Delete Custom User Profile - 403 Error, no permissions

by Chris Free -
Number of replies: 1

Hello, 

I am new to Moodle and logged in with my main/only administration account. I added a field to Accounts > User Profile Fields > Create New Profile Field. 

I used the function to add the field and initially made it mandatory. It was the wrong format, so I want to delete it. There is a delete button next to the field, but clicking the delete button returns this error:

Forbidden

You don't have permission to access this resource.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I have checked the Permissions > Site Administrator to see that the account I'm using is the highest level. I have checked the Permissions > Check system permissions and I can see every single item on the list is marked with Yes. 

Can you help me Delete this profile field I created? There is no data stored in any user accounts in this field. There is only one user account and I can tell it's empty. 

Thank you for your help! 

Moodle Version: 4.0.4 (Build: 20220912)
cPanel Version 106.0 (build 4)
Apache Version 2.4.54
PHP Version 7.4.30
MySQL Version 8.0.30
Architecture x86_64
Operating System linux
Installation was done by my webhost, not using Softaculous
I have not installed or even touched the Themes section
I attempted to purge all caches, but that did not solve the issue

In reply to Chris Free

Re: Delete Custom User Profile - 403 Error, no permissions

by Chris Free -
Problem solved. Error was on the server side and not Moodle configuration.
https://moodle.org/mod/forum/discuss.php?d=370954

I looked on my webhost and could not find the error log with the message I needed to locate, so I reached out to them directly. They provided me with this answer:

After further investigating the server logs, I can see that this is a mod_security rule causing the issue. Mod_Security is software that we use on the server to prevent attacks, and unfortunately, sometimes, it gets in the way of software operating normally.
Our apologies for the inconvenience.
I've disabled the rule on your domain, so you should be able to proceed with deleting the user.
I'm also going to reach out to our mod_security rules vendor and ensure this rule is still relevant to the latest version of Moodle.

They also located the server error log: 
[Fri Sep 16 14:31:04.513672 2022] [:error] [pid #####] [client ###.###.###.###:#####] [client ###.###.###.####] ModSecurity: Access denied with code 403 (phase 2). String match "get" at REQUEST_METHOD. [msg "IM360 WAF: Multiple CSRF vulnerabilities in Moodle through 2.2.11 2.3.x before 2.3.11 2.4.x before 2.4.8 2.5.x before 2.5.4 and 2.6.x before 2.6.1 (CVE-2014-0010)||MVN:REQUEST_METHOD||MV:get||T:APACHE||"] [severity "CRITICAL"] [tag "other_apps"] [hostname "moodle.mydomain.com"] [uri "/user/profile/index.php"] [unique_id "YyTA6GEcALOa6Pl42cjH0AAAAA4"], referer: https:moodle.mydomain.com

I edited out the identifying information in the error message, but it's materially the same. 

This issue is closed for me. I tried to delete the post, but was not able to, so I posted this in case it helps others.
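
As an added example (not part of the original posts and not the web host's tooling): a small Python parser for the ModSecurity entry quoted above. It pulls out the status, phase, matched variable, message, URI and any CVE reference, which is the information needed to report a false positive to whoever maintains the rules. The function name is an assumption of this example; the sample line is the redacted one from the post.

```python
import re

# Log line copied from the post above (already redacted by the poster).
SAMPLE = (
    '[Fri Sep 16 14:31:04.513672 2022] [:error] [pid #####] '
    '[client ###.###.###.###:#####] [client ###.###.###.####] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'String match "get" at REQUEST_METHOD. '
    '[msg "IM360 WAF: Multiple CSRF vulnerabilities in Moodle through 2.2.11 '
    '2.3.x before 2.3.11 2.4.x before 2.4.8 2.5.x before 2.5.4 and 2.6.x '
    'before 2.6.1 (CVE-2014-0010)||MVN:REQUEST_METHOD||MV:get||T:APACHE||"] '
    '[severity "CRITICAL"] [tag "other_apps"] [hostname "moodle.mydomain.com"] '
    '[uri "/user/profile/index.php"] [unique_id "YyTA6GEcALOa6Pl42cjH0AAAAA4"], '
    'referer: https:moodle.mydomain.com'
)

# "ModSecurity: <action> with code NNN (phase N). <match description>. ["
ACTION_RE = re.compile(
    r'ModSecurity: (?P<action>.+?) with code (?P<code>\d{3}) '
    r'\(phase (?P<phase>\d)\)\. (?P<match>.*?)\. \['
)
# Metadata pairs of the form [key "value"]; [pid ...] and [client ...] do not match.
PAIR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_modsec_line(line):
    """Parse one ModSecurity entry from an Apache error log.

    Returns a dict of fields, or None if the line is not a ModSecurity entry.
    """
    m = ACTION_RE.search(line)
    if m is None:
        return None
    fields = {
        "action": m["action"],
        "status": int(m["code"]),
        "phase": int(m["phase"]),
        "match": m["match"],
        "tags": [],
    }
    for key, value in PAIR_RE.findall(line):
        if key == "tag":              # a rule may carry several tags
            fields["tags"].append(value)
        else:
            fields.setdefault(key, value)
    # CVE references the rule author put in the message text
    fields["cves"] = CVE_RE.findall(fields.get("msg", ""))
    return fields
```

Run on the line from the post, this shows a phase 2 block on `/user/profile/index.php` triggered by the request method, from a rule written for CVE-2014-0010; the redacted line carries no `[id "..."]` field, so the result has no `id` key.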