XF 2.3 Unable to edit templates - console messages and modsecurity error

TheLaw
XF 2.3.x has added many security additions, and I wonder whether this issue is related. I'm simply trying to add a user group variable to a template. It should be accepted without issue, just one number and a comma. But I get an error when saving.

Oops! We ran into some problems. Please try again later. More error details may be in the browser console.

I look in console:

lockdown-install.js:1 Removing unpermitted intrinsics
admin.php:1 Unchecked runtime.lastError: The message port closed before a response was received.
core-compiled.js?_v=4063ff0b:40


POST https://www.mysite.com/admin.php?templates/thread_view.7927/save 403 (Forbidden)
ajax @ core-compiled.js?_v=4063ff0b:40
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6
core-compiled.js?_v=4063ff0b:44 Error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

defaultAjaxError @ core-compiled.js?_v=4063ff0b:44
p @ core-compiled.js?_v=4063ff0b:38
ajax @ core-compiled.js?_v=4063ff0b:41
await in ajax
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6

Hopefully I'm just missing something obvious but I can't think of it right now.
 
Paul - thanks - but there is no error in the server error log, which is why I'm perplexed.

This may be a better cut and paste that shows more about the error. It shouldn't be a template error, because the code edit shouldn't have been able to be placed there in the first instance for other user groups, for which it does work.

Removing unpermitted intrinsics
admin.php:1 Unchecked runtime.lastError: The message port closed before a response was received.
/admin.php?templates/thread_view.7927/save:1


Failed to load resource: the server responded with a status of 403 (Forbidden)
core-compiled.js?_v=4063ff0b:44 Error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

defaultAjaxError @ core-compiled.js?_v=4063ff0b:44
core-compiled.js?_v=4063ff0b:40


POST https://www.mysite.com/admin.php?templates/thread_view.7927/save 403 (Forbidden)
ajax @ core-compiled.js?_v=4063ff0b:40
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6
core-compiled.js?_v=4063ff0b:44 Error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

defaultAjaxError @ core-compiled.js?_v=4063ff0b:44
p @ core-compiled.js?_v=4063ff0b:38
ajax @ core-compiled.js?_v=4063ff0b:41
await in ajax
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6
admin.php:1 Blocked aria-hidden on an element because its descendant retained focus. The focus must not be hidden from assistive technology users. Avoid using aria-hidden on a focused element or its ancestor. Consider using the inert attribute instead, which will also prevent focus. For more details, see the aria-hidden section of the WAI-ARIA specification at https://w3c.github.io/aria/#aria-hidden.

Uncaught (in promise) Error: A listener indicated an asynchronous response by returning true, but the message channel closed before a response was received
core-compiled.js?_v=4063ff0b:40


POST https://www.mysite.com/admin.php?templates/thread_view.7927/save 403 (Forbidden)
ajax @ core-compiled.js?_v=4063ff0b:40
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6
core-compiled.js?_v=4063ff0b:44 Error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

defaultAjaxError @ core-compiled.js?_v=4063ff0b:44
p @ core-compiled.js?_v=4063ff0b:38
ajax @ core-compiled.js?_v=4063ff0b:41
await in ajax
(anonymous) @ form.min.js?_v=4063ff0b_mt=undefined:6
setTimeout
submit @ form.min.js?_v=4063ff0b_mt=undefined:6


Element with focus: a
Ancestor with aria-hidden: <div class="overlay" tabindex="-1" data-url="null" role="alertdialog" aria-hidden="true">…</div>
 
I'm going to call in my go-to help. Firefox offers no insight either. No security errors are generated. Very odd.

PS - MY APOLOGIES - the Mod Security error is not related. It was in a different subdomain at a different time.

Removing unpermitted intrinsics lockdown-install.js:1:52832
INS: content-ads.js loaded: https://mysite.com/admin.php?templates/thread_view.7927/edit&style_id=8 content-scripts.js:1:108429
TSS: content-tss.js loaded: https://mysite.com/admin.php?templates/thread_view.7927/edit&style_id=8 content-scripts.js:1:118223
INS: content-blocked-items.js loaded: https://mysite.com/admin.php?templates/thread_view.7927/edit&style_id=8 content-scripts.js:1:138261
CONTENT_SHELL: Page allowed. Skipping shell injection blocks content-scripts.js:1:137923
GET TAB ID RESPONSE:

Object { tabId: 10 }
content-scripts.js:1:119759
Layout was forced before the page was fully loaded. If stylesheets are not yet loaded this may cause a flash of unstyled content. preamble.min.js:4:257
TSS: excluded result:

Object { excluded: true }
content-scripts.js:1:128944
TSS: Excluding content tss (trigger: send-mesage) content-scripts.js:1:120296

TypeError: a.default.detectStore(...) is undefined
h1-check.js:1:1301
This site appears to use a scroll-linked positioning effect. This may not work well with asynchronous panning; see https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html for further details and to join the discussion on related tools and features! admin.php

Error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>
 
@Paul B - had a very strong feeling you were correct and I remembered needing to do this in the past. Thanks.

Answer: Turn off mod_security for the domain. Trying to determine which rule is being offended was too much work, not enough template edits to go down the rabbit hole.

What Happened: I switched from cPanel to CWP, which is adequate but it has bugs and items that haven't been addressed properly. I've already reported several, during and post-migration. For some reason turning off rules globally for the server was not working either. (Second anomaly in CWP today.) Had to also disable mod_security separately per domain and that worked.

As to the lack of server log errors, I can't say. Some items seemed not to register. We aren't sure why. Not taking time to troubleshoot that. Paul - thanks again for your reminder.
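
Added example, not part of the original posts: when ModSecurity does log its denials, the rule behind a 403 on the template save can be read from the log and excluded for that one parameter instead of disabling mod_security for the whole domain. The sketch assumes ModSecurity 2.x under Apache and its usual error-log line format; the log lines, rule ids and client address are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log format ModSecurity 2.x writes.
# Rule ids, messages and the client address are made up for this example.
SAMPLE_LOG = """\
[Tue Mar 04 10:15:02.123456 2025] [:error] [pid 2211] [client 203.0.113.7:50112] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:template. [file "/etc/modsec/example.conf"] [line "57"] [id "900001"] [msg "Constructed rule A"] [hostname "www.mysite.com"] [uri "/admin.php"] [unique_id "Zx1"]
[Tue Mar 04 10:15:40.654321 2025] [:error] [pid 2211] [client 203.0.113.7:50120] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:template. [file "/etc/modsec/example.conf"] [line "57"] [id "900001"] [msg "Constructed rule A"] [hostname "www.mysite.com"] [uri "/admin.php"] [unique_id "Zx2"]
[Tue Mar 04 10:16:01.000001 2025] [:error] [pid 2212] [client 203.0.113.7:50131] ModSecurity: Warning. Pattern match "..." at ARGS:title. [file "/etc/modsec/example.conf"] [line "80"] [id "900002"] [msg "Constructed rule B"] [hostname "www.mysite.com"] [uri "/admin.php"] [unique_id "Zx3"]
[Mon Mar 03 08:00:00.000002 2025] [:error] [pid 1999] [client 203.0.113.7:40001] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_URI. [file "/etc/modsec/example.conf"] [line "91"] [id "900003"] [msg "Constructed rule C"] [hostname "other.mysite.com"] [uri "/index.php"] [unique_id "Zx4"]
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "900001"], [uri "/admin.php"], ...
TARGET = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[')    # variable the rule matched on

def parse_denials(text):
    """Return one dict per 'Access denied' entry: id, msg, hostname, uri, target."""
    hits = []
    for line in text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # warnings and unrelated lines did not cause the 403
        rec = dict(FIELD.findall(line))
        m = TARGET.search(line)
        rec["target"] = m.group(1) if m else None
        hits.append(rec)
    return hits

def blocking_rules(text, hostname, uri):
    """Count (rule id, matched variable) pairs that denied requests to one host and path."""
    return Counter(
        (r.get("id"), r["target"])
        for r in parse_denials(text)
        if r.get("hostname") == hostname and r.get("uri") == uri
    )

def exclusions(counts):
    """Narrow exclusions to review; they belong in that vhost only, after the rule set loads."""
    return [f'SecRuleUpdateTargetById {rid} "!{tgt}"' if tgt else f"SecRuleRemoveById {rid}"
            for (rid, tgt), _ in counts.most_common()]

if __name__ == "__main__":
    # Filtering on hostname keeps a denial from another subdomain out of the result.
    for directive in exclusions(blocking_rules(SAMPLE_LOG, "www.mysite.com", "/admin.php")):
        print(directive)
```

The `[uri ...]` field holds the request path only, so every XenForo admin route, including `templates/thread_view.7927/save`, appears as `/admin.php`; the `[hostname ...]` filter is what separates one subdomain's denials from another's.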
 