InvoicePlane 1.5.3 Saving Settings Error

Hi,

I am new to InvoicePlane. I have downloaded v1.5.3 from the website and followed the installation instructions. The setup wizard was working great and has done a great job setting everything up.

Now I have logged in and tried to change some settings - which failed.

I opened the “Settings” -> “System Settings” and tried to change one value (I even tried to change nothing) and clicked “Save”. I got the following error message:

“An Error Was Encountered
The action you have requested is not allowed.”

HTTP return code: 403 Forbidden

I am running InvoicePlane on a server with …

  • Apache/2.2.15 (Unix)
  • PHP 5.6.30

I have enabled the following option in the ipconfig.php file:

  • ENABLE_DEBUG=true

The log file under “application/logs/” shows a few lines when loading the system settings page but only those two lines when trying to save them.

DEBUG - 2017-07-05 10:49:38 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 10:49:38 --> Global POST, GET and COOKIE data sanitized

Any idea how to fix that?

I have just tried to create an Invoice, … Similar problem.

This time the Error message reads like this:

" It seems that the application stuck because of an error."

DEBUG - 2017-07-05 11:08:37 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 11:08:37 --> Global POST, GET and COOKIE data sanitized
DEBUG - 2017-07-05 11:09:00 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 11:09:00 --> Global POST, GET and COOKIE data sanitized
DEBUG - 2017-07-05 11:09:00 --> Ajax MX_Controller Initialized
DEBUG - 2017-07-05 11:09:00 --> Config file loaded: /path/to/invoiceplain/application/config/invoice_plane.php
DEBUG - 2017-07-05 11:09:00 --> Encryption: Auto-configured driver 'openssl'.
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/settings/models/Mdl_settings.php
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/controllers/../modules/layout/controllers/Layout.php
DEBUG - 2017-07-05 11:09:00 --> Layout MX_Controller Initialized
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/invoice_groups/models/Mdl_invoice_groups.php
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/tax_rates/models/Mdl_tax_rates.php
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/clients/models/Mdl_clients.php
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/clients/views/script_select2_client_id.js
DEBUG - 2017-07-05 11:09:00 --> File loaded: /path/to/invoiceplain/application/modules/invoices/views/modal_create_invoice.php
DEBUG - 2017-07-05 11:09:00 --> Total execution time: 0.0541

DEBUG - 2017-07-05 11:09:09 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 11:09:09 --> Global POST, GET and COOKIE data sanitized
DEBUG - 2017-07-05 11:09:09 --> Ajax MX_Controller Initialized
DEBUG - 2017-07-05 11:09:09 --> Config file loaded: /path/to/invoiceplain/application/config/invoice_plane.php
DEBUG - 2017-07-05 11:09:09 --> Encryption: Auto-configured driver 'openssl'.
DEBUG - 2017-07-05 11:09:09 --> File loaded: /path/to/invoiceplain/application/modules/settings/models/Mdl_settings.php
DEBUG - 2017-07-05 11:09:09 --> File loaded: /path/to/invoiceplain/application/controllers/../modules/layout/controllers/Layout.php
DEBUG - 2017-07-05 11:09:09 --> Layout MX_Controller Initialized
DEBUG - 2017-07-05 11:09:09 --> File loaded: /path/to/invoiceplain/application/modules/clients/models/Mdl_clients.php
DEBUG - 2017-07-05 11:09:09 --> Total execution time: 0.0510


DEBUG - 2017-07-05 11:09:17 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 11:09:17 --> Global POST, GET and COOKIE data sanitized

Sadly there are no errors logged within InvoicePlane.
Do you have access to your web server logs?

It seems quite odd that you get a 403 error within the settings as the error code is related to permissions problems.

Do you have any browser plugins that block scripts or similar? Ad blockers?

Hi, yes, I have access to the webserver logs. But they don't tell any more details - sadly.

I have done the same procedure again, this time tailing all Apache logs and the application logs.

==> /path/to/invoiceplain/application/logs/log-2017-07-05.php <==
DEBUG - 2017-07-05 12:09:30 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 12:09:30 --> Global POST, GET and COOKIE data sanitized
DEBUG - 2017-07-05 12:09:30 --> Settings MX_Controller Initialized
DEBUG - 2017-07-05 12:09:30 --> Config file loaded: /path/to/invoiceplain/application/config/invoice_plane.php
DEBUG - 2017-07-05 12:09:30 --> Encryption: Auto-configured driver 'openssl'.
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/models/Mdl_settings.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/controllers/../modules/layout/controllers/Layout.php
DEBUG - 2017-07-05 12:09:30 --> Layout MX_Controller Initialized
DEBUG - 2017-07-05 12:09:30 --> Config file loaded: /path/to/invoiceplain/application/config/payment_gateways.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/invoice_groups/models/Mdl_invoice_groups.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/tax_rates/models/Mdl_tax_rates.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/email_templates/models/Mdl_email_templates.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/models/Mdl_versions.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/payment_methods/models/Mdl_payment_methods.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/invoices/models/Mdl_templates.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/header_buttons.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/alerts.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_general.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_invoices.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_quotes.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_taxes.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_email.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_online_payment.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_projects_tasks.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/partial_settings_updates.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/settings/views/index.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/includes/head.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/includes/navbar.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/includes/fullpage-loader.php
DEBUG - 2017-07-05 12:09:30 --> File loaded: /path/to/invoiceplain/application/modules/layout/views/layout.php
DEBUG - 2017-07-05 12:09:30 --> Total execution time: 0.0862

==> /path/to/virtualhost_access_log <==
80.110.120.195 - gsteinbeis [05/Jul/2017:12:09:30 +0000] "GET /invoice/settings HTTP/1.1" 200 550999 "https://host.example.com/invoice/settings" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"

==> /path/to/invoiceplain/application/logs/log-2017-07-05.php <==
DEBUG - 2017-07-05 12:09:40 --> UTF-8 Support Enabled
DEBUG - 2017-07-05 12:09:40 --> Global POST, GET and COOKIE data sanitized

==> /path/to/virtualhost_access_log <==
80.110.120.195 - gsteinbeis [05/Jul/2017:12:09:40 +0000] "POST /invoice/settings HTTP/1.1" 403 843 "https://host.example.com/invoice/settings" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0"

No more details than before. Is there any other debugging mode I can enable as well?

Oh, and I have tried it already with Firefox and Safari (no ad-blocker).

Additional details:

  • OS: CentOS 6
  • SELinux: Disabled
  • PHP 5.6.30 (via “Remi’s PHP 5.6 RPM repository for Enterprise Linux 6”)

I have rechecked the prerequisites: All modules are installed and listed in the phpinfo() listing.

Do you have to login again after trying to save the settings?

This is the only clue I have: that somehow your authentication or session data is deleted so you are not allowed to save anything. Because authentication is the only part of the application that actually throws a 403 error.

No, I can just hit the browser “Back” button and continue. I do not get logged out.

Is there any other logging I can enable in addition to the one setting explained above? Maybe I can find a hint when there is more logging??

I don’t think so. I mean this is a very weird behaviour and I’m not able to explain how this may happen.

There must be a way to get more insight into what is going on. I see the whole InvoicePlane contains CodeIgniter and Symfony among others. Don't those big frameworks have some kind of logging which can be enabled???

Yeah, the logging is exactly what is written to the log file.

Out of curiosity, I installed version 1.4.10 and this seems to work nicely. I can change and save the changes in the settings.

I can create Invoice, Templates, … all works. Must be related to the changes in 1.5.x. :tired_face:

Yeah but which changes…? :confused:

Do you have access to the apache error log for that vhost?
Because I only see the debug log + access log, the error log of apache could give you more information

I have access to it. But there was not even a single line of error. Nothing, not even a warning or anything.

Just a crazy idea, …

I have installed it in a subdirectory which should not be a problem. But the whole webspace is password protected (HTTP auth).

Requests from my browser are no problem as the browser is authenticated. What about InvoicePlane internally? Is it trying to perform requests to itself? That could explain 403 errors? … just a wild guess.

If so, how can we fix it?

Can you maybe try to disable the http auth for a moment and test again.

If that’s the issue, then maybe we can reproduce it in a test environment and see what is causing the 403

I will try to do this …

Just tried it. No difference. :frowning:

I get the same error message and no log message at all. So I was digging into it. Reverted all my settings to plain (insecure) defaults. And it started working.

With it working I tried enabling one setting after the other and was able to identify the root cause of the problem. It was indeed a setting I made. But this setting should not have caused this behaviour.

This is the problem-causing htaccess entry:

# Secure: All cookies must be set with the Secure flag, indicating that they should only be sent over HTTPS
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

It is suggested to secure all cookies that way. Suggestion is taken from the HTTP Observatory by Mozilla (https://observatory.mozilla.org/) which links to this wiki entry: https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies

Interesting is that version 1.4 works with this setting perfectly while version 1.5 is refusing to work with it.

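An added example, not part of the thread or of InvoicePlane's code: it models what the quoted `Header always edit Set-Cookie` rule does to each Set-Cookie value and flags cookies that become HttpOnly although client-side script has to read them, which is one way a blanket rule can break a form token check. The cookie names, the `SCRIPT_READ` set and the `scoped` alternative are hypothetical; the thread does not establish that this is the cause here.

```python
import re

# The rewrite from the quoted .htaccess entry: append both flags to every value.
BLANKET = (re.compile(r"^(.*)$"), r"\1;HttpOnly;Secure")

# Assumption: cookies that client-side script must read (for example a CSRF
# token copied into a form field). The name is a hypothetical placeholder.
SCRIPT_READ = {"app_csrf_cookie"}

# Constructed sample response headers, not taken from the thread.
SAMPLE = [
    "app_session=abc123; path=/; HttpOnly",
    "app_csrf_cookie=9f2c; path=/",
]

def parse(value):
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    return name, [p.split("=", 1)[0].lower() for p in parts[1:]]

def blanket(value):
    """Model of `Header edit`: rewrite the first match of the pattern."""
    pattern, repl = BLANKET
    return pattern.sub(repl, value, count=1)

def scoped(value):
    """Add only missing flags and keep script-read cookies readable by script."""
    name, attrs = parse(value)
    if "httponly" not in attrs and name not in SCRIPT_READ:
        value += "; HttpOnly"
    if "secure" not in attrs:
        value += "; Secure"
    return value

def audit(headers, rewrite):
    """Per cookie: duplicated attributes, and script-read cookies hidden from script."""
    report = {}
    for header in headers:
        name, after = parse(rewrite(header))
        report[name] = {
            "duplicates": sorted({a for a in after if after.count(a) > 1}),
            "hidden_from_script": name in SCRIPT_READ and "httponly" in after,
        }
    return report

if __name__ == "__main__":
    for label, fn in (("blanket", blanket), ("scoped", scoped)):
        print(label, audit(SAMPLE, fn))
```

Running the same audit over the real Set-Cookie headers of a deployment (copied from the browser's network tab) shows which cookies a blanket rule would change before it goes into `.htaccess`.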

That is quite interesting. Will take a look at the IP settings and try to figure out which one causes the problems with the secure cookies. But indeed this should not happen. Thanks for your time to debug this!

You are welcome.

I am not exactly new to PHP. Just did not touch any code for a few years. But I am very surprised to see sooo little logging in debug mode. Maybe while fixing it you could add one or two lines telling why the error was returned to the browser? This might help in the future to debug issues in that area. :sunglasses:

Another guess: maybe the cookie is missing because some internally generated links (like the save requests) are hardcoded to http://? I will try to verify this … but that might explain the behaviour.