#9841 K2 items not edit with 'backend protection'

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Saturday, 16 April 2011 15:51 CDT

mneese
I have K2, virtuemart using k2mart as front-end...when I have back-end protection enabled, I cannot edit the k2mart items...

Is this exception handled by listing virtuemart directories, or K2 directories? Any suggestions on which directories to start with?

slaes
Do you mean you can't edit K2 items from the front end or the back end with back-end protection enabled?

Personally, I have not run into this issue and run many configs like that. If it's J1.6, good luck! My advice would be to uninstall and go back to J1.5.

My best guess would be it's more likely to be a K2 exception, and in fact exceptions for such things are covered very well in the manual.

nicholas
Akeeba Staff
Manager
You should follow these instructions for determining any required exceptions. Most likely you need some VirtueMart exceptions, as it seems to be using stray PHP files scattered throughout its backend to do pretty much anything.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

mneese
Sorted through using process as described and it was multiple levels of exceptions required...

The files are in the administrator/components/.... directory. Is it best practice to allow direct access to a particular JS file, or to list the back-end directories? Which is safer?

@slaes...joomla 1.5 and backend editing...I don't think 1.6 can use either K2 or virtuemart...

nicholas
Akeeba Staff
Manager
The best approach is to add exceptions for individual files. If you are lazy -like me!- you may add an exception for the folder that contains all the JS files you want to allow access to. Never, ever, allow full access (including PHP files) to a directory unless there is absolutely no other way to do that, i.e. when the file names are not predictable. Also, you should never allow access to an entire folder tree (like /components) just to get a single Javascript file working.

The back-end and front-end protection is tough to configure properly and requires a lot of trial and error. On the up side, it minimises the possibility of having a hacker install a backdoor script (e.g. a C99 variant) and use it to gain full access to your site. Even if the hacker manages to bypass all protections (like sane permissions, UploadShield, etc) he won't be able to access the malicious PHP file he uploaded. That's the true power and raison d'être of this kind of protection.

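
The ranking of exception types in the reply above, as an added example that is not part of the original thread and is not Admin Tools' own code: a simplified Python model of which direct requests each kind of exception lets through. The three exception kinds follow the reply; the `com_example` paths, the entry-point list and the PHP extension list are assumptions.

```python
import posixpath

ENTRY_POINTS = {"administrator/index.php"}   # assumption: only PHP file served directly
PHP_EXTS = {".php", ".phtml", ".phar"}       # assumption: extensions the server executes

def norm(path):
    """Collapse '.', '..' and duplicate slashes so traversal cannot dodge a rule."""
    return posixpath.normpath("/" + path).lstrip("/")

def under(path, folder):
    return path.startswith(norm(folder) + "/")

def allowed(path, files=(), folders=(), full_access=()):
    """Would a direct request for `path` be served under these exceptions?"""
    p = norm(path)
    if not under(p, "administrator"):
        return True                      # this model covers the back-end only
    if p in ENTRY_POINTS or p in {norm(f) for f in files}:
        return True                      # exact-file exception: one known file
    if any(under(p, d) for d in full_access):
        return True                      # full access: PHP files included
    is_php = posixpath.splitext(p)[1].lower() in PHP_EXTS
    return not is_php and any(under(p, d) for d in folders)

def audit(folders=(), full_access=()):
    """Flag exceptions that are broader than the reply above recommends."""
    findings = [(d, "full access incl. PHP: uploaded scripts become reachable")
                for d in full_access]
    findings += [(d, "whole folder tree excepted for a few files")
                 for d in list(folders) + list(full_access)
                 if norm(d).count("/") < 2]   # e.g. administrator/components
    return findings

# Constructed sample paths (com_example is hypothetical, not a real extension).
JS = "administrator/components/com_example/assets/js/editor.js"
JS_DIR = "administrator/components/com_example/assets/js"
DROPPED = JS_DIR + "/x.php"                  # stands in for an uploaded backdoor

if __name__ == "__main__":
    for name, exc in [("file", {"files": [JS]}),
                      ("folder", {"folders": [JS_DIR]}),
                      ("full access", {"full_access": [JS_DIR]})]:
        print(f"{name:12} js={allowed(JS, **exc)} dropped_php={allowed(DROPPED, **exc)}")
    print(audit(folders=["administrator/components"], full_access=[JS_DIR]))
```

Only the full-access exception lets the dropped PHP file through; the file and folder exceptions both serve the JS file while the PHP file stays blocked.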
