Warning: You do not have permission to access the API! YES AGAIN NOT A DUPLICATE

[hounw]

What version of OpenCart are you reporting this for?

3.0.3.7

Describe the bug
Unable to edit orders due to api permissions

To Reproduce

Installed on xampp local server, tried on macos and windows.

First, changed the timezone -> unable to login...

tried setting timezone in php.ini and my.cnf -> still no login

tried alternative setting $_['session_engine'] = 'file';

SUCCESS able to login... but now it's impossible to edit an order...

tried a solution on another issue

#6783

commeting out the three lines suggested here #6783 (comment)

Doesn't work either.

Expected behavior

Being able to login to admin and editing orders

Server / Test environment (please complete the following information):

• Local development xampp on macos with PHP Version 7.3.18/Xampp on windows php 7.4.14

Additional context

We tried the ocmod here https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=30437&filter_search=api%20error

and it works, but it completely removes a check which seems like a potential security issue (but I haven't dug in enough to know):

`

session->data['api_id'])) {]]>
<![CDATA[

		if (isset($this->session->data['me_loves_taco'])) {
		
		]]></add>
	</operation>		
</file>`

[ADDCreative]

Did you set $_['session_engine'] = 'file'; in both?

opencart/upload/system/config/default.php

Line 43 in 2a5b358

$_['session_engine'] = 'db';

opencart/upload/system/config/catalog.php

Line 20 in 2a5b358

$_['session_engine'] = 'db';

[Webkul-Opencart]

@hounw Not found this issue.

[hounw]

@ADDCreative as I tried to explain, yes, after changing the time zone in settings, and then setting it in php and mysql, I couldn't log in, the only way I could log in was by changing to 'file' on both files you suggest.

After that however I can no longer edit orders or add history to them (or anything else that requires the api I suspect...). When I searched the error the solutions involved this configs too so I think it's somehow related.

@Webkul-Opencart hello! you guys rock btw I've bought a few extensions. I assure you i'm not making this up, did you try setting a different time zone?... both me and the other dev are experiencing this in a xampp installation on macos and on windows 10 so it's definitely something (even across different versions of PHP).

Is there anything else I can do to help you diagnose this, db dump? I really don't have the time right now to dive all the way and debug this like I've done in the past (why I love oc) since I'm on a deadline and did not anticipate so many changes on oc3...

[ADDCreative]

@hounw Check none of config/catalog.php of config/default.php are in your modifications cache or refresh you modification after changing them. When I test I can edit orders as log as both session_engine values are the same. But some extension can modify these files.

[hounw]

@ADDCreative thanks, I checked and no mod has modified them (it's a pretty vanilla opencart installation, only spanish language and journal added).

Did you try changing the timezone, because that's where the issue started, in order to login after changing the timezone I HAD to change both to config files you mention to file, and then I was no longer able to edit orders...

[hounw]

@ADDCreative @Webkul-Opencart I dove in a little and found that the error is generated on the call to currency when editing an order here:

opencart/upload/admin/view/template/sale/order_form.twig

Line 952 in 2a5b358

url: '{{ catalog }}index.php?route=api/currency&api_token={{ api_token }}&store_id=' + $('select[name=\'store_id\'] option:selected').val(),

So here

opencart/upload/catalog/controller/api/currency.php

Line 8 in 2a5b358

if (!isset($this->session->data['api_id'])) {

The value for $this->session->data['api_id'] is not set (I cannot find where in the code it is set, I did a quick search of that and didn't find anywhere in the entire code where it's set and not just checked against).

So now it's making sense that if the front and back use different sess engines it would fail, however I have double-checked that the configs are both set to file and no luck.

[ADDCreative]

@hounw No I didn't change the time zone. I just tried it and got the same issue as you. See this post on two ways of correcting the time zone. https://forum.opencart.com/viewtopic.php?f=201&t=222369&start=20#p816440

[WebkulOpencart]

@hounw I am checking your this point.

@ADDCreative @Webkul-Opencart I dove in a little and found that the error is generated on the call to currency when editing an order here:

opencart/upload/admin/view/template/sale/order_form.twig

Line 952 in 2a5b358

url: '{{ catalog }}index.php?route=api/currency&api_token={{ api_token }}&store_id=' + $('select[name=\'store_id\'] option:selected').val(),

So here

opencart/upload/catalog/controller/api/currency.php

Line 8 in 2a5b358

if (!isset($this->session->data['api_id'])) {

The value for $this->session->data['api_id'] is not set (I cannot find where in the code it is set, I did a quick search of that and didn't find anywhere in the entire code where it's set and not just checked against).

So now it's making sense that if the front and back use different sess engines it would fail, however I have double-checked that the configs are both set to file and no luck.

[hounw]

@hounw No I didn't change the time zone. I just tried it and got the same issue as you. See this post on two ways of correcting the time zone. https://forum.opencart.com/viewtopic.php?f=201&t=222369&start=20#p816440

Well yes, that works! ...but that is not ideal. A common change clients request (so common it's part of our oc tunning now) is that they need to know exactly when an order is placed, not just the date, but time too, so... timezone is kind of important... Yes it can be fixed when we output the date but I think there IS a bug worth taking a look at here... maybe this is not high priority but the source of the bug could impact other important features right?

I'll try to make time to take a look at this in the next weeks but I'm not very savvy regarding sessions and login mechanisms...

[ADDCreative]

@hounw I agree and have been trying to highlight the issue in #9237 and on the forums.

The best workaround, which you may of done already, is to change the time zone in the settings to the value you need and also set date_timezone to the same value in system/config/default.php.

opencart/upload/system/config/default.php

Line 14 in 2a5b358

$_['date_timezone'] = 'UTC';

This seems to work for both login and order editing when I tested. If you don't what happens is the time zone get started with UTC. The session and API gets started with UTC. Then the time zone is set from the settings which can then make the session and API instantly expired.

The full solution would be to start the session after loading the settings. Which would require changing the start up order somewhat. Or remove the time zone setting form the settings completely and just configure it in system/config/default.php.

[hounw]

@ADDCreative ALAS! an effective workaround! I changed the timezone as indicated and now it works...

IMHO you can't serve 2 masters... you either make opencart more commecial (i.e. marketplace, no more mods, slower to develop/worse performance event driven modifications, etc) or more dev friendly... In the current direction oc is going (commercial) leaving a "feature" which completely breaks the system is not acceptable...

I think opencart should remain true to its roots, a great ecommerce framework for devs and not try to compete with wordpress and the likes... even if Daniel needs to charge for it hehe

[WebkulOpencart]

@hounw You can follow the below issue blog mention by @danielkerr
#6996

I am closing this issue.