Fix 403 Forbidden errors under strict Apache directory rules by routing AJAX via plugin.php #80

Open
fhaut wants to merge 1 commit into mantisbt-plugins:master from fhaut:fix-apache-htaccess-403

Conversation

fhaut commented Jun 14, 2026

Hello,

We encountered an issue with the Snippets plugin REST API routing on servers with strict directory access configurations (which is a common security hardening recommendation for MantisBT).

The Problem

When the root plugins/ directory has a .htaccess file configured with:

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

Any AJAX requests pointing to api/rest/index.php/plugins/Snippets/data or api/rest/index.php/plugins/Snippets/help return a 403 Forbidden status in Apache 2.4.

This happens because Apache evaluates security constraints on all path segments of the requested URL (including PATH_INFO), matching it against the physical /plugins/ folder on disk and enforcing the Require all denied rule. On servers running security tools like Fail2ban/Wail2ban, these frequent 403 errors can lead to false-positive IP bans for legitimate users.

Proposed Solution / Workaround

Instead of routing public AJAX requests through the Slim REST API, they can be routed through the standard MantisBT plugin page wrapper (plugin.php).

By creating dedicated plugin pages:

  1. pages/data.php (returning the JSON payload of route_data)
  2. pages/help.php (returning the JSON payload of route_help)

And updating snippets.js to target:

  • plugin.php?page=Snippets/data&bug_id={id}
  • plugin.php?page=Snippets/help

The requests resolve directly to /plugin.php at the web root and completely bypass the directory authorization checks for the /plugins/ subdirectory, preventing the 403 errors.

Would you consider introducing this fallback or switching the AJAX endpoints to standard plugin pages?

Thank you!
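The fallback the comment above asks about, written out as an added example; this is not code from the Snippets plugin, its snippets.js, or the pull request. It requests a route through the REST endpoint named in the thread and, only when the server answers 403, retries through the proposed plugin.php page wrapper. The REST path form with the bug id as a trailing segment follows the curl call shown later in the thread. The stub server, the injected fetchImpl parameter, and the function names are assumptions made so the flow runs offline; a real deployment would pass the browser's fetch instead.

```javascript
// Added example (not code from the Snippets plugin or its PR): a client
// helper that requests the Snippets data/help payloads through the REST
// endpoint named in the PR and, on a 403, retries through the proposed
// plugin.php page wrapper. fetchImpl is injected (assumption) so the flow
// can be exercised offline against a constructed stub server.

const REST_BASE = "api/rest/index.php/plugins/Snippets"; // existing endpoint (from the PR)
const PAGE_BASE = "plugin.php?page=Snippets";           // proposed page wrapper (from the PR)

// Build both candidate URLs for a route. "data" takes a bug id
// (REST path segment vs. bug_id query parameter); "help" takes none.
function buildUrls(route, bugId) {
  if (route !== "data" && route !== "help") {
    throw new Error("unknown Snippets route: " + route);
  }
  if (bugId == null) {
    return { rest: `${REST_BASE}/${route}`, page: `${PAGE_BASE}/${route}` };
  }
  const id = encodeURIComponent(String(bugId));
  return {
    rest: `${REST_BASE}/${route}/${id}`,
    page: `${PAGE_BASE}/${route}&bug_id=${id}`,
  };
}

// Fetch the payload, preferring REST and falling back to the page wrapper
// only on 403 (the status a "Require all denied" rule produces). Any other
// failure is surfaced rather than masked by the fallback.
async function fetchSnippets(route, bugId, fetchImpl = globalThis.fetch) {
  const urls = buildUrls(route, bugId);
  const opts = { headers: { Accept: "application/json" } };
  let via = "rest";
  let res = await fetchImpl(urls.rest, opts);
  if (res.status === 403) {
    via = "page";
    res = await fetchImpl(urls.page, opts);
  }
  if (!res.ok) {
    throw new Error(`Snippets ${route}: HTTP ${res.status} via ${via}`);
  }
  return { via, body: await res.json() };
}

// Constructed stub server (assumption, for offline use). With denyRest=true
// it behaves like the hardened host described in the PR: every URL under the
// REST plugins path is answered 403, while plugin.php answers 200 with JSON.
// The payload shape mirrors the response shown later in the thread.
function makeStubServer(denyRest) {
  const payload = {
    selector: "textarea[name='bugnote_text']",
    label: "Snippets: ",
    default: "--",
    snippets: [],
  };
  const calls = []; // every URL the client asked for, in order
  const reply = (status, body) => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => body,
  });
  async function stubFetch(url) {
    calls.push(url);
    if (url.startsWith(REST_BASE)) {
      return denyRest ? reply(403, { error: "Forbidden" }) : reply(200, payload);
    }
    if (url.startsWith(PAGE_BASE)) return reply(200, payload);
    return reply(404, { error: "Not Found" });
  }
  return { fetch: stubFetch, calls };
}

// Usage against the strict stub: the first request hits REST and is refused,
// the second goes through plugin.php and succeeds.
const strictServer = makeStubServer(true);
fetchSnippets("data", 1, strictServer.fetch).then((r) => {
  console.log(r.via, JSON.stringify(r.body), strictServer.calls);
});
```

The fallback is deliberately keyed on 403 alone: a 404 or 500 from the REST route is a different problem and should not be silently re-routed, and on a correctly configured server the page wrapper is never contacted.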

dregad (Member) commented Jun 15, 2026

Any AJAX requests pointing to api/rest/index.php/plugins/Snippets/data or api/rest/index.php/plugins/Snippets/help return a 403 Forbidden status in Apache 2.4.

I have never seen the described behavior before, and I'm actually not able to reproduce it.

The current implementation via REST API endpoints has been working flawlessly for me on several MantisBT instances, including the official tracker at mantisbt.org, which has the standard .htaccess file in /plugins:

$ curl -f https://mantisbt.org/bugs/plugins/
curl: (22) The requested URL returned error: 403

$ curl -f https://mantisbt.org/bugs/api/rest/index.php/plugins/Snippets/data/1
{"selector":"textarea[name='bugnote_text']","label":"Snippets: ","default":"--","snippets":[]}$ 

Apache evaluates security constraints on all path segments of the requested URL (including PATH_INFO), matching it against the physical /plugins/ folder on disk and enforcing the Require all denied rule.

The requested base URL is /api/rest/index.php so I don't see why the .htaccess file in /plugins should come into play here.

There must be something else in your server configuration that is causing this.
