Magento – 403 error on WYSIWYG image previews

magento-1.9nginxpermissions

Whenever I open the WYSIWYG editor and try to add an image I get a bunnch of 403 errors in my chrome console and am unable to see the images.

GET https://www.example.com/media/wysiwyg/.thumbs/wysiwyg/homepage/parallax_banner_1.jpg?rand=1447169279 403 (Forbidden)

What's interesting is that I can still see the image in my browser window if I ammend the URL slightly by removing .thumbs/wysiwyg/ from the path:

https://www.example.com/media/wysiwyg/homepage/parallax_banner_3.jpg?rand=1447169279

I thought it could be a permissions issue but I tried setting media/wysiwyg/ to 777 recursively but the issue persists.

I'm running Magento 1.9.2.2 on an AWS EC2 instance, Ubuntu, NGINX.

Best Answer

This was due to the my NGINX configuration:

# Deny all attempts to access hidden files
# such as .htaccess, .htpasswd, etc...
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

I was able to fix it by removing the above block and replacing it with:

location  /. { ## Disable .htaccess and other hidden files
    return 404;
}

As recommended on the Magento Wiki.

Related Solutions

Magento – 403 error while installing Magento – is the install guide correct

TLDR; version of why Magento gives those instructions: you want things to be writable during installation (700 directories and 600 files), then afterwards assign ownership to the web server running user and restrictive permissions (500 directories, 400 files) that allow read only except for media/ and var/ directories.

This will work on a server that has been set up specifically with security in mind. Web servers can have a lot of variation in their setup especially shared hosts.

Your system sounds like it needs group and/or global read permissions for the web server to read your login user owned files. Check to see who owns the var/cache/ sub folders and the files they contain, you probably will find it's different.

From the question, you didn't get to the next step. They then have the After Installation settings which are even more restrictive.

Running recommendation is:

500 for directories
400 for files
for media/ and var/
700 for directories
600 for files.

The key to understanding all this is the need to know the server user

On a dedicated server, in the instructions they tell you how to find the server user by checking the apache2.conf or httpd.conf file for the User config line.

Typically, this will be something like nobody, www-data

And so with this bit of information on a dedicated server you then assign all directories and files to be owned by the server user

chown -R {web-server-user-name-here} .

On a hosted system, if you're using Apache MPM-ITK or litespeed, the web server will run with your login name as the server user.

Once the ownership is set properly then you change all the directories and files as follows:

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

Now comes the massive headache part. Any time you upload files you no longer have write permissions except where you have allowed them (var/, media/) so every time you want to do maintenance outside these folders, you must change everything back by:

find . -type d -exec chmod 700 {} \;
find . -type f -exec chmod 600 {} \;

And on the dedicated server, also probably change ownership to the login user name so you will have permission to write stuff.

Also, if you used Magento Connect (on dedicated server, leave ownership as the web server user), anything it installs will be given 777 permissions.

Because you have to remember to undo and redo the process every time you change something, or are running on a system where the web server needs group/global read permissions, the following permissions have probably become the defacto standard among lesser technically skilled website owners:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod o+w var app/etc
chmod 550 mage
chmod -R o+w media

Magento – File permissions changed after applying patch – 403 Forbidden Error!

While these permissions will get your site to work

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 550 mage

They are certainly not recommended for you to use such wide open permissions. Before you start changing permissions you should understand what you are changing and why. The above example gives a lot of privileges to all your files and folders.

You should experiment with your permissions and to keep them as restrictive as possible. For example, most of your files can run with 440 (You can test)

Note from Magento suggestions here http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html

find . -type f -exec chmod 400 {} \;
find . -type d -exec chmod 500 {} \; 
find var/ -type f -exec chmod 600 {} \; 
find media/ -type f -exec chmod 600 {} \;
find var/ -type d -exec chmod 700 {} \; 
find media/ -type d -exec chmod 700 {} \;
chmod 700 includes
chmod 600 includes/config.php

You see that you regular files are not writable at all, only your media and var folders. If you are on a shared server you may have to change the second bit to something other than "0"

If the above example does not work then you can try:

find . -type f -exec chmod 440 {} \;
find . -type d -exec chmod 550 {} \; 
find var/ -type f -exec chmod 640 {} \; 
find media/ -type f -exec chmod 640 {} \;
find var/ -type d -exec chmod 750 {} \; 
find media/ -type d -exec chmod 750 {} \;
chmod 750 includes
chmod 640 includes/config.php

It is important that you don't leave your site wide open to the world!

Best Answer

Related Solutions

Magento – 403 error while installing Magento – is the install guide correct

Magento – File permissions changed after applying patch – 403 Forbidden Error!

Related Topic