
[RESOLVED] Access Denied during upgrade from 7.1.6 to 9.0.2

#91653 (In Topic #18420)

Fan in action

Hello forum,

I'm finally upgrading my production environment after testing v9 extensively.

I made an exact clone of my production site so I could test the upgrade and v9 and everything went fine without a hitch. 

Now, as I started to upgrade my production site, right after the low-risk upgrading and before it starts to unpack the new files I get an Access Denied error.

I don't know where I can find a log that will tell me what's throwing this error or where to even begin to troubleshoot this issue.

Any help is very much appreciated.
 
#91654

Community saint

Do you have an exact error message/number?

Is your clone site on the same server as the production site?

If it's an ocPortal error message then it will be in Admin Zone Audit Error log. Access denied errors are shown at the bottom of the page.

If it's a server error it should be viewable in cPanel -> Error Log, at least basic info on the error.




Do you have a Samsung Galaxy S / Galaxy S II ? If so, why not check out my ScreenFree FM Radio .
 
#91655

Actually I've just analysed the code and I can see a problem.

If you're upgrading from v7 and have a plain text master password, this would happen.

The best solution is to first go into /config_editor.php and change the password. You can change it to the same as it was, but ocPortal will hash it.

This will stop the v9 upgrader getting confused, as there is a subtle change in how the security connections between different parts of the upgrader work. The upgrade upgrades the upgrader itself and it got confused because the two connecting versions didn't recognise a security pass with this kind of master password.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
 
#91670

Fan in action

temp1024 said

Do you have an exact error message/number?

Nope. The upgrader stops at "access denied" and that's it.


temp1024 said

Is your clone site on the same server as the production site?

Yep.

temp1024 said

If it's an ocPortal error message then it will be in Admin Zone Audit Error log. Access denied errors are shown at the bottom of the page.

You're right, I totally forgot about that log but I just checked it and the last error in it was a failed SQL query from last month.


temp1024 said

If it's a server error it should be viewable in cPanel -> Error Log, at least basic info on the error.

I thought of that too since the "Access Denied" error could be related to directory permissions but the error log on my server didn't report any info of the sort nor anything relevant for that matter.



Chris Graham said

Actually I've just analysed the code and I can see a problem.

If you're upgrading from v7 and have a plain text master password, this would happen.

I did see a thread from earlier this month where a user had a similar issue and you posted that but my master PW is already hashed in the info.php

Chris Graham said

The best solution is to first go into /config_editor.php and change the password. You can change it to the same it was, but ocPortal will hash it.

Did that per your suggestion just now but got the same "access denied" error.

Here's something strange though.

I'm using the same master PW for both my production and cloned sites. After I changed the master PW thru the config editor on my production site like you suggested, I noticed that the hashed PW became exactly the same as the master PW in my cloned site.

They were not the same before and I don't understand why would that be since it has always been the same PW for both (and the cloned site is…. well… a clone from the production site). Plus, I always accessed the upgrader just fine with whatever hash it was before but now I can only access it if I'm using the same hashed PW for the cloned site.

Here are some other little things I discovered.

I looked at the source code of the page where I get the error to see where the installation is stopping.

It seems that the installation is stopping at data/upgrader2.php and there is a field on the URL called "hashed_password=" and oddly, that hashed PW that's there is not the same hashed master PW that is in the info.php.

Is the upgrader hashing the hashed master PW?

I replaced that odd hash with the master PW hash and then I get the error "Temp file has disappeared ()"

The URL is referencing data_custom/upgrader.tmp and when I look in that folder on cPanel the file is still there with a recent timestamp.

So I've reached a dead end again.  O_o
 
#91699

It's rather complex to explain what happens here.

It sounds like you ran the v9 config editor and changed your password, because config_editor.php must have already extracted. This would have generated a v8/v9-style master password which would not be recognised when logging into the v7 upgrader.

v8/v9 will recognise v8/v9-style master passwords, v7 hashed passwords, and plain text passwords.

The v7 upgrader (sources/upgrade.php) connects to the extractor (data/upgrader2.php) via passing in a hashed version of the password used to log in. The v7 extractor recognises that as either the hashed password in info.php or a hash of what is in info.php (in the plain text case).

The v8/v9 upgrader is similar except it connects to the extractor via what is literally in info.php. The extractor then compares that to what is literally in info.php.

Because the v7 upgrader is passing a hashed input password even when it is not hashed in the info.php file, the v8/v9 extractor gets confused as it cannot get a match on it. That happens once it flips over to the new extractor once the new extractor extracts (data/upgrader2.php as you identified).

As I say, all very complex.

I'm fairly sure my suggested fix is right, but if in doubt another solution that may work is to replace upgrader2.php once it trips up, with the v7 version of that file. Because the extraction happens in an iframe, you can then refresh that iframe and it should continue. When it's all done, then put the v9 version of upgrader2.php back.


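The upgrader-to-extractor handoff described in post #91699, modelled as an added example (not ocPortal code and not written by anyone in this thread). SHA-256 is a stand-in because the thread does not name the hash, all function names are hypothetical, and only the plain-text and v7-hashed forms of the info.php value are modelled.

```python
import hashlib
import hmac


def stand_in_hash(value: str) -> str:
    # Assumption: stand-in for the v7 password hash, which the thread does not name.
    return hashlib.sha256(value.encode()).hexdigest()


def same(a: str, b: str) -> bool:
    # Constant-time comparison of two token strings.
    return hmac.compare_digest(a.encode(), b.encode())


def v7_upgrader_token(login_password: str) -> str:
    # v7 sources/upgrade.php: passes a hash of the password typed at login.
    return stand_in_hash(login_password)


def v9_upgrader_token(info_value: str) -> str:
    # v8/v9 upgrader: passes what is literally stored in info.php.
    return info_value


def v7_extractor_accepts(token: str, info_value: str) -> bool:
    # v7 data/upgrader2.php: token matches info.php's value (already hashed)
    # or a hash of it (plain-text case).
    return same(token, info_value) or same(token, stand_in_hash(info_value))


def v9_extractor_accepts(token: str, info_value: str) -> bool:
    # v8/v9 data/upgrader2.php: literal comparison against info.php only.
    return same(token, info_value)


def handoff_matrix(password: str) -> dict:
    # Try each stored form against each upgrader/extractor pairing.
    stored = {"plain": password, "v7-hashed": stand_in_hash(password)}
    results = {}
    for form, info_value in stored.items():
        old = v7_upgrader_token(password)
        new = v9_upgrader_token(info_value)
        results[(form, "v7->v7")] = v7_extractor_accepts(old, info_value)
        results[(form, "v7->v9")] = v9_extractor_accepts(old, info_value)
        results[(form, "v9->v9")] = v9_extractor_accepts(new, info_value)
    return results


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    for key, ok in handoff_matrix("constructed-sample-password").items():
        print(key, "accepted" if ok else "Access Denied")
```

The only rejected pairing is the v7 upgrader talking to the v9 extractor while info.php still holds a plain-text value, which is the case the suggested fix (hashing the password through config_editor.php first) removes.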
 
#91734

Fan in action

Hi Chris,

Thank you for your suggestions. I have tried both of them and neither worked unfortunately.

The master password was not in plain text in the info.php but I did reset it through the config_editor.php.

I found a backup from version 7.1.6 and extracted the upgrader2.php and followed your instructions but I got the same "Access Denied" error with the same odd behavior of the password being hashed twice in the URL.


I don't know what else to try and I simply don't understand why the upgrade worked fine in the cloned site but not in the production site since both are identical.

 
#91753

I found a backup from version 7.1.6 and extracted the upgrader2.php and followed your instructions but I got the same "Access Denied" error with the same odd behavior of the password being hashed twice in the URL.

Did you do that once it trips up – i.e. after you see the error? You need to let it generate the error, then replace the file, then refresh the frame.

If you want me to finish off the upgrade please open up a bug report ticket with the details I'd need.

Regards,
Chris


 
#91760

Fan in action

Chris Graham said


Did you do that once it trips up – i.e. after you see the error? You need to let it generate the error, then replace the file, then refresh the frame.

Correct. As per your instructions.

Chris Graham said

If you want me to finish off the upgrade please open up a bug report ticket with the details I'd need.

I'm not sure if I did this right. I opened a report under the tracker and put as much detailed info as I could.

Please let me know if there's anything else you need that was not included in the bug report.

Thank you again for your assistance.
 
#91826

Hi,

Actually I meant I'll finish the upgrade for you and fix whatever is wrong:
Add a new support ticket - ocPortal.com

I'll need FTP access details though, and for it to be left as the v7 site ready for me to upgrade.

It's quite difficult to work out the flow of this without stepping through it directly myself. Probably something unusual is happening that I'm not aware of.


 
#91840

Fan in action

Hi Chris,

Sorry, I got confused. I have opened up a support ticket.

Please let me know if I'm missing anything.

Thank you again.
 
#91841

Thanks for your patience, ticket received, will look at soon.


 
#91894

Fan in action

Hi Chris,

I've completed the remaining steps of the upgrade and all is working fine now.

I'm still not very sure what the issue was but I'm glad it is resolved.

Thank you again for your assistance.