Issues with panel install

I’m new to Kirby and have basic html knowledge, but haven’t set up much CMS sites.

Somehow I get the following error:

You are only allowed to run the panel installer on a local machine or by
setting the option panel.install to true in your
/site/config/config.php

I’ve installed Kirby on my NAS (Synology) and this is actually the 2nd time.
A few months ago I gave Kirby a short test drive and managed to install the panel without a problems (or did it?).
I just removed the directory from my NAS to install the latest version… not realizing this might cause problem.

Now I try to figure out how to solve this.
Running from a local machine seems odd to me as I need it to run on my NAS.
And setting the panel.install to true is something I haven’t managed to get working yet.

If any one has a quick answer that’d be great as the help files don’t mention anything about this specific mishap nor did I find anything in the forum.

thanks!

Welcome to the Kirby Forum. :slight_smile:

This is new since Kirby 2.3. This error prevents a security issue that could allow external visitors to give themselves admin access on sites that haven’t been setup properly.

“local machine” means “http://localhost” in this case, so you need the second way of installing.
Temporarily place c::set('panel.install', true); in your site/config/config.php. The error should then go away. Please make sure to remove the option again afterwards.

This is currently missing from the documentation, but we will add it soon.

2 Likes

thanks for the quick reply!

That indeed did the trick!

It would also be good to mention that the existing c::set line should be removed/expended temporarily
just in case another nitwit like me tries to set up his site :wink:

(I did figure that was the case… but initially I just put the like next to the existing c::set line

What do you mean? The license option? That shouldn’t make any problems. What happened when you didn’t remove it?

when I still had this:

c::set('panel.install', true);
c::set('license', 'my code');

in the config.php I got an error on line 17 (first line of this quite)
returned.

unfortunately I didn’t make a screenshot on the exact message…


edit!!!

I just realized that originally in my 2 line code version as quote above I didn’t have the ; behind the first line… guess that could have caused the error… ?

Yes, that’s most likely it. In PHP every command needs to have a semicolon. Great that it works now.

Same issue here, like in the license check, kirky classified all machines except localhost as distant machine, wich is wrong. Mayba add a regexp including all local IP adresses or change the text “on local machine” by “on localhost” because it’s misleading.

Also it could be a security flaw if somebody have to force the setting on a local machine (the opposite of the function purpose) and forget to disable it online.

Thank you for the feedback. Which setup do you use that triggered the error even though it shouldn’t have? Kirby checks if the server has been accessed from 127.0.0.1, which should also work if the hostname itself isn’t “localhost” but e.g. “kirby.dev”.
So if it didn’t work for you, that’s a bug. I tested it on my dev server and didn’t get either the license warning or the install error.

Not more of a security flaw than previously. If you enable the option it means that you thought about creating an account and once an account has been created, leaving the option on isn’t relevant anymore (except when the account is deleted again). So I think it is still an improvement.

I have the message when testing on my NAS, with a local IP adress (192.168.0.x) and is a local machine.
The “flaw” is that defeat the security purpose : if I need to activate the option on local, I can forget to delete it when I go live. The purpose is precisely to don’t change setting if it’s local and it works out of the box.

Ah, alright. Your definition of “local” is a different one than Kirby’s.

Unfortunately this is a feature, not a bug. There are Kirby users (also in large companies) who use Kirby internally in their local network. We can’t disable the protection for such setups because they aren’t development environments but Kirby is actually used like on a public server.
Kirby can’t distinguish between those kinds of installations and your development installation on the NAS.

This is why there is an option to force the Panel to allow creating users anyway.

No. As I wrote above, the setting doesn’t do anything once a user has been created. So if you forget to disable the option again and then publish the site, attackers won’t be able to create accounts since you already created one, which disables the installer.

Oh ok, I misunterstood this.

I get it for local networks, so maybe change the phrasing for “localhost” as a machine in local IP range is totally a “local machine” ?

Thank you for the feedback. I have added it as suggestion on GitHub.

@judbd:

If you want you can follow “Multi-environment setup” at https://getkirby.com/docs/developer-guide/configuration/options:

Create an config file “/site/config/config.192.168.0.33.php” with the line

c::set('panel.install', true);

This runs only on a webserver with the IP = “192.168.0.33”, change “33” to the correct number!

If the webserver (e.g. your live system) listens another IP, the config in this file is ignored, even if it is copied on that server!

Good luck!

P.S.: I use this in an config file “/site/config/config.127.0.0.1.php” on my local dev system for other options!

oh ok great and useful, I will try it. Thank you @HeinerEF

While that works, I think it’s too much for what you get. You only need to set the option to create the first account, after which you can delete it again.

So my recommendation is to keep it simple and add it to the main config temporarily.

1 Like

yeah sure @lukasbestle but useful info for other projects with different configurations

@lukasbestle:
I have said:

For adding the first user I completely agree to your last post! I need only less time for this, then I can change the normal config file! After this we should never need this option!

But at https://getkirby.com/docs/developer-guide/configuration/options I cannot read, that the filename may be build using the IP.
If the admins of the developing system’s DNS and/or the live system’s DNS are not very quick, my trick may be useful. In big companies, this speed is quite common… And there the user cannot change something like /etc/hosts on his/her individual used client by the security policy.

I developed this solution to use the “MS edge” (it’s ugly to call from outside …) on my local Kirby dev system, that uses Win10. Later I read the solution, but that was very later…

We have improved the wording in Kirby 2.3.1.

1 Like

thanks for the followup

Seems like 2.3.1 was just for you. :slight_smile: