Element Editor Slide Out - Will Not Save Updates [4.9.6]:

[jasonmckinney66]

What happened?

Description

When attempting to save edits of any kind using the Element Editor Slide Out in axios.js, the following error is produced in the console:

https://starter.local/admin/?v=1719525545458 403 (Forbidden).

The error occurs in axios.js?v=1717534793:2 which I'm including here b/c it seems like these numbers are supposed to match?

Steps to reproduce

1. Saving any edit created using the element editor slide out

Expected behavior

The item should be saved.

Actual behavior

A toast error appears in the admin "A server error occurred." as well as the error in the console.

This occurs local and on Cloudways (Digital Ocean) servers. Have already attempted disabling all plugins.

Craft CMS version

4.9.6

PHP version

8.0.8

Operating system and version

MySQL 5.7.34

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

- Asset Rev 7.0.0 CKEditor 3.8.3 Default Dashboard 2.0.1 Do It Yourself widget 3.0.0 Do It Yourself widget for Craft CMS Position Fieldtype 4.0.0 Control Panel CSS 2.6.0 MatrixMate 2.2.0 Redactor 3.0.4 Redactor Custom Styles 4.0.3

[jasonmckinney66]

An update. When deployed to a server, the error is slightly different. The request url is insecure:

Mixed Content: The page at 'https://demo.bluecoastweb.com/admin/entries/pages/29-parent-page' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://demo.bluecoastweb.com/admin/?v=1719527468879'. This request has been blocked; the content must be served over HTTPS.

[brandonkelly]

That error suggests that your web server/infrastructure isn’t configured properly to tell Craft/PHP when it’s an HTTPS request.

There are a couple ways Yii detects HTTPS requests – see yii\web\Request::getIsSecureConnection().

[jasonmckinney66]

Thank for the response. We run several Craft Sites on the same server, deployed similarly without this issue. If there's a PHP module that is required that you think we might be missing in this case, please provide and I will investigate.

Additionally, the issue occurs on my local version. My local environment is similarly running other sites without this issue.

[brandonkelly]

Are you setting the baseCpUrl config setting? If so, check to make sure it starts with https:// instead of http://.

[jasonmckinney66]

No I don't set that. Although I have some aliases that reference my env file that may be fouling something up: 'aliases' => [ '@baseRoot' => getenv('BASE_ROOT'), '@baseUrl' => getenv('PRIMARY_SITE_URL'), '@web' => App::env('PRIMARY_SITE_URL'), ],

.env: PRIMARY_SITE_URL="https://starter.local/" BASE_ROOT="/Users/jasonmckinney/Sites/starter/web/"

Any issues here you can see?

[brandonkelly]

Go to /admin/utilities/php-info and search for $_SERVER['HTTPS']. What is it set to?

[jasonmckinney66]

Thanks. It says "On".

[brandonkelly]

Can you try removing the @web alias? We don’t recommend setting that explicitly anymore (or using it within your site URL).

[jasonmckinney66]

Ah right. Removed. No change.

[brandonkelly]

Do you have the resourceBaseUrl config setting set?

[jasonmckinney66]

No. Here is my config file contents in case it helps:

`use craft\helpers\App;

$isDev = App::env('ENVIRONMENT') === 'dev'; $isStage = App::env('ENVIRONMENT') === 'staging'; $isProd = App::env('ENVIRONMENT') === 'production';

return [ // Default Week Start Day (0 = Sunday, 1 = Monday...) 'defaultWeekStartDay' => 1,

// Whether generated URLs should omit "index.php"
'omitScriptNameInUrls' => true,

// The URI segment that tells Craft to load the control panel
'cpTrigger' => App::env('CP_TRIGGER') ?: 'admin',

// The secure key Craft will use for hashing and encrypting data
'securityKey' => App::env('SECURITY_KEY'),

// Whether Dev Mode should be enabled (see https://craftcms.com/guides/what-dev-mode-does)
'devMode' => $isDev,

// Whether administrative changes should be allowed
'allowAdminChanges' => $isDev,

// Disable graph ql
'enableGql' => false,

// Whether crawlers should be allowed to index pages and following links
'disallowRobots' => !$isProd,

'aliases' => [
    '@baseRoot' => getenv('BASE_ROOT'),
    '@baseUrl' => getenv('PRIMARY_SITE_URL'),
],

];`

[jasonmckinney66]

[jasonmckinney66]

For the record. I solved the issue by omitting the following from the general config file: // Whether generated URLs should omit "index.php" 'omitScriptNameInUrls' => true,

[jasonmckinney66]

Actually, I needed that because my urls now look like this on the front end: https://starter.local/index.php?p=parent-page

[jasonmckinney66]

I worked around the issue by setting the cpTrigger to anything other than admin. I had also been having an issue with /admin throwing a forbidden error but /admin/login worked. Setting cpTrigger seems to remedy both issues so I'll go with that for now. 'omitScriptNameInUrls' => true, 'cpTrigger' => 'cp' Thanks.

[brandonkelly]

Interesting. Is your site behind Cloudflare or something, which might be caching control panel requests? If so you’ll want to exclude any URIs that start with the control panel trigger.

[jasonmckinney66]

We use varnish on production with the admin excluded in the VCL. But that doesn't explain the issue occurring on my local which is where I've been working on this. I'm going to keep poking around.