XF 1.1 Some users can't post

RobParker

Well-known member
Since moving server we're having a few users complain about not being able to post, with it stating that they don't have permission to access the page when they click submit.

Is it possible to rebuild the user permissions and does this sound like it might be the cause?

Cheers

Rob
 
That didn't seem to help.

They're seeing:

"The following error occurred"
"Forbidden"
"You don't have permission to access /index.php on this server"
"Apache server at mydomain.co.uk Port 80 "
 
It looks like something is tripping mod_security rules

We got this from our host:

Access denied with code 403 (phase 2). Pattern match "(?:(?:height|width) ?(?:=|\\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?"? ?display ?: ?none ?)" at ARGS:message_html. [file "/blah/apache2/conf/modsecurity.d/30_asl_antispam.conf"] [line "167"] [id "300076"] [rev "22"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Hidden Text Detected"] [data "width: 0px"] [severity "CRITICAL"] [hostname "domain.co.uk"] [uri "/index.php"] [unique_id "T5VpKUMWgKAABvlkxAYAAAAZ"]

Any idea what it might be? I'm guessing it might be the PostRatings addon...?
 
Ah it looks like it might be this:

.PanelScroller .navControls a.current span
{
    display: block;
    line-height: 0px;
    width: 0px;
    height: 0px;
    border-top: 5px solid @primaryLighter;
    border-right: 5px solid transparent;
    border-bottom: 1px none black;
    border-left: 5px solid transparent;
    position: absolute;
}

What exactly is the width: 0px doing?
 
and this

.messageUserBlock .arrow
{
    position: absolute;
    top: 10px;
    right: -10px;

    display: block;
    width: 0px;
    height: 0px;
    line-height: 0px;

    border: 10px solid transparent;
    border-left-color: @messageUserBlock.border-color;
    border-right: none;

    /* Hide from IE6 */
    _display: none;
}
 
403 is a server error.

I have seen overly restrictive mod_security rules that flag the content of some posts. If that is the problem then you need to ask your host to relax the rules. If you can narrow it down to a specific word or phrase that is triggering the error then that will help your host.
 
Cheers Jake

Maybe I wasn't clear but it's the rule I posted above.

Access denied with code 403 (phase 2). Pattern match "(?:(?:height|width) ?(?:=|\\:) ?[0-9] ?px|overflow ?: ?(?:auto|hidden)|style ?= ?"? ?display ?: ?none ?)" at ARGS:message_html. [file "/blah/apache2/conf/modsecurity.d/30_asl_antispam.conf"] [line "167"] [id "300076"] [rev "22"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Hidden Text Detected"] [data "width: 0px"] [severity "CRITICAL"] [hostname "domain.co.uk"] [uri "/index.php"] [unique_id "T5VpKUMWgKAABvlkxAYAAAAZ"]

"Hidden text detected" and I think it's because some of the CSS has "width: 0px" but I can't find out exactly which bit.

One of the entries was caused by the message_user_info arrow which our style was hiding but that's still not fixed it.
 
You should still contact your host.

Does it happen with all posts? Try to narrow down the word or phrase that causes the error. Or just ask your host to disable mod_security.
 
I've been in touch with our host and they've disabled the above "hidden text" mod_security rule and the problem goes away. They turn it back on and it comes back so it's definitely just the above rule.

Our hosts are reluctant to permanently disable the rule (but will if we require it). I'd rather try to find a solution and work out which bit of our code is causing it. It looks like it's the "width:0px" bit of code which we have in a few places but the fact it doesn't happen for all users makes this much more difficult to track down.
 
With some hosts you cannot disable mod security via the htaccess file. Some require it to be done at server level (their end). So you might have no option but for them to do it for you, as doing it via XenForo htaccess may make no difference at all, with it still being active.

Just something worth pointing out.
 
Sorry maybe I'm not being clear. We don't want to disable mod_security (for the obvious security reasons).

Our hosts will disable the rule causing the problem but we'd much rather find the problem in our templates/CSS.
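
Added example (not part of the thread and not the host's or XenForo's code): the log entry above gives both the pattern and the variable it matched (ARGS:message_html), so candidate post bodies can be tested offline against the same expression to see which fragment trips rule 300076. The sample bodies and the function names are constructed for illustration, and any transformations the rule applies before matching are not shown in the log and are not modelled.

```python
import re

# Pattern copied from the ModSecurity log entry in the thread (rule id 300076).
# The log prints the backslash doubled ("\\:"); the regex itself is "\:".
HIDDEN_TEXT_RULE = re.compile(
    r'(?:(?:height|width) ?(?:=|\:) ?[0-9] ?px'
    r'|overflow ?: ?(?:auto|hidden)'
    r'|style ?= ?"? ?display ?: ?none ?)'
)

def find_triggers(message_html, context=20):
    """Return (matched_text, surrounding_snippet) for every rule hit."""
    hits = []
    for m in HIDDEN_TEXT_RULE.finditer(message_html):
        start = max(0, m.start() - context)
        end = min(len(message_html), m.end() + context)
        hits.append((m.group(0), message_html[start:end]))
    return hits

def audit(samples):
    """Map sample name -> matched fragments (empty list = rule would not fire)."""
    return {name: [hit for hit, _ in find_triggers(body)]
            for name, body in samples.items()}

# Constructed sample values for the message_html POST parameter.
SAMPLES = {
    "plain": "<p>Hello, just a normal reply.</p>",
    "zero_width_span": '<span style="width: 0px; height: 0px">x</span>',
    # "line-height" contains "height", so it matches the first alternative too.
    "line_height": '<p style="line-height: 0px">text</p>',
    # [0-9] is a single digit, so a two-digit pixel value does not match.
    "two_digit_px": '<img style="width: 10px" src="a.png">',
    "overflow": '<div style="overflow:hidden">quote</div>',
    "display_none": '<span style="display:none">x</span>',
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name:16} {'BLOCKED' if hits else 'ok':8} {hits}")
```

Running the same check over a captured message_html value from an affected user's request shows which inline style in that post is being flagged.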
 