joomla / joomla-cms

Home of the Joomla! Content Management System
https://www.joomla.org
GNU General Public License v2.0
4.79k stars 3.66k forks

J4 - in Media Manager "Error deleting the item" #35848

Closed aminweb2 closed 2 years ago

aminweb2 commented 3 years ago

Steps to reproduce the issue

In Media Manager I can upload and edit images, but I cannot rename or delete any items. It shows this error: "Error deleting the item."

Actual result

Click on Delete:

DELETE | https://www.site.com/administrator/index.php?option=com_media&format=json&mediatypes=0,1,2,3&task=api.files&path=local-images:/logo/admin.jpg
Status: 403 Forbidden
Response: Forbidden You don't have permission to access this resource.

System information (as much as possible)

Joomla4 - PHP 8.0.11

richard67 commented 3 years ago

@aminweb2 Does that also happen when working as super user? Those should have the permission to delete items, but other user groups like e.g. Manager or Administrator don't have that permission by default. You can change permissions by going to the media manager, then using the "Options" button and there going to the "Permissions" tab. Check the "Delete" permission. If it is not allowed, you can change it there for that particular user group.

Please report back whether you used a super user or another kind of user and, if the latter, whether changing the permissions as described works for you. Thanks in advance.

aminweb2 commented 3 years ago

> @aminweb2 Does that also happen when working as super user? Those should have the permission to delete items, but other user groups like e.g. Manager or Administrator don't have that permission by default. You can change permissions by going to the media manager, then using the "Options" button and there going to the "Permissions" tab. Check the "Delete" permission. If it is not allowed, you can change it there for that particular user group.
>
> Please report back whether you used a super user or another kind of user and, if the latter, whether changing the permissions as described works for you. Thanks in advance.

Yes, it also happens when working as super user. It works when I move the website to a localhost. But on real hosts, this problem is observed.

brianteeman commented 3 years ago

The 403 is a server message, not a Joomla message.

aminweb2 commented 3 years ago

> The 403 is a server message, not a Joomla message.

Yes, how do I solve it? I used PHP 8.0.11.

drmenzelit commented 3 years ago

Do you have the correct permissions / owner in your images folder?

Neunender commented 3 years ago

I have a similar problem: I can't upload any file with the Media Manager from J4 in the Backend. In the Frontend with the same user it works. When I use the JCE File Manager it also works in the Backend and I can upload files, but not with the J4 Media Manager.

I backed up another working J4 site with Akeeba from another provider (1blu). Then I restored it on the "problem" server of the provider "ionos.de". The result is that the upload in the Backend breaks. It doesn't work at ionos.de. I tried PHP 8 and PHP 7.4 with MySQL 5.7 and different browsers. I get a 403 in the browser's error inspection/report. "https://j4.kasino-wahn.de/administrator/index.php?option=com_media&format=json&mediatypes=0&task=api.files&path=local-images:/ 403"

Any idea? Thx


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/35848.

Neunender commented 3 years ago

One more addition: the user I use is SuperUser



Neunender commented 3 years ago

UPDATE: I found a solution on https://forum.joomla.org/viewtopic.php?t=987786 The file upload in Media Manager works with ionos when I create an empty php.ini file in the administrator directory.

"By accident I figured out something strange. I just created an empty php.ini file in joomla-root/administrator and this resulted in different values for post_max_size and memory_limit. -> I tried to upload a file and it worked.

I deleted the php.ini and it doesn't work."



richard67 commented 3 years ago

That's a known issue with IONOS as far as I know. There have been many posts in the German Austrian Swiss Facebook group and elsewhere.

jjnxpct commented 2 years ago

I also have this issue. We are starting to use Joomla 4 (v 4.0.5 - PHP 8) and I also cannot delete files from the media manager. I CAN upload images, but not delete or rename. I get an error message. Also, changes / edits made to the image are not saved. Logged in as Super User. We use CloudLinux on our server. We have not had issues with J3 sites on the same server.

We also installed JCE and we CAN delete an image from the JCE filemanager. So this leads me to believe this is not a server configuration issue or a folder/file rights issue. But I might be wrong.

I do have the 'upload_tmp_dir' not set warning. Maybe this is related to not being able to delete files in the media manager? This error is a weird one I believe. Still trying to figure that out. Others are too: https://joomla.stackexchange.com/questions/20835/how-can-i-fix-the-php-temporary-folder-is-not-set-warning-error

Thoughts and suggestions are welcome. I'm really looking forward to starting to work with J4!

EDIT: I looked at the server logs and noticed this when I tried to delete an image:

[Thu Dec 16 12:05:24.163800 2021] [allowmethods:error] [pid 2997588:tid 140135094859520] [client 77.166.119.59:53708] AH01623: client method denied by server configuration: 'DELETE' to /home/**********/domains/**********l/private_html/administrator/index.php, referer: https://**********/

So this might be something our hosting provider can have a look at...
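
An added example, not part of the original thread or Joomla's code: a small Python triage script that scans an Apache error log for the mod_allowmethods denial (AH01623) quoted in the comment above and reports which HTTP methods the server refused for which script. The log lines are constructed samples in the same format, with placeholder paths and documentation IP addresses.

```python
import re
from collections import Counter

# Matches mod_allowmethods denials in the error-log format quoted in the thread.
AH01623 = re.compile(
    r"\[(?P<time>[^\]]+)\] \[allowmethods:error\] \[pid [^\]]+\] "
    r"\[client (?P<client>[^\]]+)\] AH01623: client method denied by "
    r"server configuration: '(?P<method>[A-Z]+)' to (?P<target>[^,\s]+)"
)

# Constructed sample lines (not real traffic): two DELETE denials, one PUT
# denial, and one unrelated error that the parser must skip.
SAMPLE_LOG = """\
[Thu Dec 16 12:05:24.163800 2021] [allowmethods:error] [pid 2997588:tid 140135094859520] [client 192.0.2.10:53708] AH01623: client method denied by server configuration: 'DELETE' to /home/example/domains/example.org/private_html/administrator/index.php, referer: https://example.org/
[Thu Dec 16 12:06:02.000100 2021] [allowmethods:error] [pid 2997588:tid 140135094859521] [client 192.0.2.10:53712] AH01623: client method denied by server configuration: 'PUT' to /home/example/domains/example.org/private_html/administrator/index.php, referer: https://example.org/
[Thu Dec 16 12:07:45.500000 2021] [core:error] [pid 2997590:tid 140135094859522] [client 198.51.100.7:40112] AH00124: Request exceeded the limit of 10 internal redirects
[Thu Dec 16 12:09:10.250000 2021] [allowmethods:error] [pid 2997591:tid 140135094859523] [client 198.51.100.7:40120] AH01623: client method denied by server configuration: 'DELETE' to /home/example/domains/example.org/private_html/administrator/index.php
"""


def parse_denials(log_text):
    """Return one dict per AH01623 line; all other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        match = AH01623.search(line)
        if match:
            record = match.groupdict()
            # "[client ip:port]" -> keep only the address part.
            record["client_ip"] = record.pop("client").rsplit(":", 1)[0]
            denials.append(record)
    return denials


def summarize(denials):
    """Count denials per (method, target script)."""
    return Counter((d["method"], d["target"]) for d in denials)


def blocked_methods(denials, script_suffix):
    """Methods the server refused for scripts whose path ends in script_suffix."""
    return sorted({d["method"] for d in denials
                   if d["target"].endswith(script_suffix)})


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for (method, target), count in summarize(found).items():
        print(f"{count}x {method} denied for {target}")
    print("Blocked for the admin entry point:",
          blocked_methods(found, "/administrator/index.php"))
```

If the summary lists DELETE or PUT against administrator/index.php, the 403 comes from the web server's method filter and not from Joomla's permission settings.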

jjnxpct commented 2 years ago

I have contacted our server host about this. They tell us the DELETE method is not allowed in the server configuration (Apache). This has never been an issue (Joomla 3) and also the JCE editor seems to be able to delete files. So I am wondering why the Joomla Media Manager uses this DELETE Apache method? (Not sure exactly what this means...)

I also don't know if this is related to this issue here. But it does cause an error on our Joomla 4 site.

Some Info about this server config method:

https://docs.directadmin.com/webservices/apache/customizing.html#enabling-put-and-delete-methods-in-apache-nginx

I could just ask them to allow the method 'DELETE' but this seems to be a security issue. And I don't want to allow something on the server when I do not understand why this needs to be allowed.

So I hope someone can explain this and maybe (also) find a way to let Joomla delete files without this method enabled?

tramber91 commented 2 years ago

Same issue on my side, Joomla 4.0.6. If I follow @jjnxpct, it seems I have to install JCE to do the job today!!



drmenzelit commented 2 years ago

I have a customer on an IONOS server (MySQL 5.7.36 and PHP 7.4.25) using TinyMCE and the Media Manager. I can upload, edit and delete files without problems; I can't confirm this issue.

tramber91 commented 2 years ago

On my side, the website is hosted at o2switch (PHP 7.4.26, MySQL 10.3.32-MariaDB). At this moment I use only TinyMCE, which I want to keep. I only get an error message when I want to delete a picture. No other message even if I enable "error message" in config.

I have other Joomla websites on the same server. No problem deleting pictures via the media manager in Joomla 3.10; the issue seems to be only in Joomla 4 @+

jjnxpct commented 2 years ago

I do think this is an issue with the server setting regarding the 'DELETE method' as mentioned before. I think the new Media Manager is using a different way of managing (create, edit, remove) images. And this is also different from how JCE does it and how the J3 Media editor did those things.

I am not a technical expert but it seems like the server (Apache) needs 'permissions' to delete files (also folders). There are also other ways to delete a file (JCE can on the same server). But the media manager uses this server DELETE function. I think....

Our hosting provider has disabled this DELETE option on our server for security reasons. This has never been an issue with other applications / sites on our websites. J3 also has no issues with this server configuration.

So in our case the question is: Can the Media Manager be changed to use a different way of managing the files (like JCE does) or should we ask our provider to allow this DELETE function on the server to solve this issue?

Maybe a first step would be to have someone who knows / wrote the Media Manager code let us know if this makes any sense at all? And why this DELETE function is implemented this way?

NicolasJOS commented 2 years ago

Hi, same Problem.

Joomla 4.1.0 JCE editor installed, Hosting OVH

JCE is able to erase what ever has to be erased ... Joomla Media manager can't ...



NicolasJOS commented 2 years ago

News about this issue ...

On a French forum I found a post saying "Disable firewall" on the hoster's server. The problem is still here. Unable to delete files or folders using the Joomla media manager. JCE is still OK to delete (connected as super user, permissions checked).

Regards



jjnxpct commented 2 years ago

@NicolasJOS Have you asked your hosting provider if the Apache DELETE method is (or is not) allowed in the server configuration? If this is not allowed that would confirm this is the issue here.

jjnxpct commented 2 years ago

I think usually deleting files from within a web application is done by the unlink() PHP function. I suspect the media manager is using an HTTP method to delete the file (like a POST and GET, but in this case a DELETE). On our server the HTTP methods OPTIONS, PUT and DELETE are turned off for security reasons. I am not sure where to look in the Media Manager code to check what delete method is used. If this is not the HTTP DELETE method then we can try to figure out what else could cause this issue on our sites/server.

NicolasJOS commented 2 years ago

Ok just asked my provider.

They gave me a link to a nearly 350-page reference about the server configuration. I don't really know where to search in it ...



NicolasJOS commented 2 years ago

Here it is

Your text to link here...



jjnxpct commented 2 years ago

Today I had our hosting provider change the Apache allowed methods to include DELETE on one of our sites. After this I was able to delete an image. On other sites this method is not allowed and I cannot delete an image.

The access log shows this line: 77.166.119.59 - - [30/Mar/2022:17:06:49 +0200] "DELETE /administrator/index.php?option=com_media&format=json&mediatypes=0,1,2,3&task=api.files&path=local-images:/jip_jonker_2021_1

So this confirms (in my case) that the issue is caused by the Media Manager using the DELETE method to delete images. Correct?

Some background info about allowing / disallowing the DELETE method on DirectAdmin: https://docs.directadmin.com/webservices/apache/customizing.html#enabling-put-and-delete-methods-in-apache-nginx

So my question is why this method is being used instead of, for example, the PHP unlink function? My host lets me know that not allowing the DELETE method is standard practice for them on servers and most of the time this is not an issue, because allowing DELETE (according to them) is a security risk for the server.

I hope there is someone out there who knows the Media Manager code and can confirm the use of this DELETE function and maybe explain why this is used.

We also use the JCE editor and their media manager has no issues deleting images / files when the DELETE method is not allowed. So they have chosen a different approach to deleting files.

Any thoughts on this? Or should I just have my hosting provider allow the DELETE method and be done with it?

NicolasJOS commented 2 years ago

Hi everyone,

I totally agree with @jjnxpct !

Most providers won't accept changing their security policy. And this issue can be very disabling for newcomers.

Regards



brianteeman commented 2 years ago

Time to move to a web host that understands security

NicolasJOS commented 2 years ago

I hope you understand that moving to another host is not so simple. Not all clients are ready to accept it.



jjnxpct commented 2 years ago

> Time to move to a web host that understands security

Can you elaborate on this? Do you think that enabling the DELETE method is not a security risk? I think my hosting provider knows pretty well how server security works. So your statement is a bit harsh. Besides that, they are willing to change this for me. If I decide to have them enable the DELETE method they will do it. So it's basically my choice. So this makes it my responsibility and you're right. But I am not an expert on server security. So I need to rely on my hosting provider and maybe other sources, like people on GitHub.

I do think we can confirm this method of deleting files is used. Correct? Is there anyone able and willing to explain why this method is used and why this is not a security issue and I can safely have my hosting provider add the DELETE method?

I do think when developers make a choice for this method they probably have researched the security implications. If not, maybe this would be the time to do this?

But if no one can (or is willing) to explain this here, I'll just move on. No hard feelings...

jjnxpct commented 2 years ago

I did some more research and also asked my hosting provider to provide me with some more info on this. I learned (and correct me if I am wrong) the DELETE method is being used more and more when working with RESTful APIs. In the past the DELETE method has been used by application exploits to do some damage to webservers / websites. This has been a reason to block this method. In most cases this is not a big issue because a lot of online applications do not use this DELETE method, but other means of deleting files.

The developers of the new media manager (or someone else) have apparently decided to use the http DELETE method in the code. This causes the issue of not being able to delete files on servers that do not allow this http DELETE method.

According to my hosting provider the DELETE method is only 'dangerous' when it is used by vulnerable (old / bad) software. So when our server does not host old or vulnerable software it would not be a huge risk to enable the DELETE method, thus accommodating the way the new media manager uses this to delete files.

In our case we only use our server to host our clients' websites (we have full control over the websites, not the clients), and 95% are Joomla websites and all up-to-date, so I would think we are not at risk of abuse of the DELETE method. So I think it would be safe to enable this on our server.

One interesting thing our hosting provider also mentioned is that in order to delete a file it is also possible to, instead of using the HTTP DELETE method, use a POST method to tell PHP to delete a file. So I do think it would be possible to avoid using the DELETE method in Joomla. But I am not a developer and maybe this is more complicated than this ;-)

If there is someone out there who knows the Media Manager code and can explain why the DELETE method is used, that would be nice.

laoneo commented 2 years ago

The DELETE HTTP method is widely used for REST based API services. So does the official Joomla API, which was introduced in Joomla 4. Every delete request uses the DELETE method as you can see here. Google, Microsoft and Amazon (to name only a few) have been using these methods for ages in their APIs; heck, even CalDAV, which is almost 20 years old, does understand the DELETE method. So this is absolutely fine to go that way also in media manager. Honestly I do not understand why a hoster is not allowing this in 2022. I'm closing this as expected behavior.

jjnxpct commented 2 years ago

@laoneo Thanks for sharing this. In my case our hosting provider is not unwilling to change this. I just wanted to figure out why this method was blocked (there must have been reasons for this) and why this has become an issue with Joomla 4. Now I understand this is because of API service and that this is widely used. I will have our provider change this on our server so we can move on. Thanks!

johnmlhll commented 2 years ago

Noted VPN is causing denies, so I disabled mine and the delete worked.

