ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

"You are not authorized to perform this action" when occasionally submitting contact form

January 11, 2012 6:51pm

  • #1 / Jan 11, 2012 6:51pm

    megancoleman

    14 posts

    I have a simple contact form on my site:
    http://megancoleman.com/contact/

    A user informed me that when they tried to fill out the form they got a page with the “You are not authorized to perform this action” error message. The email message still got sent to me though.

    I can’t seem to duplicate the error, whether I’m logged in or not or using a different computer or email address. I’ve had one other person test the form and she got the error twice out of five times. But there wasn’t anything particularly unique about the times she got the error.

    I did recently upgrade to EE2 (v2.3.1 Build: date 20111017). Only a few people have filled out my form since the upgrade, but only one has mentioned a problem. I never had this issue when I was running EE1 (that I was aware of).

    Do you have any suggestions of things I could check? I’m not sure how to troubleshoot a problem that isn’t consistently happening.

    Thanks.

  • #2 / Jan 13, 2012 1:10am

    John Henry Donovan

    12339 posts

    Hi Megan,

    I just tested your form without issue so I can’t say for sure what may be causing this. What browser was your test user using? Can you confirm you received my email please?

    Do you have any add-ons?

  • #3 / Jan 13, 2012 12:18pm

    megancoleman

    14 posts

    John,

    Thanks for testing, I did get your email message.

    I’ve tested the form in Chrome (mac/pc) and haven’t recreated the error. My friend tried Chrome, Safari and Opera and only got it in Chrome. But only a few of the times she tried.

    I’m just using the built in contact form. I have the Deeploy Helper module installed and the SmartDown plugin. That’s it.

    Megan

  • #4 / Jan 18, 2012 4:05am

    John Henry Donovan

    12339 posts

    Hi Megan

    I tested in Chrome just there again but couldn’t see the error. The fact that it is only localized to one of your users may suggest something else but is going to be difficult to troubleshoot further in those circumstances.

    Do you have error logs for your hosting? Something might have shown up there in the background.

  • #5 / Jan 18, 2012 11:58am

    megancoleman

    14 posts

    Well, it’s actually happened with two different people. But I’m not sure what is similar about their circumstances.

    I checked and couldn’t find any recent errors in the logs. Anything else that might cause it? Sorry this is so vague, but I’m not sure how to collect more data myself.

  • #6 / Jan 24, 2012 10:54pm

    Kevin Smith

    4784 posts

    Hi Megan,

    I believe that error comes from a basic security check that’s done to make sure a bot isn’t hijacking your form. One of the checks it performs is to make sure the user has an IP address. Is it possible that the users you’re having test this are behind a corporate firewall that shifts IP addresses around during a session? If they’re testing this at work, could you ask them to test it at a completely different Internet connection as well?

  • #7 / Jan 25, 2012 12:38am

    megancoleman

    14 posts

    One of the users that got the error was just trying from home, so she isn’t behind a corporate firewall (or probably a personal one either). Would that happen if she’s using a WIFI connection?

  • #8 / Jan 30, 2012 6:26pm

    Kevin Smith

    4784 posts

    Sounds like it’s time I had a first-hand look at this to see what’s going on. Be on the lookout for an email from me, Megan.

  • #9 / Jan 30, 2012 6:37pm

    megancoleman

    14 posts

    Thanks so much Kevin. Sorry I don’t have more information, this bug is bizarre!

  • #10 / Jan 31, 2012 4:27pm

    Kevin Smith

    4784 posts

    Just a note to let all onlookers know that I’m working privately with Megan at the moment. I’ll post back here with details on the fix once I’ve got them.

  • #11 / Feb 02, 2012 4:49pm

    Kevin Smith

    4784 posts

    After closer examination, we weren’t able to get the issue to present itself again. Megan will keep testing and update this thread if it comes back up!

  • #12 / Feb 10, 2012 5:57pm

    Lindsey D

    10 posts

    I just experienced this exact same issue:
    http://blendr.com/contact/submit/test

    The form seems to work perfectly for me, but one of my coworkers got the message “You are not authorized to perform this action” when she tried it. We are also running v2.3.1 (build date 20111017).

    Please let me know if you find any new information on this. Thanks!

  • #13 / Feb 13, 2012 4:42pm

    Dan Decker

    7338 posts

    Hi Lindsey D,

    This can also present itself if the contact form has a stale XID hash. This hash is a security measure and can become “stale” if the form is loaded from browser cache. If you have your coworker clear the browser’s cache before loading the form, do they still receive the error?

    Cheers,

  • #14 / Feb 13, 2012 4:56pm

    Lindsey D

    10 posts

    When she first tried the form, it had just been built (the form didn’t previously exist). So on her first attempt at using the new form, she received that error message.

    I have since had her test the form again, and everything worked fine for her the second time.

    Does that still sound like an XID issue?

  • #15 / Feb 14, 2012 6:11pm

    Robin Sowell

    13255 posts

    Odds are good it’s the secure forms check.  I took a look at the code- if the user doesn’t have a valid ip or user agent, it can generate it.  If they’re blacklisted or their country code is banned- it should generate it (obviously unlikely in this case).  Or if they fail the secure forms check.  Basically- that records when they load the page- using their ip.  And if whoever loaded it isn’t the one to submit it- it fails.  So if they have a rapidly rotating ip, that could explain it.  Or if they let the page sit there a couple of hours before submitting- that can do it.  (I have fallen into that one a time or two, actually).

    Those would be the biggies.  Just as a test- you can turn secure forms off in the Admin.  If the issue goes away- you know that was it.  However- I personally really prefer to run with it on as a check against automated spam.

    Make sense what’s going on there?  If I had to bet- I’d guess she either had her ip switch up or perhaps hit the back button and thus duplicated the xid hash, triggering the error.
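
A minimal model of the secure forms check described in posts #13 and #15, added here as an illustration; it is not ExpressionEngine's code. The class and function names, the reason strings and the two-hour lifetime are assumptions made for the example, and unlike the single generic error on the site, it reports which check failed.

```python
import secrets

MAX_AGE_SECONDS = 2 * 60 * 60  # assumption: "a couple of hours" from the thread


class SecureFormCheck:
    """Toy model of a single-use form token (XID) bound to the loader's IP."""

    def __init__(self):
        self._issued = {}  # xid -> (ip, issued_at)

    def issue(self, ip, now):
        """Called when the form page is rendered; records who loaded it."""
        xid = secrets.token_hex(16)
        self._issued[xid] = (ip, now)
        return xid

    def submit(self, xid, ip, user_agent, now):
        """Return (accepted, reason) for one form submission."""
        if not ip or not user_agent:
            return False, "missing_ip_or_user_agent"
        # pop() makes the token single-use: a cached or back-button copy
        # of the form carries an xid that is no longer in the store.
        record = self._issued.pop(xid, None)
        if record is None:
            return False, "unknown_or_reused_xid"
        issued_ip, issued_at = record
        if now - issued_at > MAX_AGE_SECONDS:
            return False, "stale_xid"
        if issued_ip != ip:
            return False, "ip_changed_since_load"
        return True, "ok"


def replay_thread_scenarios():
    """Run the failure cases raised in the thread against constructed input."""
    check, t0, home = SecureFormCheck(), 1_000_000.0, "203.0.113.10"  # constructed
    results = {}
    xid = check.issue(home, t0)
    results["normal"] = check.submit(xid, home, "Chrome", t0 + 60)
    results["back_button"] = check.submit(xid, home, "Chrome", t0 + 90)
    xid = check.issue(home, t0)
    results["rotating_ip"] = check.submit(xid, "198.51.100.7", "Chrome", t0 + 60)
    xid = check.issue(home, t0)
    results["left_open"] = check.submit(xid, home, "Chrome", t0 + 3 * 3600)
    xid = check.issue(home, t0)
    results["no_user_agent"] = check.submit(xid, home, "", t0 + 60)
    return results
```

Logging the reason server-side while still showing visitors the generic message is what makes an intermittent failure like the one in this thread traceable.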
