403 error expanding nodes in Pages app

Larry Wildey asked on November 7, 2018 18:37

I have a site that was upgraded from Kentico 8.2 to 11 and everything was working fine up until about 4 days ago. The site was being tested by users and the Pages app had an error. When you try to expand any node in the left tree menu the page throws a 403 forbidden error trying to access /CMSModules/Content/CMSDesk/Default.aspx and the icon spins. The Pages app was working fine last week and the permissions on the site/file systems have not been changed.

Any suggestions on fixes or ways to track down the issue would be appreciated.

Correct Answer

Larry Wildey answered on November 9, 2018 21:56

OK, so we found that disabling this option: "Body contains a cross-site scripting threat after decoding as URL"

Interesting side note this also affects our Kentico 8.2 instance.

0 votes

Recent Answers

Larry Wildey answered on November 7, 2018 19:29

Update, this is happening on all pages in the admin site that use the tree menu: Pages, Web Parts, Widgets, Page Templates, etc

0 votes

Juraj Ondrus answered on November 8, 2018 08:37

Hi Larry,
If the disk permissions were not changed and are set correctly, what else was changed? Even if it sounds unrelated to you, it could be a good pointer. Are there any other or more detailed errors logged in the Event log?

0 votes

Larry Wildey answered on November 8, 2018 08:46

Nothing is logged in the event log when I get the error on one of the admin pages affected. No events are logged in the windows event viewer or IIS logs either. The only information I have so far is from the dev tools in Chrome. In Chrome I am seeing that it is a 403 error in both the console and network tabs.

0 votes

Juraj Ondrus answered on November 8, 2018 09:00

Is the 403 error coming from IIS or is it the user friendly Kentico access denied error? Have you checked the permissions for users and roles in Kentico? Something must have been changed. Are there any other errors logged? E.g. macro resolver errors? I would try using the security debug to see what permission is missing.

0 votes

Larry Wildey answered on November 8, 2018 09:10

I can't get to the settings - system - debug to enable it because the tree is blocking me from opening the systems section. Any other way to enable security debugging?

0 votes

Juraj Ondrus answered on November 8, 2018 09:27

It looks like an entire-system issue; what was changed recently? Any change: it could also be something in the environment, any Windows updates, IIS changes? What is the current version of Kentico?

0 votes

Larry Wildey answered on November 8, 2018 10:02

Nothing has changed recently that I am aware of on the server or the site setup. We are running Kentico v11.0.

0 votes

Juraj Ondrus answered on November 8, 2018 11:49

When you take backups of the project and DB and restore them on a different machine, do you still have the same issue?
You can also enable the security debug by adding this key into the web.config file: <add key="CMSDebugSecurity" value="true" />
Were any firewalls or proxy servers added, or SSL configured?
I would also try re-signing macros.

0 votes

Larry Wildey answered on November 8, 2018 17:28

I enabled security debug, cleared the log, went to the pages app, created the error a few times but nothing was logged to the security debug.

The 403 is probably being thrown client side which is why we can't get any logs. I have tried IE and Chrome so it doesn't appear to be browser specific.

I have also reset the macro signatures using the existing hash salt value. I didn't want to change the salt unless we absolutely needed to.

Next I am going to see if I can back up the DB and restore it on another machine, but we only have the one dev server, so it will be on a laptop, not the same server OS.

0 votes

Larry Wildey answered on November 8, 2018 17:33

Would it be worth the effort to upgrade to the latest release of Kentico (11.0.42)?

0 votes

Juraj Ondrus answered on November 9, 2018 12:43

I am not aware of any bugs fixed in the hotfixes. I would maybe try restoring the backups on another machine to see if it is environment related or not.

0 votes

Larry Wildey answered on November 9, 2018 21:30

We found that some WAF settings on our AWS Load Balancer were blocking the call from this button click. Very odd, seeing as it didn't affect anything else in the site. We are digging through the settings to see if we can find an individual setting that might be causing the problem so we can enable everything else.

0 votes

Larry Wildey answered on November 13, 2018 22:37

We would like to re-enable this rule so that the site is protected but we need to know what to do to prevent it from breaking the tree menus in the admin screen.

Has Kentico heard of this before? Do you have a resolution? Can you help us figure this out?

0 votes

Juraj Ondrus answered on November 14, 2018 10:11

You have not specified what kind of rule was causing the issue, but I would say that you may need to add some exceptions to the WAF rules.

0 votes

Larry Wildey answered on November 15, 2018 04:23

Here is the rule we had to disable to get the menu to work: "Body contains a cross-site scripting threat after decoding as URL".

Thought I had included it in the previous message, sorry.

0 votes

Juraj Ondrus answered on November 15, 2018 08:28

Thank you! I am not familiar with the rule names; it makes sense now. I would recommend checking the setup and what this rule actually does in particular, and checking whether it is possible to add exceptions for this rule.

0 votes
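The thread turns on one diagnostic fact: nothing showed up in the Kentico event log, the Windows event log or the IIS logs because the 403 was produced in front of the application, by the WAF attached to the AWS load balancer, so the only place the block is recorded is the load balancer's own access log. The following script is an added example, not code from the thread, from Kentico or from AWS. It parses a few constructed ALB access-log lines (the hostnames, IPs and ARNs are placeholders, and the field order is assumed to follow the standard ALB access-log layout), separates requests that the load balancer rejected without ever reaching a target (the WAF signature) from 403s that the application itself returned, and lists the admin paths that would need a scoped exception instead of switching the rule off site-wide, which is the kind of exception Juraj suggests above.

```python
import shlex
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample ALB access-log lines (not taken from the thread). Field
# positions assume the standard ALB access-log layout. Lines 2 and 3: the WAF
# blocked the admin postback, so the ALB answered 403 and no target saw the
# request. Line 5: the backend itself answered 403, which is an application
# decision and must not be blamed on the WAF.
SAMPLE_LOG = """\
https 2018-11-08T17:20:01.123456Z app/cms-alb/abc123 203.0.113.10:51234 10.0.1.20:80 0.001 0.120 0.000 200 200 512 9123 "GET https://cms.example.test:443/CMSModules/Content/CMSDesk/Default.aspx HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cms/abc "Root=1-5be47e21-0" "cms.example.test" "arn:aws:acm:us-east-1:123456789012:certificate/xyz" 1 2018-11-08T17:20:01.000000Z "forward" "-" "-"
https 2018-11-08T17:20:05.222222Z app/cms-alb/abc123 203.0.113.10:51235 - -1 -1 -1 403 - 2048 331 "POST https://cms.example.test:443/CMSModules/Content/CMSDesk/Default.aspx HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-5be47e25-1" "cms.example.test" "arn:aws:acm:us-east-1:123456789012:certificate/xyz" 1 2018-11-08T17:20:05.000000Z "waf" "-" "-"
https 2018-11-08T17:20:09.333333Z app/cms-alb/abc123 203.0.113.10:51236 - -1 -1 -1 403 - 2051 331 "POST https://cms.example.test:443/CMSModules/Content/CMSDesk/Default.aspx HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-5be47e29-2" "cms.example.test" "arn:aws:acm:us-east-1:123456789012:certificate/xyz" 1 2018-11-08T17:20:09.000000Z "waf" "-" "-"
https 2018-11-08T17:21:00.444444Z app/cms-alb/abc123 198.51.100.7:40001 10.0.1.20:80 0.001 0.030 0.000 200 200 300 4410 "GET https://cms.example.test:443/about HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cms/abc "Root=1-5be47e5c-3" "cms.example.test" "arn:aws:acm:us-east-1:123456789012:certificate/xyz" 1 2018-11-08T17:21:00.000000Z "forward" "-" "-"
https 2018-11-08T17:21:30.555555Z app/cms-alb/abc123 198.51.100.7:40002 10.0.1.20:80 0.001 0.025 0.000 403 403 310 1200 "GET https://cms.example.test:443/CMSModules/Content/CMSDesk/Default.aspx HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/cms/abc "Root=1-5be47e7a-4" "cms.example.test" "arn:aws:acm:us-east-1:123456789012:certificate/xyz" 1 2018-11-08T17:21:30.000000Z "forward" "-" "-"
"""


def parse_alb_line(line):
    """Split one ALB access-log line into the fields this analysis needs.
    shlex handles the double-quoted fields that contain spaces."""
    fields = shlex.split(line)
    if len(fields) < 23:
        raise ValueError("unexpected ALB access-log line: %r" % line[:80])
    method, url = fields[12].split(" ", 2)[:2]
    return {
        "time": fields[1],
        "client_ip": fields[3].rsplit(":", 1)[0],
        "elb_status": fields[8],      # status the load balancer sent to the client
        "target_status": fields[9],   # "-" when no target ever answered
        "method": method,
        "path": urlsplit(url).path,
        "actions": fields[22],        # actions_executed, e.g. "forward" or "waf"
    }


def blocked_at_edge(rec):
    """A 403 from the ALB with no target status means the request was stopped
    in front of the application, so IIS and Kentico never logged it, which is
    exactly the silence described in the thread. A 403 that the target also
    reported came from the application and is not a WAF problem."""
    return rec["elb_status"] == "403" and rec["target_status"] == "-"


def summarize_edge_blocks(log_text):
    """Count edge-blocked requests per (method, path)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_alb_line(line)
            if blocked_at_edge(rec):
                counts[(rec["method"], rec["path"])] += 1
    return counts


def exception_candidates(counts, admin_prefix="/CMSModules/"):
    """Admin paths the WAF is blocking: the narrow scope for a rule exception,
    as opposed to disabling the rule for the whole site. The prefix is an
    assumption for this example; adjust it to the admin area being protected."""
    return sorted({path for (_m, path) in counts if path.startswith(admin_prefix)})


if __name__ == "__main__":
    summary = summarize_edge_blocks(SAMPLE_LOG)
    for (method, path), n in summary.most_common():
        print("%4d  %s %s" % (n, method, path))
    print("exception scope:", exception_candidates(summary))
```

Run against real ALB access logs, the summary answers the question the thread spent several days on: which requests were refused before reaching IIS, and therefore which path (here the admin postback to /CMSModules/Content/CMSDesk/Default.aspx) should be carved out of the rule. Keeping the exception to that path, and ideally to authenticated admin sessions, leaves the XSS rule in force for the public site, which is what the original poster wanted to achieve.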
