Access to ZMI Forbidden

Greetings everyone! My name is Steven and my company, DIASYST, has just installed Plone 5 for use as a documentation portal. It may evolve into our intranet. Our engineering team installed Plone for me on AWS and everything is fine except that a couple of the customizations I want to make require access to the ZMI. However, when I try to access it, it says it is forbidden to me even though I have Site Admin and Manager roles in Plone. I'm guessing this is a permission thing on the server, but where exactly is this set? I want to have some idea what I'm asking for when I open a ticket to get access granted.

Sorry if this is too much of a newbie question. I've looked through the documentation, but I haven't found what I'm looking for. Any help will be greatly appreciated.



Leaving access to the ZMI open to anything other than localhost is a security risk; therefore, it has been blocked by default since one of the recent security hotfixes.
The recommended way to access the ZMI is via an SSH tunnel. Opening an SSH tunnel is one extra step, but it's really not a burden once you are used to it. Once your SSH tunnel is open, you can then access the ZMI via http://localhost:XYZ/manage, where XYZ is the port number of one of your Zope instances (if you have multiple), generally 8080 or 8081.

So, ask your engineering team to set you up with an SSH keypair and an account on the server.

Personally, I use the "Secure Shell" Chrome extension, and have a whole bookmarks submenu with one bookmark for each server I want to open an SSH tunnel to, and use a different local port for each, so the browser will remember the ZMI password for each site. That way, it's just a couple of clicks and I'm in.

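The tunnel setup described in the reply above, written as an OpenSSH client configuration with one local port per server (an added example, not part of the original posts). The host aliases, hostnames, user name and key path are placeholders, and it assumes each server's Zope instance listens on port 8080.

```sshconfig
# ~/.ssh/config  (all names below are placeholders)

# First Plone server: ZMI reachable at http://localhost:8080/manage
Host plone-docs
    HostName docs.example.com
    User steven
    IdentityFile ~/.ssh/id_ed25519_plone
    IdentitiesOnly yes
    # Bind the local end to loopback only, so other machines on the
    # local network cannot reach the ZMI through this tunnel.
    LocalForward 127.0.0.1:8080 localhost:8080
    # Fail instead of opening a session without the tunnel,
    # e.g. when the local port is already in use.
    ExitOnForwardFailure yes
    ServerAliveInterval 60

# Second Plone server: a different local port, so the browser stores
# the ZMI password for each site separately.
# ZMI reachable at http://localhost:8081/manage
Host plone-intranet
    HostName intranet.example.com
    User steven
    IdentityFile ~/.ssh/id_ed25519_plone
    IdentitiesOnly yes
    LocalForward 127.0.0.1:8081 localhost:8080
    ExitOnForwardFailure yes
    ServerAliveInterval 60

# Applies to every host: never expose forwarded ports on
# non-loopback interfaces.
Host *
    GatewayPorts no
```

Running `ssh -N plone-docs` opens the tunnel without starting a remote shell; the ZMI stays reachable only while that command is running.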

Thanks so much for the reply, Fulvio! It helps a lot.

You don't say how Plone was set up on AWS, but as Fulvio says presumably your web server or proxy was deliberately set up to block access to /manage.* URLs.

I'm not sure how it is set up on AWS. Our Engineering team handled it.

On reflection, I don't want to have to ssh into the server. I want the Management Interface button to take me to the ZMI. Can I ask what setting I need to request to be changed to enable that?

If you could show a screenshot of the error it might help, but otherwise it sounds like an Apache or nginx setting.

It's an nginx thing and I assume it's a simple permission setting, but I'd like to be able to ask for it specifically. I'm not very knowledgeable on the server side yet.