Fix “You are not authorised to view this” when mod_expires enabled

[PhilETaylor]

THE ULTIMATE FIX !!!!!

Closes #8731 Dec 18, 2015
Closes #8757 Dec 21, 2015
Closes #9013 Jan 28, 2016
Closes #9145 Feb 17, 2016
Closes #9615 Mar 26, 2016
Closes #10753 Jun 7, 2016
and many many more...

To replicate the root issue with minimal configuration

To replicate the issue - with 100% reliability:

1. Install LAMP & Joomla
2. Enable expires module in apache
3. Add to .htaccess

ExpiresActive On
ExpiresDefault "access plus 30 days"

4. Attempt to edit a content item BY CLICKING ON THE TITLE of the content item in admin (and NOT using the checkboxes!)

5. Do this twice, note on the second attempt you get

"You are not permitted to use that link to directly access that page (#n)."

6. Note that on subsequent clicks the error goes away but it is still impossible to get to the edit page by clicking on the title of the content

7. Note that if you open Google Dev Tools Panel, Network Tab, and enable Disable Cache that the problem "disappears" and while disable cache is enabled, you can edit the item by clicking its article title.

The root cause of the problem

The root cause of the problem is that with the Expires Module enabled in apache, responses from Joomla, which are redirects, are not outputting the correct headers, which allows browsers to cache the redirects. On subsequent visits the browser "skips" evn asking Joomla for a response, and simply "skips" over the request and opens the redirect destination url. Unfortunately the "skipped" url checks out the item for the user and is a prerequisite to the edit form being able to load - as this is "skipped" there is no check out record in the session and so a not authorised message is displayed instead.

The solution this PR makes

The final solution to resolve this issue is two fold:

1. Ensure that any "edit" controller action is not cached by the use of JFactory::getApplication()->allowCache(FALSE);
2. Instead of closing the connection at the edit fo the redirect method, correctly run the ->respond() method which correctly checks if the response is cacheable and if not, sets appropriate headers

NOTE TO TESTERS

IF YOU ALREADY HAVE CACHED URLS IN YOUR BROWSER, (or hitting a known Google Chrome bug https://bugs.chromium.org/p/chromium/issues/detail?id=91740) THEN THIS NEW CODE IS NOT EVEN RUN - DO NOT REPORT THIS PR IS NOT WORKING FOR YOU, BECAUSE IT DOES WORK IF THE CODE IS "RUN". Simply clearing your browser cache IS NOT ENOUGH sometimes, REDIRECTS ARE STILL CACHED!

YOU CANNOT test this on a server you dont have full access to - like Site Ground demo, people (like @durian808) will not be entertained in this PR comments should they attempt to rail road the comments again. Personal attacks will not be tolerated either.

It you do not have FULL CONTROL over your apache server, .htaccess, and a FULL UNDERSTANDING of the above issues, please DO NOT ATTEMPT to test this PR.

Hattips, Thanks, And Patience and pinging others ...

@ggppdk @mbabker @lyquix-owner @gwsdesk @brianteeman @durian808 @karendunne @OzzieBob @MATsxm @andrepereiradasilva @lukasz-pawlowski @revers28 @level420 and many many others.

[dgrammatiko]

I have tested this item ✅ successfully on 1d28e54

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[mbabker]

You still need to call $this->close(); otherwise the application code will continue to process when it is expected that calling redirect results in PHP's exit() being triggered.

[mbabker]

1. Is it just the edit task needing this directive?
2. Are there any components in core extending this class and overriding this method?

[ggppdk]

@durian808

As most of you know, I was able to precipitate this problem easily on the SiteGround server, without any special setup

The "without any special setup" case,
is not fixed in this PR (rare / random case occurence of the error),
identified as "RACE conditions" during updating user session

so you do not need to post here , that it does not work in some rare / random cases,

The cases that should be fixed by this PR, are due to browser caching the redirect to the edit form

• either due server configuration sending default HTTP headers instructing browser to cache
• or due to missing headers regarding cache behaviour, some browsers , sometimes deciding to cache the redirect

[ggppdk]

have been unable to replicate a TRUE race condition relating to this ever. Therefore I believe it can be ruled out.

hhmm, i am just saying that this PR is good in fixing the caching case, the RACE conditions issue is irrelevant to fixing caching, it is simply a ... different case

to explain more about race conditions, i mean this:

In Joomla articles manager

• during 6-8 seconds, quickly middle click (to open in new browser TAB / Window)
  on 20 article editing links

Some of them will fail, e.g. 3-6 of them should fail (yes not 1 failure but several)
and message will appear propably only 1 or 2 times

Please note that on failure the Joomla articles manager will appear sometimes WITHOUT the error message (because multiple "same text" enqueued messages are displayed once and then of course cleaned by the first page view to be able to read them)

It is happening like this:
thread 1 e.g. gets as (existing) editable ids array (31,35)
thread 2 e.g. gets as (existing) editable ids array (31,35)

thread 2 adds 47 and saves array (31,35, 47)
thread 1 adds 58 and saves array (31,35, 58)

Now the editable ids are (31,35, 58) you see that id 47 is missing

[lyquix-owner]

I confirm that this PR fixes the issues I had observed when opening/editing Users, Articles, Categories, Modules, Plugins, and Templates. 👍

[lyquix-owner]

From my perspective the issues solved by the PR are significantly more prevalent and disruptive than the race conditions issue.

[dgrammatiko]

I have tested this item ✅ successfully on c766975

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[dgrammatiko]

I'll set this to RTC, but more tests are welcome!!!
Thanks @PhilETaylor great stuff

[lyquix-owner]

Thanks very much for looking into this issue!

[ggppdk]

I have tested this item ✅ successfully on c766975

My initial comment was to prevent irrelevant and partly frustrating, useless comments, of someone thinking that it fixes a different issue / case too,
despite the fact that this has been discussed extensively

i never implied something negative of this change, (as long as we test it of course like any PR)
in fact i had asked for these changes in the other PR, i am happy that someone took time to do it

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[ot2sen]

I have tested this item ✅ successfully on c766975

As described in testing instructions this PR solves the 'You are not permitted to use that link' that do appear on second try. After patch you can edit again with no issues seen. Thanks @PhilETaylor nice solution.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[gwsdesk]

I have tested this item ✅ successfully on c766975

I have tested this item ✅ successfully

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[laoneo]

I'm getting this error also when the cache plugin is on and a I try to directly open a link on the front end from a menu item which has access to registered. Is this related to this one?

[Bakual]

@durian808 Please open a new issue for the race condition if you feel it is important. Don't derail this PR which explicitely is not about that.

Also an obvious one: please all stop attacking eachother. It's bad enough this has to be said.

[laoneo]

Yes the menu item. I'm logged in with remind me enabled. After a few hours of not browsing the site, when I directly want to open that registered link, it gives me the error.

[dgrammatiko]

I'm logged in with remind me enabled. After a few hours of not browsing the site, when I directly want to open that registered link, it gives me the error.

@laoneo after all this time do you have any errors logged in the browser's console before hitting the link?

[laoneo]

@DGT41 no, it redirects me to the start page.

@PhilETaylor ok, just tough because it is the same error message, probably the caching needs to be disabled on another place as well.

[laoneo]

@PhilETaylor that's what I thought at beginning as well, but my session hasn't expired. I'm still logged in after the error. But I don't want to pollute this PR anymore. Will set up another issue.

[rdeutz]

I merge a lot commits, most of the time these are tested and have a RTC state :-)

[GASOLINE]

Thanks Phil,
I assume Joomla will implement this in the next update? I'v got this on all my and clients sites. Annoying.

[Bakual]

It's merged, so it will be in Joomla 3.7.0

[paulcu]

Apologies if this is a rehash but in case this provides a little more information - - -

We have a clean install of v3.6.5 which we've been working with for a couple of weeks without this issue, and today it appeared. What we are seeing is:

1. As described above this is occurring when clicking on admin links for all Articles but also for the links in Modules and Categories. We haven't seen this happen with menu items.

2. Selecting the checkbox to the left of an Article, Module, or Category and then using the EDIT button doesn't replicate the problem and we can repeatedly access.

3. When we clear ONLY 'cached images and files' in Chrome, it temporarily fixes issue but as described above the second attempt gives us the error. Same with Safari and we haven't tested other browsers.

4. PHP v 5.6.29

   ---

   _{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/13516.}

[Lumiga]

Exactly the same issue over here.

For me the best solution was to moving away from the hoster mijndomein.nl to byte.nl which is one of the best Joomla hosting company in the Netherlands.

So in my opinion it has something to do with the hosting company.

[gwsdesk]

Stop promoting your hosting company. This has nothing to do with hosting

[demis-palma]

This same patch exists here: #12504 and can be closed now.