craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

403 forbidden error after update from 3.7.19.1 to 3.7.27.1 and 404 error #10343

Closed JordanMed closed 2 years ago

JordanMed commented 2 years ago

Description

When trying to use the view button on an entry that isn't enabled I receive a 403 Forbidden error. When trying to use the preview button on an entry that isn't enabled I receive a 404 error. This is happening for all users, even admins. Drafts are also giving 403 errors to non-admin accounts.

Steps to reproduce

  1. Create an entry
  2. Add content and don't enable the page
  3. Click view button
  4. Receive 403 Forbidden You don't have permission to access this resource.

Steps to reproduce

  1. Create an entry
  2. Add content and don't enable the page
  3. Click preview button
  4. Receive 404 error

Steps to reproduce

  1. open existing entry
  2. create a draft
  3. click preview or view button
  4. Receive the above errors.

Additional info

brandonkelly commented 2 years ago

I wasn’t able to reproduce the 403 issue, but did find a similar bug that could be the root cause of your 403s. Just fixed that for the next release.

Can you try updating to see if it actually resolves your issue? To do that, change your craftcms/cms requirement in composer.json to "dev-develop as 3.7.28" and run composer update.

JordanMed commented 2 years ago

I'm still receiving the error in all instances after updating to 3.7.28.

This is what my URL looks like, rather than the normal shorter version:

http://localhost/index.php?p=admin/actions/preview/create-token&elementType=craft\elements\Entry&sourceId=511305&siteId=1&previewToken=n9fzqqlvSRMeR7s0CWm8SlaVgAoBCT9w&redirect=http%3A%2F%2Flocalhost%2Fen%2Fnew-provider-claims-portal%3Fx-craft-preview%3DLV8OUneJ9L%26token%3Dn9fzqqlvSRMeR7s0CWm8SlaVgAoBCT9w

brandonkelly commented 2 years ago

That’s expected. It should take you to the preview/create-token action, which is supposed to create the preview token, and redirect you to the actual preview URL. (The Edit Entry page should also update its preview URL(s) after one of them is clicked, so you are only sent to preview/create-token on the first click.)

Try clearing out your storage/logs/ folder, recreate the 403 error, and then search storage/logs/web.log for [error]. Then please post the full error log, including its stack trace.

JordanMed commented 2 years ago

I reverted my craft version to 3.7.19.1 and went up one version until I found the problem/problems I'm running into.

3.7.21 -> first error starts. Disabled pages can’t preview or view; receive 404 error.

Steps to reproduce: Create new page, add content, preview or view, receive 404. Only works once the page is enabled.

3.7.22 -> fixed previous error

3.7.25 -> 403 error starts on viewing pages and 404 on live previews

Steps to reproduce: Create a new page, add content, live preview and see 404, click view to get a 403.

Steps to reproduce: Create a draft of a live page, live preview (works but with some Neo sections broken), click view to get a 403.

brandonkelly commented 2 years ago

Yeah I’m not able to reproduce either of those. If you send me your stack trace (see previous comment) that might offer some clues.

brandonkelly commented 2 years ago

Nevermind! We figured it out from the files you sent into support. All fixed for the next release (59c8d3f7a7b5dd4e084a63817f565629fb607cf7). It was a multi-site bug that only occurred when there were multiple sites but only one enabled site.

JordanMed commented 2 years ago

Ok, I am running a multi-site project where I have French and English for every page. Can I try this with "dev-develop as 3.7.28" or will it be another version?

brandonkelly commented 2 years ago

@JordanMed Yeah, dev-develop as 3.7.28 + composer update. (3.7.28 is the currently-released version. The alias is only there to help Composer know that dev-develop is compatible with any Craft plugins listed in composer.json.)

JordanMed commented 2 years ago

@brandonkelly I've tried this fix using dev-develop as 3.7.28 + composer update and I'm still receiving the same 403 and 404 errors. There are no [error]s in my log files. I've sent support a copy of my log files as well as other requested files. Here is a little more info about my Craft setup. I have a multi-site website (English and French) with both versions enabled. This error shows up when my entries are disabled. So if my English and/or French site has an entry disabled and I try to preview the entry I get a 403 or 404. I must enable the entries to be able to preview in any way. I'm also getting this error on unpublished drafts, so if I create a draft on an existing enabled page I can't preview the draft. I have to apply the draft, make sure the page is enabled, and then I can preview.

JordanMed commented 2 years ago

So I spent some time reverting changes from 3.7.25 and found that changing only these lines back to what was originally there seems to fix all of my problems: src/templates/_layouts/element.html

Change this line back:

    {% set previewTargets = saveDraftAction ? element.getPreviewTargets() : [] %} -> {% set previewTargets = element.getPreviewTargets() %}

Add back the following section:

    {% if isDraft %}
        {% do craft.app.session.authorize('previewDraft:' ~ element.draftId) %}
    {% elseif isRevision %}
        {% do craft.app.session.authorize('previewRevision:' ~ element.revisionId) %}
    {% else %}
        {% do craft.app.session.authorize('previewElement:' ~ element.id) %}
    {% endif %}

brandonkelly commented 2 years ago

Add back the following section.

That section is still there; just on condition that previewTargets has a value:

https://github.com/craftcms/cms/blob/31adfdb31f6f01b1797d380f2cda715ea9bda5ab/src/templates/_layouts/element.html#L77-L85

previewTargets must be getting defined for you, otherwise you would not have “Preview” and “View” buttons to begin with. So I’m not really sure how that change could help.

I wonder if maybe the issue was that the layout template wasn’t compiled correctly for some reason, and simply making any change to it was what fixed it. Can you try reverting that file to what’s on dev-develop again, and see if it still works?

JordanMed commented 2 years ago

@brandonkelly I've reverted back to what's on dev-develop and the errors come back. But I have now found that the problem is coming from when I first open/refresh an entry: if I click view before preview I'll get the errors. Almost as if I need to click the preview button to create "previewTargets" to get into that block of code.

Doesn't work

  1. open or refresh page of an entry.
  2. click view button and receive 403
  3. click preview button and receive 404.

Works

  1. open or refresh page of an entry.
  2. click preview button and see the live preview
  3. click view button and get a tokened version of the entry.

brandonkelly commented 2 years ago

Doesn't work

  1. open or refresh page of an entry.
  2. click view button and receive 403
  3. click preview button and receive 404.

And just to confirm, you are seeing this regardless of whether you make those _layouts/element.html template changes right? (Just to rule that out as a false flag.)

When you get the 403, does the URL still show the admin/actions/preview/create-token URI?

JordanMed commented 2 years ago

@brandonkelly Yeah, I'm getting that error with or without the changes to _layouts/element.html.

This is my URL when I get the 403

http://localhost/index.php?p=admin/actions/preview/create-token&elementType=craft\elements\Entry&sourceId=511305&siteId=1&draftId=4663&provisional=1&previewToken=eJS1Bc9hJZ0YGlB8yWXdp0qvJWPErqnP&redirect=http%3A%2F%2Flocalhost%2Fen%2Fnew-provider-claims-portal%3Fx-craft-preview%3DR6C6HiDCvM%26token%3DeJS1Bc9hJZ0YGlB8yWXdp0qvJWPErqnP

brandonkelly commented 2 years ago

In lieu of a stack trace from the logs (which itself is strange – those 403s should definitely be getting logged with a [error][yii\web\HttpException:403] log prefix), can you go to /admin/myaccount#prefs and enable the preference:

Show full exception views when Dev Mode is disabled

Then reproduce the 403 error and post a screenshot of the stack trace (cramming as much of it as you can into it)?

JordanMed commented 2 years ago

[Screenshot attached] I've enabled that and I'm still not getting a stack trace.

brandonkelly commented 2 years ago

Aha… the request isn’t even making it to Craft! Which explains why it’s not getting logged.

Most likely this is happening because some sort of security-conscious module on the web server is concerned about the request, such as Suhosin or mod_security. Check with your host to see if either of those are installed.

JordanMed commented 2 years ago

I am using Apache with MAMP on my local and Apache on my staging site, which is built on AWS.

I found switching to nginx fixed the problem on my local.

Would anyone on the team be able to try to reproduce the error with MAMP and Apache using just out-of-the-box settings? That way my team can know if there is something specific that needs to be set. Currently there are no specific requirements in the Craft docs for Apache.

angrybrad commented 2 years ago

@JordanMed can you share the contents of your .htaccess file?

JordanMed commented 2 years ago

@angrybrad No problem. I don't have a lot of experience with htaccess files; I'm just using one that was given to me long ago.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Answer probes for a WordPress admin script with 410 Gone
    RewriteRule ^wp-admin.php$ - [NC,R=410,L]

    # Return 403 when the raw (still percent-encoded) query string matches
    # any of these signatures; note that `\\` matches a literal backslash
    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]

    # Return 403 to these user agents
    RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
    RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
    RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
    RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule ^.* - [F,L]

    # Force the www, but not on localhost
    RewriteCond %{HTTP_HOST} !=localhost
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

    # Send would-be 404 requests to Craft
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/(favicon\.ico|apple-touch-icon.*\.png)$ [NC]

    # Exclude asset folders
    RewriteCond $1 !^(assets|uploads|MGH|mobile)/ [NC]

    RewriteRule (.+) index.php?p=$1 [QSA,L]
</IfModule>

angrybrad commented 2 years ago

@JordanMed As a test, try changing that to Craft's stock .htaccess (https://github.com/craftcms/craft/blob/main/web/.htaccess) and see if the behavior changes for you.

JordanMed commented 2 years ago

@angrybrad Looks like the problem is coming from this block of my htaccess. Thanks for all the help everyone.


    RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
    RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
    RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
    RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F]

angrybrad commented 2 years ago

@JordanMed Guessing it'll be this one:

RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]

But can you try removing them one at a time to narrow it down?
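Rather than removing the conditions one at a time, the same RewriteCond patterns can be replayed offline against the create-token URL posted earlier in this thread. This is an added example, not code from the thread or from Craft; it assumes Apache's semantics for these directives (an unanchored, case-insensitive `[NC]` search over the raw, still percent-encoded query string) and reports every condition that fires. On that URL the `elementType=craft\elements\Entry` parameter contains literal backslashes, which the `\\` alternative matches.

```python
import re
from urllib.parse import urlsplit

# Query-string RewriteCond patterns copied from the .htaccess posted above.
# Apache evaluates them with [NC] (case-insensitive) as an unanchored search,
# which re.IGNORECASE + re.search reproduce here.
QUERY_STRING_RULES = [
    r"(eval\()",
    r"(127\.0\.0\.1)",
    r"([a-z0-9]{2000,})",
    r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()",
    r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)",
    r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)",
    r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]


def matching_rules(query_string):
    """Return (pattern, matched_text) for every condition that would fire.

    Apache tests %{QUERY_STRING} before any URL-decoding, so callers must
    pass the query string exactly as it appears after '?' in the URL.
    """
    hits = []
    for pattern in QUERY_STRING_RULES:
        m = re.search(pattern, query_string, re.IGNORECASE)
        if m:
            hits.append((pattern, m.group(0)))
    return hits


def forbidden_rules(url):
    """Conditions the `RewriteRule .* - [F]` block would trip for this URL."""
    return matching_rules(urlsplit(url).query)


# The create-token URL from this thread (Python escaping doubles the backslashes).
PREVIEW_URL = ("http://localhost/index.php?p=admin/actions/preview/create-token"
               "&elementType=craft\\elements\\Entry&sourceId=511305&siteId=1"
               "&previewToken=n9fzqqlvSRMeR7s0CWm8SlaVgAoBCT9w"
               "&redirect=http%3A%2F%2Flocalhost%2Fen%2Fnew-provider-claims-portal"
               "%3Fx-craft-preview%3DLV8OUneJ9L%26token%3Dn9fzqqlvSRMeR7s0CWm8SlaVgAoBCT9w")

if __name__ == "__main__":
    for pattern, text in forbidden_rules(PREVIEW_URL):
        print(f"fires: {pattern!r} on {text!r}")
```

Feeding it the same URL with the backslashes percent-encoded as `%5C` returns no hits, which shows why the filter's behaviour depends on how the browser serialises that parameter rather than on anything Craft does after the request reaches it.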