Almost Random 403 Errors in Manager. But probably not mod_security

Getting the dreaded 403 errors when using the manager. Tech support at Zen Hosting helped by whitelisting on mod_security. Seemed to help with Saving Chunks, Snippets etc. But today I can’t view many elements without getting this -

expected expression, got ‘<’: 403 Forbidden Access is forbidden to the requested page:

Looking at Network Tab the 403 is on stuff like this (port 443)

BUT the previous line (with a 200) is connectors/index.php?action=element/getnodes&id=n_template_category_1&type=template - in other words only the category number has changed. Very random too. Just now Techies at Zen turned off mod_security entirely and there was no improvement.

Tried the usual Clear Cache, Cookies, core/cache folder etc. Jay, over on slack, thinks Permissions.
Happened with a colleague Editor user trying to upload a media file. So not just Elements and not just my IP or browsers or ISP etc.

Modx2.8.1 cPanel. Apache. Mostly in Firefox, also Chrome,Edge (latter has no plugins for privacy etc).

Hi @parthian,

It sounds like mod_security for the element saves. If they’re static it could also be related to file/folder permissions.
As for the uploading issue most likely permissions but could also be an Apache/htaccess misconfiguration.

Yes, I’m still having trouble saving (occasionally) and mod_security is probably to blame. Some previous Save issues were fixed by whitelisting by Zen Techies. Trouble is I don’t know exactly what they did. They don’t know MODx at all. Most hosts don’t.

The 403’s don’t seem to stop me working. Just a small proportion of the many POST requests fail. And often they don’t seem to matter with the task in hand, editing a chunk, TV, Template etc.

Tried looking at permissions through Cpanel and FileZilla. Compared to a working MODx on another hosts server. They seem to match (0644s and 0755s), although I can’t make sense of Owner/Group which are set to 1047/1051 on Zen but my other host/modx setup has myusername/myusername as Owner/Group.
Presumably 1047 is some sort of userID. Odd that on one the values are different (two different integers) but on another host the values match (string/string).

I may have to just abandon using Zen. But the setup has worked for about 8 years until about a month or two ago.

Yeah it’d be tough keeping up with all the platforms out there. Most hosts tend to really only know Wordpress and sometimes Magento I’ve found
Indeed those would be the Owner/Group ids. It’s been a while since I touched Cpanel but from memory they use chroot jails for users so the ids should be the same as your web server user, thus 755 and 644 would be fine.
If you have SSH access you could run something like:
find . -type d -exec chmod 2755 {} \;
find . -type f -exec chmod 644 {} \;
from your web root to make sure recursively that everything is the correct permission.

Any views on the owner/group (1047/1051) versus (username/username). Researching just now but not having much luck. It’s the only clue. Same on a working modx but different ids on a failing one.

I don’t have ssh access (that I recall). I’ll email the techies and ask them to do it. Ta.

I think the ids would be different for each user account. I’d say it’s unlikely that would be the cause of the issue.
At the end of the day it really could just be mod_security or a firewall blocking those requests.

Smashing. I’ve emailed them to do the 2755 (and I’ve just noticed the 2 is to handle owner/group - thought it was a typo at first!).

mod_security was completely turned off for a while and no change. Just to test the issue. The problem used to be just on Save of a chunk etc. Now anything that refreshes the Element tree causes it. Looking grim.