Error when clicking Leave a Rating

GrnEyedDvl

I don't think anyone has reported it this way yet though I did see a ton of posts about rating errors on Resources.

The problem is that if you have not downloaded the Resource, and you click Leave a Rating, it tells you Ooops! And to check your console for errors. This is misleading. It makes you think there is an actual error, when there is not. Or rather it's a user error not a technical error.

If you download the Resource then the problem is fixed, because you can now Leave a Rating.

When you click Leave a Rating and you have NOT downloaded the file, it should tell you that you have not downloaded the file. Not give you an erroneous error.
 
No. Here it allows me to leave a rating even though I have not downloaded it. I did not actually leave a rating as I have no intention of downloading this but it does not give me the error and does bring up the window allowing me to type a rating.

This is a brand new install of XenForo 2.3.6 running as a test before I import 600,000 users and 15 million posts. No other plugins installed. Not even any real theme work yet. It's 2 days old.


That's a test bed, but I will set up an account for any XenForo staff member you want. That's on a self hosted machine running nginx and ISPConfig 3. If you want a phpinfo I can set that up.

EDIT: Allowing me to leave a rating without downloading it is almost just as bad, except it doesn't make you run around looking for errors. Maybe that should be an option:

Allow Ratings without Download?
 
No. Here it allows me to leave a rating even though I have not downloaded it. I did not actually leave a rating as I have no intention of downloading this but it does not give me the error and does bring up the window allowing me to type a rating.

This is a brand new install of XenForo 2.3.6 running as a test before I import 600,000 users and 15 million posts. No other plugins installed. Not even any real theme work yet. It's 2 days old.


That's a test bed, but I will set up an account for any XenForo staff member you want. That's on a self hosted machine running nginx and ISPConfig 3. If you want a phpinfo I can set that up.

If you open the console (F12), do you see any errors?
 
On mine? Yes, but it makes no sense. It's a 403 forbidden to an unspecified file.
Code:
            <h1>ERROR 403 - Forbidden!</h1>
        </div>
        <div id="content">
            <h2>The following error occurred:</h2>
            <p>You are not permitted to access the requested URL.</p>
            <P>Please contact the <!--WEBMASTER//-->webmaster<!--WEBMASTER//--> with any queries.</p>
        </div>
 
That response is from your web server and not XF. It's likely intercepting the 403 response from XF. You can check the web server error logs to confirm, and adjust your web server configuration to fix it.
 
Ok I just discovered something... unusual.

ISPConfig has its own error docs beyond the default nginx error docs. So every site has a web directory that is setup as a vhost and inside that directory is a folder with error docs so each site can have custom 503 pages or whatever.

In the ISPConfig control panel, you can turn that feature on or off. If it's on then it pulls from the vhost web/error folder. If you turn it off it pulls from the nginx default files.

When I have that turned on, I get the Ooops! error. When I turn off the custom docs it tells me I have not downloaded the file yet.

So someplace in between me clicking the Leave a Rating button and XenForo telling me I have not downloaded it yet, ISPConfig is trapping that as an error, but instead of displaying the custom error page it's kicking back to Xenforo which tells me Ooops.
 
That response is from your web server and not XF. It's likely intercepting the 403 response from XF. You can check the web server error logs to confirm, and adjust your web server configuration to fix it.
Why would XenForo throw a 403? That is the problem. It should tell me I have to download it without calling it an error.
 
The error log is empty, as I expected. It never actually threw the custom error 403 page from ISPConfig so it wasn't logged.
Code:
root@thor:/var/log/ispconfig/httpd/xenforo.twcenter.net# ls -al
total 16
drwxr-xr-x  2 root root 4096 Apr  6 18:11 .
drwxr-xr-x 10 root root 4096 Apr  5 10:21 ..
-rw-r--r--  1 root root    0 Apr  6 00:00 access.log
-rw-r--r--  1 root root    0 Apr  6 18:11 error.log
-rw-r--r--  1 root root   30 Apr  6 18:11 error.log.1.gz
-rw-r--r--  1 root root   30 Apr  5 18:14 error.log.2.gz
 
Why would XenForo throw a 403? That is the problem. It should tell me I have to download it without calling it an error.
Or better yet, not even display the Leave a Rating button unless you have downloaded it. When logged out (Guest access) both the Download and Leave a Rating button are gone. This is how the Leave a Rating button should work.
 
A 403 is the correct status code for a response to a request you don’t have permission to make, per the HTTP specification.

We set other error codes appropriately too, the web server should not intercept any of them. It’s a server specific configuration issue so I’m afraid I can’t offer much advice other than to ask your host or vendor.
 
A 403 is the correct status code for a response to a request you don’t have permission to make, per the HTTP specification.

We set other error codes appropriately too, the web server should not intercept any of them.
No, that is not how 403 is supposed to be handled. A 403 is something forbidden server side, not application side. Such as if you tried to browse a file in a restricted folder or execute a .php folder in a file with execution denied. This is not something nginx is forbidding because I configured something in the host file.
 
I'm sorry, but I'm afraid that's not true. From XenForo's perspective, it is the server handling the request and wants complete control over the response. In case there may be some confusion, here's what the 403 response looks like in this exact situation on a properly configured web server:

[Attached image: 1743988477344.webp]

The error you are seeing instructing you to check your console, and the resultant error response logged in the console, is due to the 403 response from XenForo being overwritten by other software.
 
it is the server handling the request and wants complete control over the response. In case there may be some confusion, here's what the 403 response looks like in this exact situation on a properly configured web server:
I already told you I could get it to say that, if I disabled custom error pages. Literally the only difference in the vhost file is that nginx recursive error pages are enabled. What is "improper" about that?

Code:
recursive_error_pages on;

This is the vhost file that causes the 403.
Code:
server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;
        ssl_protocols TLSv1.3 TLSv1.2;
        listen [::]:443 ssl http2;
        ssl_certificate /var/www/clients/client1/web8/ssl/xenforo.twcenter.net-le.crt;
        ssl_certificate_key /var/www/clients/client1/web8/ssl/xenforo.twcenter.net-le.key;

        server_name xenforo.twcenter.net ;

        root   /var/www/xenforo.twcenter.net/web/;
        disable_symlinks if_not_owner from=$document_root;

        index index.html index.htm index.php index.cgi index.pl index.xhtml standard_index.html;

        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;

        location = /error/400.html {
            internal;
            auth_basic off;
        }

        location = /error/401.html {
            internal;
            auth_basic off;
        }

        location = /error/403.html {
            internal;
            auth_basic off;
        }

And this is the vhost that does not throw the error.
Code:
server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl http2;

        ssl_protocols TLSv1.3 TLSv1.2;
        listen [::]:443 ssl http2;
        ssl_certificate /var/www/clients/client1/web8/ssl/xenforo.twcenter.net-le.crt;
        ssl_certificate_key /var/www/clients/client1/web8/ssl/xenforo.twcenter.net-le.key;

        server_name xenforo.twcenter.net ;

        root   /var/www/xenforo.twcenter.net/web/;
        disable_symlinks if_not_owner from=$document_root;


        index index.html index.htm index.php index.cgi index.pl index.xhtml standard_index.html;




        location ~ /\. {
                        deny all;
        }

        location ^~ /.well-known/acme-challenge/ {
                        access_log off;
                        log_not_found off;
                        auth_basic off;
                        root /usr/local/ispconfig/interface/acme/;
                        autoindex off;
                        index index.html;
                        try_files $uri $uri/ =404;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
            expires max;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

If you are telling me that this is improperly set up then you should point out where, because this works on every other site I have ever set up with every other software package I have ever set up. This is why it's automated in ISPConfig, because it works. This is the nginx way of setting custom error docs.

If I go set this up on lighttpd I bet it's the same issue.
 
I apologize, I missed that among your successive messages. If you've made server configuration changes and you're getting that message now and not the one about checking the console, then everything seems to be working as you wanted and we intended:

When you click Leave a Rating and you have NOT downloaded the file, it should tell you that you have not downloaded the file. Not give you an erroneous error.

What is "improper" about that?
This feature intercepts error responses from applications (like XenForo) with their own. That's a fine feature and appropriate for some applications, but it's not compatible with XenForo.
 
I apologize, I missed that among your successive messages. If you've made server configuration changes and you're getting that message now and not the one about checking the console, then everything seems to be working as you wanted and we intended:

I posted new information as I got it, sorry if that looks spammy.

No, it doesn't work as intended as I cannot use custom error pages when there is a real error such as a php or mysql service problem. If mysql crashes I should be able to have a custom error page with specific info on it, not be forced to use a generic one.

Now sure, since I own the server, and it only has my sites on it, I can make the default nginx error pages say whatever I want. But for someone on a shared hosting platform that is a problem. They are going to get whatever their host has for an error page which may or may not be relevant to their site. Any contact info on it will not be correct.

This feature intercepts error responses from applications (like XenForo) with their own. That's a fine feature in some setups but it's not compatible with XenForo.
It needs to be. Just like vBulletin is, and mediawiki is, and Wordpress is, and ...
 
No, it doesn't work as intended as I cannot use custom error pages when there is a real error such as a php or mysql service problem. If mysql crashes I should be able to have a custom error page with specific info on it, not be forced to use a generic one.
You can configure web servers to do this for certain error codes (ie. 500) and not others (ie. 403), which I believe would behave as you desire. You can also customize the error pages XenForo returns using the template system, if you wanted.

Just like vBulletin is, and mediawiki is, and Wordpress is, and ...
vBulletin, MediaWiki, and WordPress all return 403 error codes where appropriate. For example, when trying to view a thread in vBulletin that you don't have permission to read. They also all return 404 for pages which don't exist. The alternative would be to return a 200 or other success response, which is a violation of the HTTP specification (and causes problems, such as for crawlers of Google and other search engines).
 
vBulletin, MediaWiki, and WordPress all return 403 error codes where appropriate. For example, when trying to view a thread in vBulletin that you don't have permission to read.
On this same server is vBulletin and it works just fine in this regard and tells you that you cannot view a forum/thread. It displays that message correctly. vBulletin has lots of other problems which is why we are switching, but this is not one of them.

XenForo does not display the correct message and gives the generic Ooops message instead of the correct message that you have not downloaded the file.

I do not think you can set recursive_error_pages on or off per page, but I will look. You can give a custom file location per page, but it's either on or off globally.
 
To follow up, looking at the configuration you provided, you may try simply removing these lines (leaving the ones for 500 and 502):

NGINX:
        error_page 400 /error/400.html;     
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;     
        error_page 404 /error/404.html;     
        error_page 405 /error/405.html;
        error_page 503 /error/503.html;
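
A small audit script for the change suggested in the last reply, added here as an example and not code from XenForo, ISPConfig or anyone in the thread: it lists which `error_page` mappings in a vhost would replace the application's own error responses and which are left to nginx. The sample vhost, the `forum.example` name, `KEEP_CODES` and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the error_page block of the vhost posted above.
SAMPLE_VHOST = """\
server {
    server_name forum.example;
    error_page 400 /error/400.html;
    error_page 401 /error/401.html;
    error_page 403 /error/403.html;
    error_page 404 /error/404.html;
    error_page 405 /error/405.html;
    error_page 500 /error/500.html;
    error_page 502 /error/502.html;
    error_page 503 /error/503.html;
    # error_page 418 /error/418.html;   (commented out, must be ignored)
    recursive_error_pages on;
}
"""

# Codes the last reply suggests leaving with the web server (assumption: adjust per site).
KEEP_CODES = frozenset({500, 502})

# error_page code ... [=[response]] uri;
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*error_page\s+([^;]+);", re.M)


def parse_error_pages(conf):
    """Return {status_code: uri} for every active error_page directive in conf."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive comment stripping, enough for vhost files
    pages = {}
    for match in DIRECTIVE.finditer(conf):
        *args, uri = match.group(1).split()
        for arg in args:
            if arg.isdigit():  # skips the optional "=code" argument
                pages[int(arg)] = uri
    return pages


def audit(conf, keep=KEEP_CODES):
    """Split mapped codes into (left_to_nginx, replaces_app_response), both sorted."""
    pages = parse_error_pages(conf)
    kept = sorted(code for code in pages if code in keep)
    replaced = sorted(code for code in pages if code not in keep)
    return kept, replaced


if __name__ == "__main__":
    kept, replaced = audit(SAMPLE_VHOST)
    print("left to nginx:", kept)
    for code in replaced:
        print(f"remove error_page {code}: the application's own {code} response would be replaced")
```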
 