Authorizer blocking events plug in

  • Resolved rmurr1

    (@rmurr1)


    9 months, 4 weeks ago

    We use authorizer on a private website and also use the Events Calendar Pro to house our college events on that site. We ran into an issue after the most recent Calendar Update where Authorizer seems to be causing a 403 error for the Calendar and it will not allow users to change views on the calendar or move forward in days/months. We ran through plug in conflict tests to figure out that authorizer was causing the issues. Is there a way to White list the events calendar in Authorizer?

    The page I need help with: [log in to see the link]

Viewing 13 replies - 1 through 13 (of 13 total)

  • This problem also affects me. I would be interested in a proposed solution.

    Plugin Author Paul Ryan

    (@figureone)

    Can you confirm the issue also affects the free version of the Events Calendar plugin?

    https://www.ads-software.com/plugins/the-events-calendar/

    If so we can try to reproduce the issue with that and see if we can narrow down the cause.

    Thread Starter rmurr1

    (@rmurr1)

    Yes it does

    Plugin Author Paul Ryan

    (@figureone)

    Ok we confirmed the issue, looks like Authorizer is blocking access to the custom REST API routes that the Events Calendar plugin uses in its AJAX calls, even when a user is logged in. Working on a fix

    Plugin Author Paul Ryan

    (@figureone)

    Ok so the issue is The Events Calendar plugin is not sending the wp_rest nonce along with the REST request, so Authorizer doesn’t know it is an authenticated request and is (appropriately) blocking it as an anonymous request.

    The easiest way to resolve is to have The Events Calendar set the X-WP-Nonce header with the value of wp_create_nonce( 'wp_rest' ) along with every REST API request. See:

    https://developer.www.ads-software.com/rest-api/using-the-rest-api/authentication/

    This lets WordPress know it is an authenticated request (if the user is logged in), and Authorizer will then be able to look up the current user with is_user_logged_in() when it decides whether to block the request:

    https://github.com/uhm-coe/authorizer/blob/master/src/authorizer/class-authorization.php#L722-L723

    As a short-term solution, you can try disabling the REST API in The Events Calendar so it falls back to AJAX calls, which work correctly with Authorizer:

    add_filter( 'tribe_events_views_v2_rest_endpoint_available', '__return_false', PHP_INT_MAX );

    https://docs.theeventscalendar.com/reference/hooks/tribe_events_views_v2_rest_endpoint_available/

    Thank you for the suggestion. the AJAX requests are functioning properly. Another issue I have observed is that the subscription to the calendar is not working because the Authorizer also blocks it. I kindly request your assistance in resolving this problem.

    Plugin Author Paul Ryan

    (@figureone)

    The resolution will be The Events Calendar folks adding the wp_rest nonce to their REST API requests in order for them to be seen as authenticated.

    I might be mistaken, but the calendar subscription uses the webcal protocol, which the user will not initiate (not rest), but rather Outlook, Apple Calendar, Google Calendar, etc. Consequently, I believe that the originally suggested whitelist could be the correct solution. Or am I mistaken? Is there a possibility for this, even at the code level?

    Plugin Author Paul Ryan

    (@figureone)

    The Events Calendar uses the WordPress REST API: https://theeventscalendar.com/blog/news/the-events-calendar-wordpress-rest-api/

    Specifically when clicking UI elements in the calendar (e.g. “List” “Month” “Day” or moving forward/backward in the timeline), a request is sent to a custom REST API endpoint to fetch the html to render the new calendar view. These requests are missing the wp_rest nonce so they are seen as anonymous requests, and any site configured with Authorizer to block anonymous traffic will block these requests. You can see this in your browser inspector when clicking these UI elements, a 403 Forbidden is returned.

    I understand the problem, but actually I’m not even sure if what I want is a good idea. Making events on a protected page publicly accessible (which is necessary for calendar providers to read the events) also raises GDPR issues. So, I need to rethink my original idea. Nevertheless, thank you for the assistance, and the suggestion for the first issue works perfectly! ??

    Plugin Author Paul Ryan

    (@figureone)

    Sounds good, good luck!

    ssheather

    (@ssheather)

    We have been having the same issue with Events Calendar in our intranet site. Thanks for providing a solution. Could you clarify that the solution provided needs to be implemented within Events Calendar and not in Authorizer? And what file within Events Calendar needs to be changed? The Github example provided is in Authorizer. Thanks.

    Plugin Author Paul Ryan

    (@figureone)

    There should be two solutions:

    1. Reach out to the Events Calendar developers to get the X-WP-Nonce header set on their REST API calls: https://developer.www.ads-software.com/rest-api/using-the-rest-api/authentication/
    2. Or use the workaround to disable the REST API in Events Calendar and fall back to AJAX calls. This is a filter that you would add to your theme’s functions.php file, or your own mu-plugin, or wherever else you add custom hooks:

    add_filter( 'tribe_events_views_v2_rest_endpoint_available', '__return_false', PHP_INT_MAX );

    https://docs.theeventscalendar.com/reference/hooks/tribe_events_views_v2_rest_endpoint_available/

Viewing 13 replies - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.