App for Cloudflare® Pro

App for Cloudflare® Pro 1.9.8

  • Item seller: Shawn
  • Featured

Zero Trust / Plugin Update Blocked

gravnetic

New member
I was setting up Zero Trust and have found that I am being blocked on some pages, such as the submission of updating plugins. When I try to upload the latest plugin I get a blocked page: "Sorry, you have been blocked. You are unable to access xxxxxxxxx.com"

This is the error that I am seeing in admin.
Last App For Cloudflare® error:
Cloudflare: 10001: Unable to authenticate request
GET https://api.cloudflare.com/client/v4/accounts/e2a6417bf70ff6ab4b931efb35b25502/access/groups
{"headers":{"Content-Type":"application\/json","Authorization":"Bearer ******"},"query":[]}
 
If something needs inbound access to the WordPress admin area, you would want to whitelist their IPs (if that’s an option) or maybe whitelist the specific URL you need to allow them to access.

That being said, the error you posted is a Cloudflare API error. Double check that the API token you are using has the correct permissions needed. That error implies the Account.Access: Apps and Policies: Edit permission is missing on the API token being used.
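An added example, not part of the thread or the plugin's code: a short check that separates "the stored token is invalid" from "the token is valid but lacks the Access permission" for the endpoint in the error above. It assumes a user-owned API token (checked via Cloudflare's `/user/tokens/verify` endpoint); the account ID is a placeholder and the `fake_get` responses are constructed samples so the script runs offline.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def http_get(path, token):
    """Real transport: GET an API path and return the parsed JSON envelope."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # error responses carry a JSON body too
        return json.load(err)

def diagnose(account_id, token, get=http_get):
    """Tell a bad token apart from a valid token that is missing a permission."""
    verify = get("/user/tokens/verify", token)
    if not verify.get("success") or verify.get("result", {}).get("status") != "active":
        return "token-invalid: regenerate the token and save the new value"
    # Same endpoint the plugin called when it logged error 10001.
    probe = get(f"/accounts/{account_id}/access/groups", token)
    if probe.get("success"):
        return "ok"
    codes = [e.get("code") for e in probe.get("errors", [])]
    return f"token-valid-but-denied {codes}: add Access: Apps and Policies: Edit"

def fake_get(verify_ok, probe_ok):
    """Constructed responses shaped like Cloudflare's JSON envelope (not real output)."""
    denied = {"success": False,
              "errors": [{"code": 10001, "message": "Unable to authenticate request"}]}
    def get(path, token):
        if path == "/user/tokens/verify":
            return {"success": True, "result": {"status": "active"}} if verify_ok else denied
        return {"success": True, "result": []} if probe_ok else denied
    return get

if __name__ == "__main__":
    acct = "ACCOUNT_ID_PLACEHOLDER"  # placeholder, substitute your own account ID
    for v, p in [(True, True), (True, False), (False, False)]:
        print(diagnose(acct, "dummy-token", fake_get(v, p)))
```

To run it against the live API, call `diagnose(account_id, token)` without the `get` argument and keep the token out of shell history and logs.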
 
Got it! I removed the existing token key, saved and then regenerated the token and it worked. I am reconsidering if Zero Trust is too heavy handed for users.
 
It definitely has potential downsides. Like if you are adding different admins on a regular basis you need to regenerate the rules for the new admin email addresses.

It’s also not uncommon for certain plugins to be doing things within the wp-admin area that isn’t strictly for admin users. Personally, I think that’s terrible practice (it’s a lazy way to utilize admin functions for non-admin users), but it definitely happens (a lot). In those cases you can change the scope of Zero Access to just allow those specific endpoints, but at some point maybe it’s not worth it if that starts becoming a maintenance issue where you need to be re-scoping things unique to your setup all the time.
 
Right... I am still in discovery of the plugin because it is opening up settings in CF that I don't typically use. There are two main issues. One is that I have no idea where to set the 'inbound access to the WordPress admin area to whitelist their IPs (if that’s an option) or maybe whitelist the specific URL you need to allow them to access', which I am learning now.

The other issue is that WP roles suck, and so one approach that many, including me, take is to give any editor admin. This is because there is not a great roles editor. The other approach that I know of, but don't currently use, is to set up a super admin. Any thoughts on this?

Also, I was updating your plugin and the block screen was on the plugin upload confirmation screen... it doesn't matter, but just an FYI.
 