• Hi,

    When converting a paragraph text to the option of a Rich Text Editor, it’s triggering a password protection login request on the front-end. You can hit cancel and carry on using the form with no access blocked, but would like to stop this appearing at all.

    The paragraph text is using the plugin Gravity Forms. I’ve contacted them and they’ve kindly explained that it’s related to blocking tinymce, but are unable to help further.

    We have password protection turned on (for various reasons) and it’s clearly triggering this, but not enforcing it. I’ve allowed admin-ajax using the following in htaccess

    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

    and so I optimistically tried for tinymce:

    <Files wp-tinymce.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

    which didn’t cause any errors, but failed to stop the password protection from appearing. All the tinymce files are located in: js/tinymce

    Does anyone please know if there is a way to enter a code similar to admin-ajax to allow tinymce to go through password protection?

Viewing 7 replies - 1 through 7 (of 7 total)
  • When you did it for admin-ajax.php you must have done it in a .htaccess under wp-admin directory, since that’s where that file resides and just specifying the file name indicates a relative path to where that .htaccess file is.

    To do it from WordPress root, you would do it like:

    <Files wp-admin/admin-ajax.php>

    So for tinymce, since it exists under wp-includes/js/tinymce, you would have to specify the path like the following in .htaccess at the root of your WordPress install, to specify the rule correctly:

    <Files wp-includes/js/tinymce>

    Or just do it how you were doing it, by putting that in a .htaccess file under wp-includes/js/tinymce.

    But it’s better to have all the rules at root and not spread everywhere.

    Thread Starter oriver

    (@oriver)

    @ashfame

    Thank you.

    I tried the following in .htaccess:

    <Files wp-includes/js/tinymce>
    Order allow,deny 
    Allow from all 
    Satisfy any
    </Files>

    but still no luck.

    Double checked it’s related to password protection (which it is), and the tinymce is only in: wp-includes/js/tinymce so no idea why it won’t work.

    In terminal, can you try this command and tell me the output:

    curl -I https://yourdomain.com/wp-includes/js/tinymce/tinymce.min.js

    If you get a 200, then it’s clearly free from authentication and your original issue is something else. But if you get a 401 or 403, then .htaccess change is not clearly correctly done. In that case, what’s the location of the .htaccess file where you made that change?

    Thread Starter oriver

    (@oriver)

    @ashfame

    Thanks again. I’m afraid I don’t have enough experience to run terminal on the site. Just a volunteer, with very basic knowledge. I turned off the password protection and the rich text editor (from tinymce) ran with no problem and didn’t ask for login. But if password protection is on and the rich text editor is activated, it asks for the login. If you hit cancel it still loads the page correctly. But it will put users off from accessing our free services.

    The .htaccess file is in the root directory and is the parent to wp-includes. The password protection is oddly on wp-admin, not touching wp-includes, so no idea why it’s causing the error.

    On developer console, if you have password protection on, activate Rich Text Editor, then hit cancel, the following error appears:

    ReferenceError: Can’t find variable: tinymce
    [S] Global Code – data:text/javascript;base64, CnR…g==:2


    That command can be run by anyone. I can do that, if I knew the domain or website in question.

    This issue is clearly about tinymce JavaScript file not being loaded because it’s behind authentication. As soon as you make it available with the right rule, it will start working. That curl command is only to test whether your server change actually made it auth free or not.

    Alternatively, you can also try to open https://yourdomain.com/wp-includes/js/tinymce/tinymce.min.js in a private (Firefox) or incognito window (Chrome) or a different browser where you are not logged in, to test the same.

    Thread Starter oriver

    (@oriver)

    @ashfame

    Thank you, followed the URL address you suggested. Came up with a lot of text, this is just some of it:

    "https:// 4.9.11 (2020-07-13)
    
    !function(V){"use strict";var o=function(){},H=function(n,r){return function(){for(var e=[],t=0;t<arguments.length;t++)e[t]=arguments[t];return n(r.apply(null,e))}},q=function(e){return function(){return e}},$=function(e){return e};function d(r){for(var o=[],e=1;e<arguments.length;e++)o[e-1]=arguments[e];return function(){for(var e=[],t=0;t<arguments.length;t++)e[t]=arguments[t];var n=o.concat(e);return r.apply(null,n)}}var e,t,n,r,i,a,u,s,c,l,f,m,g,p,h,v,y=function(n){return function(){for(var e=[],t=0;t<arguments.length;t++)e[t]=arguments[t];return!n.apply(null,e)}},b=q(!1),C=q(!0),x=function(){return w},w=(e=function(e){return e.isNone()},r={fold:function(e,t){return e()},is:b,isSome:b,isNone:C,getOr:n=function(e){return e},getOrThunk:t=function(e){return e()},getOrDie:function(e){throw new Error(e||"error: getOrDie called on none.")},getOrNull:q(null),getOrUndefined:q(undefined),or:n,orThunk:t,map:x,each:o,bind:x,exists:b,forall:C,filter:x,equals:e,equals_:e,toArray:function(){return[]},"

    Also, in browser console the following appear:

    View post on imgur.com


    Thanks again for your help

    I think you misunderstood what I said. I said you can try opening tinymce JS file directly on that URL to test whether it’s auth free or not, while you tinker with .htaccess.

    As soon as that’s actually auth free, your issue would go away.

    You can go to the .htaccess at root where you set the basic auth and do it like the following to set exclusions:

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
    
    # Exclude specific directories from authentication
    SetEnvIf Request_URI "^/directory1/.*$" allow
    SetEnvIf Request_URI "^/directory2/.*$" allow
    
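    # Allow access without authentication to the excluded directories.
    # Order deny,allow lets the Allow line override "Deny from all";
    # with Order allow,deny the Deny would win and the exclusion would never apply.
    Satisfy any
    Order deny,allow
    Deny from all
    Allow from env=allow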

    In this example you are setting /directory1/ and /directory2/ as exclusions to basic auth. So that line would look like this (among all exclusions):

    SetEnvIf Request_URI "^/wp-includes/js/tinymce/.*$" allow
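
The exclusion approach from the last reply, written out as one root `.htaccess` for this case. This is an added example, not configuration posted in the thread; it assumes Basic auth is set in the `.htaccess` at the WordPress root, that WordPress is served from the site root (`/`), and `/path/to/.htpasswd` and the `noauth` variable name are placeholders. `<Files>` matches only a file's base name, so a path inside it never matches, which is why the exclusions here are keyed on the request URI instead.

```apache
# Added example: root .htaccess of the WordPress install (not from the thread).
# Placeholder path; keep the real password file outside the web root.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /path/to/.htpasswd

# Mark only the requests that must stay public. The patterns are anchored so
# the exclusion cannot match anything else under wp-includes or wp-admin.
# Request_URI carries no query string, so the "$" anchor still matches
# admin-ajax.php?action=... requests.
SetEnvIf Request_URI "^/wp-includes/js/tinymce/" noauth
SetEnvIf Request_URI "^/wp-admin/admin-ajax\.php$" noauth

# Apache 2.4 (mod_authz_core): the marker OR a valid login is sufficient.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require env noauth
        Require valid-user
    </RequireAny>
</IfModule>

# Apache 2.2: the same policy with the older access directives.
# Order deny,allow is required so that "Allow from env" can override
# "Deny from all"; Satisfy any then accepts host access OR a valid login.
<IfModule !mod_authz_core.c>
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from env=noauth
    Satisfy any
</IfModule>
```

With this in place, a request without credentials for `/wp-includes/js/tinymce/tinymce.min.js` should return 200 while any other protected URL still returns 401, which is what the `curl -I` check earlier in the thread tests. Everything under an excluded prefix becomes publicly readable, so keep the list to the paths the front-end actually loads.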
  • The topic ‘Rich Text Editor (tinymce) triggering password protection login’ is closed to new replies.