Error 403 on Staff and Student pages

Hi

I’ve just installed version 16.0.0.1 on to a shared server and I have a problem where many things don’t work.

Here is one of the links that don’t work (view details but also the add button does the same) from the “Home > Staff > View Staff Profiles”: /index.php?q=%2Fmodules%2FStaff%2Fstaff_view_details.php&gibbonPersonID=0000000001&search=

As you can see, either there is an extra “&search=” on the end of the URL or something is causing the URL to be shorter than it should be. Removing the extra part makes the link work perfectly.

This is the same for every error I receive.

My site passes all of the server checks apart from the hosted server using MyISAM as its default engine (the tables are InnoDB). I have tried asking my host to turn off MOD_SEC but it made no difference.

Can someone shed some light on this for me?

Thanks in advance.

Can anyone help with this?

Hi Mike, welcome to the Gibbon community :smiley:

At first glance the “&search=” shouldn’t cause any issues with the URL, it would just be passing an empty string along to the next page. However, the overall issue may indeed be related to the URLs. Does it also happen with a non-empty search string, e.g. “&search=foo”? Is it just links with a “&search=” causing problems, or other links as well? The post title mentions a 403 error, are you seeing any other PHP error output as well? Are you able to check your PHP logs to see if there are any errors related to those pages?

One possible culprit could be URL encoding, which is sometimes related to server settings or htaccess redirects. However the best place to start narrowing things down will be in the error output, if there is any.

Thanks!

Hi Sandra,

Thanks for responding.

The only error I get is this:

PHP Notice: Undefined index: gibbonPersonID in /modules/Staff/staff_view_details.php on line 36

Line 36 is this: $gibbonPersonID = $_GET['gibbonPersonID'];

The .htaccess file in the root domain looks like this:

```
#AddHandler phpini-cgi .php
#Action phpini-cgi /cgi-bin/php5-custom-ini.cgi

RewriteEngine On

# SSL REDIRECT START
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# SSL REDIRECT END

#RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
Header set Access-Control-Allow-Origin "*"
SecFilterEngine Off
SecFilterScanPOST Off
```

The .htaccess file in the subfolder for gibbon looks like this:

```
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql)$">
Order Allow,Deny
Deny from all
</FilesMatch>

SecFilterEngine Off
SecFilterScanPOST Off

php_value max_input_vars 5000
```

Thanks in advance:

Sorry, I forgot to mention, the search function works perfectly, in other words when you give it a parameter such as “smith”. The problem only occurs with the actions button for each person which is the URL I quoted in the post.

I’d love to move forward with this but I can’t devote time to it unless I can get it to work properly on my server.

Hi Mike,

I see an SSL redirect in your htaccess file, so this may be the culprit. Adding NE may help prevent it from double-encoding, so based on your snippet above the SSL part would be

```
# SSL REDIRECT START
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,NE,R=301]
# SSL REDIRECT END
```


Otherwise check out this thread where we found and fixed a similar URL encoding issue, and perhaps following these steps may help you as well: https://ask.gibbonedu.org/discussion/comment/4127#Comment_4127
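One way to test the double-encoding theory discussed above, as an added example that is not part of the thread or of Gibbon's code: compare the parameters PHP would see in the requested URL with those in a redirect's `Location` header. The host `gibbon.example` and the three `Location` values are constructed for illustration, not captured from a server.

```python
from urllib.parse import urlsplit, parse_qs

# Path and query from the first post; gibbon.example is a placeholder host.
QUERY = "q=%2Fmodules%2FStaff%2Fstaff_view_details.php&gibbonPersonID=0000000001&search="
REQUESTED = "http://gibbon.example/index.php?" + QUERY

# Constructed Location headers, one per failure mode (not captured from a server).
CLEAN = "https://gibbon.example/index.php?" + QUERY
DOUBLE_ENCODED = "https://gibbon.example/index.php?" + QUERY.replace("%", "%25")
AMP_ESCAPED = ("https://gibbon.example/index.php?q=%2Fmodules%2FStaff%2F"
               "staff_view_details.php%26gibbonPersonID%3D0000000001%26search%3D")


def params(url):
    """Decode the query string once, the way PHP does when it fills $_GET."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def compare_redirect(requested, location):
    """List how the redirect target's parameters differ from the request's."""
    before, after = params(requested), params(location)
    findings = []
    for name, values in before.items():
        if name not in after:
            findings.append(f"missing: {name}")
        elif after[name] != values:
            findings.append(f"changed: {name} is now {after[name][0]!r}")
    for name in sorted(after.keys() - before.keys()):
        findings.append(f"unexpected: {name}")
    # A '%' that was escaped again shows up as '%25' in the raw query.
    if "%25" in urlsplit(location).query and "%25" not in urlsplit(requested).query:
        findings.append("double-encoded: '%' became '%25'")
    return findings


if __name__ == "__main__":
    for label, loc in [("clean", CLEAN), ("double", DOUBLE_ENCODED), ("amp", AMP_ESCAPED)]:
        print(label, compare_redirect(REQUESTED, loc) or "parameters intact")
```

A `missing: gibbonPersonID` finding corresponds to the "Undefined index: gibbonPersonID" notice quoted earlier in the thread. To use it on a real site, pass the URL you requested and the `Location` header the server returned for it.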

It seems that neither solution works for me which is a shame.

If there are any other ideas I’ll be pleased to hear them.

Thanks for your time.