You don't have permission to access /index.php/

After a fresh install, I encounter many problems:
For instance changing the facebook url:
You don't have permission to access /index.php/dashboard/system/basics/social/edit_link/1 on this server.
Adding a user:
You don't have permission to access /index.php/dashboard/users/add/submit on this server.
Editing the Pure Cookie notice:
Forbidden You don't have permission to access /ccm/system/dialogs/page/add_block/submit

I am able to upload pictures, but after adding a image block, a click on the Choose Image button a progress bar begins to slide but nothing happens.

Only install Neat theme and Pure Cookie add-ons.
Running on Core 8.4.3, Apache 2.4.25, PHP 7.0.33

View Replies: View Best Answer
ConcreteOwl replied on at Permalink Reply
If your server is running ModSecurity in the backend, try turning it off.
bijkluit replied on at Permalink Reply
I also think this has to do with Apache configuration.

However, doing a grep -i -r "mod_security" * or grep -i -r "security" * in /etc/apache2/ (on Debian 9.6) gives no result.
Also apt shows libapache2-modsecurity as not installed.
apt-cache policy libapache2-modsecurity
  Installed: (none)
  Candidate: 2.9.1-2
  Version table:
     2.9.1-2 500

So I guess the problem is elsewhere.

I deployed another test project using
composer create-project -n concrete5/composer test
and got the same behavior on that site.
ConcreteOwl replied on at Permalink Reply
Try adding this line in your htaccess file
RewriteRule (.*) - [E=Cache-Control:no-cache]

If you are using the pretty urls code you can place this line just before
# -- concrete urls end --
bijkluit replied on at Permalink Reply
Thanks for your quick response!
I already had all caching and compressing disabled in the optimization page.
As per your suggestion I added the RewriteRule (.*) - [E=Cache-Control:no-cache]line.
And also did a clear cache. Closed Firefox, switched to Chrome toe be sure cache is empty.

Sadly all that did not solve the problem.

I am trying to find a pattern is what is working and what is not, but it is not clear to me.
Adding a group is no problem, but adding a user is.
Setting the site name is no problem. The browser url shows: /index.php/dashboard/system/basics/name
But adding or changing a Social link is.the browser url shows: /index.php/dashboard/system/basics/social/edit/1
Setting a favicon works: /index.php/dashboard/system/basics/icons
Adjusting the Rich Text editor fails: /index.php/dashboard/system/basics/editor/submit
Setting the language works: /index.php/dashboard/system/basics/multilingual
Setting the timezone works: /index.php/dashboard/system/basics/timezone
Reset edit mode works: /index.php/dashboard/system/basics/reset_edit_mode

Setting Public registration works: /index.php/dashboard/system/registration/open
Define Login Destination works: /index.php/dashboard/system/registration/postlogin

Adding a user fails: /index.php/dashboard/users/add/submit
Adding a group is ok: /index.php/dashboard/users/groups/group_added

Is it normal to have index.php in all these pages while having pretty url's enabled?
bijkluit replied on at Permalink Best Answer Reply

I was looking in the wrong direction: I suspected my installation of the lamp server or Concrete5.
But the problem is the Sophos UTM web application firewall in front of the web server.
Changed the Firewall profile from basic to none and all of a sudden all Concrete5 problems are solved. So I have to create a dedicated profile for Concrete5 later.