wafParams->getValue('neverblockips', '');
682 $safeIPs = array_map(function ($x) {
683 return is_array($x) ? $x[0] : $x;
684 }, $safeIPs);
685
686 if (!empty($safeIPs))
687 {
Hope this helps.
Thank you for your time.
This sounds like your user account was disabled, not your IP addressed blocked. There are two features which can do that. Neither has been touched in the last two and a half years. One of them is triggered by the number of failed logins, the other is time-based, meaning that both could be incidentally triggered after the update, without the update having anything to do with the trigger. Remember, correlation does not equal causation.
After gaining access to your site's backend go into the Configure WAF page, Hardening Options tab, find "Deactivate users on failed login", find "Number of failed logins" under it and set it to 0. If that solved your problem, the root cause is that you have too many failed logins on your user account which were triggering this feature. Clearly, you don't want this feature, so keep it disabled.
The other feature is time based and does have an exception, but maybe it was not set up correctly. Go into the Configure WAF page, Hardening Options tab, find "Prevent forgotten backend users from logging in" and set it to No. If this worked, you can set it back to Yes and also remember to add your Super User account(s) in the "Protected users" option below it.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
This sounds like your user account was disabled, not your IP addressed blocked.
Yes, that's correct. It was blocking me. Disabling the provider.php file alone did not restore my access. I needed to edit my record in the database. When I did both, I could log on.
After gaining access to your site's backend go into the Configure WAF page, Hardening Options tab, find "Deactivate users on failed login", find "Number of failed logins" under it and set it to
0. If that solved your problem, the root cause is that you have too many failed logins on your user account which were triggering this feature. Clearly, you don't want this feature, so keep it disabled.
As previously mentioned, this is -- and always was -- set to 0.
The other feature is time based and does have an exception, but maybe it was not set up correctly. Go into the Configure WAF page, Hardening Options tab, find "Prevent forgotten backend users from logging in" and set it to No. If this worked, you can set it back to Yes and also remember to add your Super User account(s) in the "Protected users" option below it.
As previously mentioned, this is -- and always was — set to "No".
Fortunately for me as the contracted developer, this is only affecting me as a Super Admin. My clients are not having issues logging in as Administrators.
Here is the thing. You are telling me that you are positive the user account is getting blocked (its block field is set to 1), and that it only happened after the last update. This made me look for features which a. block user accounts; b. are date based; and c. are not too obvious.
Since you already checked them, let's go to the other two features which can block a user account.
There is the Temporary Super Users feature. If your user account is marked as a temporary super user and you've reached its expiration date, Admin Tools will automatically set it to blocked. Go to Admin Tools, Temporary Super Users and make sure this is not the case. I had excluded this before because I both thought it's too obvious, and I assumed you are the site's only Super User. Based on your last reply, at least one of these assumptions is wrong.
The fourth and final feature which can possibly block a user account is "Monitor Super User accounts". Go to Configure WAF, Hardening Options, and disable "Monitor Super User accounts". If that works, you can re-enable it afterwards. When you disable, save, re-enable, and save again you reset this feature. I excluded this feature because it has not been changed since October 25th, 2021 and you told me you have a problem only since the last update. It is, however, possible that its file was previously missing for whatever reason and the update simply added it back, therefore you are now seeing a problem caused by a setting you had changed a long time ago.
That's it. There is absolutely nothing else in Admin Tools which can block a user account. Everything else blocks the request and (eventually) might block your IP address.
Which brings me to a final check. I know that you said the user account is disabled. But is it at all possible that your IP is blocked as well? Have you checked that? If not, please do.
Other things which can and will block your user account are, of course, core Joomla! features. If you are using Joomla's privacy component and you don't accept the ToS your account will be blocked. If you ask for a password reset your account becomes deactivated. Have you checked if those things, unrelated to Joomla!, happen?
Finally, the deprecation notice you mentioned is exactly that. It's not an error. It also goes away when you save the Admin Tools configuration.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
The fourth and final feature which can possibly block a user account is "Monitor Super User accounts". Go to Configure WAF, Hardening Options, and disable "Monitor Super User accounts". If that works, you can re-enable it afterwards.
That seems to have done the trick, at least for me. Previously, my client who is assigned Administrator status, saw the same error and couldn't log in. I'll see if this happens again.
Which brings me to a final check. I know that you said the user account is disabled. But is it at all possible that your IP is blocked as well? Have you checked that? If not, please do.
I checked twice. There's no record showing anything getting blocked for the past two months, and most of that is information brought over from the version 3 site. I never received an email notification either.
If you are using Joomla's privacy component and you don't accept the ToS your account will be blocked. If you ask for a password reset your account becomes deactivated. Have you checked if those things, unrelated to Joomla!, happen?
I've never interacted with the privacy component and I've never seen any related notification.
This last version has definitely not touched the Monitor Super User accounts feature. As I told you, last time we changed it - excluding the copyright date update in the comment at the top of the file - was October 2021. This is not me trying to remember, this is me looking at the Git log of the file implementing this feature.
What we do know is that if anything messes with the Super User accounts outside of Joomla's backend Users component, or the user groups privileges change, the list used internally by this Admin Tools feature is no longer in sync with the state of who is a Super User and accounts can and will get blocked. This is what this feature is supposed to do: if someone messes with the Super User designation, it protect your site by instituting a lock-out, therefore an attacker who tried to escalate their privileges will leave empty-handed.
When you disable this feature the internal list is removed. When you re-enable it, it's re-created. This is also intentional, so that you can reset the state of this feature if any changes made to your site were intentional e.g. someone became a Super User while the plugin was disabled, you had a CLI script create Super Users, or whatever else. This has been the case since April 2017, when this feature was added to Admin Tools (again, I am looking at the Git log which links to our GitHub issue tracker which has the notes of the original implementation; I am not trying to magically remember what happened 7 years ago, my memory is nowhere near that good).
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
I appreciate your in depth explanation on how Admin tools works, but unfortunately I still have no idea on how to resolve this issue. If I reenable the extension, my clients and I get locked out. If I keep it disabled, the site is less protected.
Can you suggest a course of action from here? This site is supposed to go live early next week.
Thanks.
I am a bit confused. You said that disabling the Monitor Super User Accounts solved the problem for you. Did it, or did it not...?
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Sorry, no it does not.
Disabling Monitor Super User Accounts does allow me to log in, but it still locks out my clients who have Administrator rights. However, unlike me, it does not disable their accounts. I still have to disable AdminTools to allow them access to the backend.
There is only one other level of user in this system. Their credentials only give them access to a front end form. I haven't tested their access yet.
The Monitor Super User Accounts feature only affects Super Users, as the name implies. It has nothing to do with Administrator or below.
Moreover, since their accounts are NOT blocked you can easily deduce that any of the features we discussed here – all being features which block a user's account – are NOT in play.
Your users are blocked by something else. Ask them for their IP addresses when they are blocked and check the Blocked Requests Log for entries with these IP addresses around the time they are blocked (remember, times may appear in the UTC timezone). This will tell you why their IP address is blocked. I could make a wild guess (administrator secret URL parameter), but I'd like you to check the log so we can be certain.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Looks like I'm going to chalk this one up to gremlins. I tested it this morning to see if it would block my test Administrator account, and it did not. Then I tested it to see if would block my Super User account, and again, it did not.
Thanks for your help and patience. The site is now live without any obvious issue.
Randy
You're welcome!
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.
Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!