Posted: May 3, 2016 at 10:42 am
I just downloaded the new mobile app for EE4 to test it out and have found 2 issues.

1. Most important – You are able to log in to the app with ANY (invalid included) username and password to see the event information. Of course we do not allow anyone to see this information from the site, we shouldn’t allow them to see it from the mobile app especially if they are not even a member of the site.
2. When I log in with an actual administrator user, it gives me an error that I do not have access to list registrations to the event. Of course since I am an admin, I should have access to do so.

How can we resolve these two issues? Thanks in advance.

Maceo

Hi Maceo, Do you have any activated WP plugins that add Authentication features? The reason I ask is because your site isn’t throwing any errors when a manual HTTP request is sent to your site with bogus BasicAuth info.

Only ones I can think of are Memberpress and WooCommerce. If I try to log in to the site directly with an invalid username it throws an error though. Is there a way to find out?

I checked WooCommerce and it doesn’t appear to have any authentication features. I don’t have a copy of Memberpress in order to check it. You can find out if Memberpress is having any effect on your site’s authentication by temporarily deactivating it, then try logging into the app with a bogus username/password combo.

I disabled Memberpress and attempted to log in through the standard WP login with bogus info and was unable to.

Sorry, misunderstood your comment, let me try the app now.

OK, so I’m confused here. I went to my staging site and disabled every plugin but Event Espresso and am still able to log in with anything in the app only. I am unable to log in to the site with an invalid username. If I disable Event Espresso, I get route not found or something like that.

That’s to be expected. On your staging site, what’s the name of the active WordPress theme?

The active theme is Derrick from web-savvy-marketing.com/store/derrick/. Working on creating another staging to change the theme as well.

OK, created another staging with all plugins deactivated except EE4 and changed theme to Twenty Thirteen. Still able to log in with anything.

It might help to know the type of server and any other information you can give about it.

Does this information help? *redacted*

I can pass that info along to the developers. Do you know if there’s anything in the .htaccess file besides the standard WordPress rewrite rules?

I see the post is redacted, you did see the link I provided, right? In the htaccess, other than the standard WP stuff, is hotlinking protection, redirect to https://www from non https or non www, and some file protection Memberpress puts in there for standard files like pdf, txt, office docs, or mp3s.

Yes, we have the information but that’s not something that should be shared with everyone. You might try temporarily commenting out some of the .htaccess access rules if you want to troubleshoot this further.

OK, just commented all that out and still same issue.

Thanks for checking. At this point, we do not know why some of the sites are having trouble with authenticating with the API to view attendees. There are a few other guesses floating around (server configuration, other plugins, restricted capabilities for the user account.) We’ll update the documentation and this thread when we know more.

OK great, so I am not alone? If not, that is good to hear, because this has me thinking I have a hole in my site somewhere even though I can’t log in directly without valid info.

Oh, and as far as user capabilities, I am testing with an actual admin account but get the same results as testing with an invalid account.

It’s not a hole in your site somewhere because viewing events on your site via the API doesn’t require authentication. Viewing attendee data does require authentication.

The support post ‘Mobile App Issues (2)’ is closed to new replies.