Thread

I’ve had reports about a site where members with CP access get ‘You are not authorized to perform this action’ when trying to log in with admin.php. But if they use a log in form on the front end of the site and then go back to admin.php, they can get in OK.

Any idea why that might be happening?

Did you check your file permissions? Perhaps the admin.php file is balking…

Sorry should’ve mentioned that the problem only affects users when trying to connect from certain networks. I can get in from where I am no problem. My client who is between me and the end client also has no problem. But the end client, at their location is the one who has the problem.

Hi, Tyssen,

Has the client with the problem chatted with their network security? I suspect that they’re revolving IPs in some way.  Can that same client login from outside that network?

We’ll figure this out, just need to do some more discovery along the way.  Thank you!

The client’s IT providers aren’t being very helpful, they say there’s nothing unusual about their set-up. But the client can log in to the CP outside their usual work network.

Hi, Tyssen,

I hate to say it, but this is very much isolated to the client’s network.  Their security probably has some logging that would give us a clue to what is going on, and possibly allow them admins to bypass that for this client.  But it is not something that you or I can do for them.  Does that make sense?

What you can do is try to turn off items such as Secure Forms, Require IP address and see if that helps your client.  You’ve been using EE for awhile so I am fairly confident you know where those settings are - but if you need me to walk you through the clicks, please let me know?

Requiring IP had already been turned off, and had played around with the cookie/session settings. Have just turned off secure forms so will need to go back to them to check.

One thing that I’ve just noticed is that the admin login form has ‘Auto log-in on future visits?’ with a checkbox on it. Where does that come from?

Hi, Tyssen -

That shows up if Cookies only is set for the control panel, so it is related to those security settings.

Also, I see this: “You are not authorized to perform this action” - this can also happen if the IP has been banned -or a partial IP.  If you’ve got an IP ban list going on, you might find out this fellows IP (My favorite way to do this is to google “what is my IP” - shows at the top of the search results) and double check that it is not, in fact, banned. 

And you’ve tried with sessions only for the admin and user side? I know you played with cookies, just want to confirm that combination was tried.

Thank you!

No IP banning going on, the blacklist module isn’t installed. And yes, have tried sessions only, cookies only and sessions/cookies. I posted this thread in the hope that there might be some clue as to what’s different between the normal CP login form and the one that gets used in templates, as the latter works OK for them.

Tyssen -

I am curious, if you set both user and admin session to cookies only, then have your user login via the front-end form - are they logged into the back-end?

Are you running your CP with SSL by any chance?

Thank you!

Yes, that’s what I said in the opening post of this thread, and no, no SSL.

Sorry about that, Tyssen!

Is using cookies only and a front-end form with a link to the CP a possibility?

Also - can you ask your client to try from a different browser? I just want to rule out browser add-ons, etc.  Even an incognito window in Chrome would be a good test.

My concern is that logging in won’t help - because you can’t reproduce it; I don’t have a reason to think that I will be able to.  Troubleshooting and fixing this one - especially without the help of your client’s network admins - could prove nearly impossible.

Is using cookies only and a front-end form with a link to the CP a possibility?

Yeah I guess so if that’s the only other option.

It is a relief to know he is not locked out of the CP.  Did you find out what browser he uses, and if this problem appears across all browsers?

No, haven’t found out yet.