I am writing an app using the Phalcon framework for PHP and I have to implement the feature to allow users to write messages on each others walls. So with JQuery I would write:
function postMessage() {
var message = $("#messageBox").val().trim().replace(/\n/g, '<br/>');
if(message) {
$.post("// request handler", {msg: message, wall: {{ user.id }},
writer: {{ session.get('user')['id'] }})
.done(function() {
$("#messageBox").val('');
alert( "Message posted" );
})
.fail(function() {
alert( "Error posting message, please try again" );
});
}
}
And this script would be located in the page domain.com/user/foobar
My question is what (or rather where) should my request handler be. I've thought about it a bit and asked my friend and came up with three options:
Post to the same url the above script is in (Ex.
domain.com/user/foobar)
Post to another url which routes to
another action in the same controller as option 1 (Ex.
domain.com/postmessage. Both option 1 and 2 are in the same
controller but they are different actions)
Post to an API url (Ex. api.domain.com)
Some pros I thought of were:
Both option 1 and 2 can access the session variable, so I can check
if the user is logged in or not. With option 3, I cannot but I can
(unrealistically) hope no one tries to abuse the system and post
messages with Fiddler or something by not being logged in.
Option 2 is a bit cleaner than option 1
Option 2 and 3 both provide central request handlers so if I wanted
to implement the same message on wall writing system I would only
have to copy the Jquery code and put it in the new view or page.
With option 1 I have to copy the code from the user controller and
repaste it into the controllers for each of the new pages.
Some cons I thought of were:
Option 2 means I have to add more routes to my router. This makes
routing more complicated. (And maybe slower???)
( Ex.
// Option 1
$router->add('/user/{id}',
array(
'controller' => 'user',
'action' => 'show'
)
);
// Option 2
$router->add('/user/post/{id}',
array(
'controller' => 'user',
'action' => 'writeMessage'
)
);
)
Which way is recommended and used?
I would keep defining routes as needed. Or define a single route and pass an extra parameter in the post request that hooks into the remote procedure.
Be cautious where the users are concerned and close any loopholes. Think about adding a nonce.
Thanks,
C
Never ever assume that all your users will be kind and smart, it's how people break a system. Test everything.
Usually : 1 route = 1 action
If you haven't any route for posting message, adding one is the way to go.
A route is like a simple "if" test, it'll be done in a few nanoseconds.
Related
I have adopted a CakePhp 2 project. We get to the project from another project, linking to the CakePhp project with a "token" and a conference ID as a parameter in the URL. Using that token, we authorize the user, and using the conference ID get the information from the database. The session value "auth" is set to true.
We have it running on 2 "platforms" locally on my system using a vagrant machine, and on a production server. Locally the session value dies really quick and at random times. On the production server not as often, but the issues we have where Ajax calls don't seem to do what are expected, we believe are being caused by a similar issue. We have many different projects, all Laravel, with zero issues where the session values clear. This issue is strictly with the CakePhp project.
All the authentication magic happens in the beforeFilter method. The code:
public function beforeFilter() {
$session = new CakeSession();
/**
*
* We will check if the current user is authorized here!
*
*/
// If the visitor is coming for the first time, there should be a parameter in
// the URL that is the auth code to check against the database.
if ( ( isset($_GET['conf']) && is_numeric($_GET['conf']) ) && isset($_GET['token']) ) {
$getConference = ClassRegistry::init('Conference')->find('first', ["conditions" => ["conference_id"=>$_GET['conf'] ]]);
$checkToken = ClassRegistry::init('User')->find('first', ["conditions" => ["remember_token"=>$_GET['token'] ]]);
if ($getConference && $checkToken) {
$checkToken['User']['remember_token'] = $this->generateToken();
if ( ClassRegistry::init('User')->save( $checkToken ) ) {
$session->write('auth', true);
$session->write('conferenceId', $_GET['conf']);
$this->redirect('/');
}
}
else {
$session->write('auth', false);
$session->write('conferenceId', null);
}
}
if (! $session->read('auth') || $session->read('conferenceId') == null ) {
echo "No permission!";
exit;
}
}
At the top of the controller:
App::uses('CakeSession', 'Model/Datasource');
When the URL parameters are present, it traps them, does the work, and redirects to the home route without the parameters.
$this->generateToken();
Creates a new token, and overwrites the old one in the database.
There are 2 main controllers. The controller with this code is the main projects controller. The only time it is really hit is the first time you go to the project, and we hit the index method. From there everything else is AJAX calls to the other controller. There is one link, a "home" type link that will hit that index method.
Sometimes these Ajax calls stop working, and clicking that home link will output "No Permission" instead of the expected html in the container the Ajax call outputs too.
Steps to troubleshoot led me to putting this beforeFilter method on the top of the second controller. Now, randomly I'll get no permission. Sometimes, when I'm on the main project that links to this CakePhp project, I click that link, I get no permission right off the bat.
I found this page: cakephp takes me to login page on multiple request and have tried to set the session details like this:
Configure::write('Session', array(
'defaults' => 'php',
'timeout' => '300' // <- added this element
));
And I have tried:
Configure::write('Session.timeout', '300');
Additionally, I have tried cookieTimeout in both of those cases.
I've also tried
Configure::write('Security.level', 'low');
and included
Configure::write('Session.autoRegenerate', true);
In any order, any of these cause the session to bomb out immediately. I get "No permission on page load, and never get anywhere.
The code for this project is honestly crap. The developer who wrote it had mistakes and errors all over the place. On top of that, we are a Laravel shop. We are just trying to keep the project limping along until sometime in the future when we can nuke it from orbit. So we just need to get this working. Any thoughts on what could be causing this? Any other details I am forgetting to include that would help troubleshoot this issue?
Thanks
Reading & writing session data
You can read values from the session using Set::classicExtract() compatible syntax:
CakeSession::read('Config.language');
$key should be the dot separated path you wish to write $value to:
CakeSession::write('Config.language', 'eng');
When you need to delete data from the session, you can use delete:
CakeSession::delete('Config.language');
You should also see the documentation on Sessions and SessionHelper for how to access Session data in the controller and view.
I'm building a feature into a Laravel 5 app that will allow you to set the content of a status banner that will display across the top of the page. We will be using this banner both to display page-specific things (status messages, etc) and site-wide announcements (every user sees the same thing, banner stays the same for awhile).
Right now, I've implemented this by using Laravel sessions to allow banners to be added by calling a helper method from any controller or middleware:
// Call set_banner from in a controller or middleware (for persistent banners)
function set_banner($banner_text, $banner_class, $banner_persistant=false, $replace=false)
{
$banners = session()->get('banners', []);
// Create new banner
$banner = [
'text' => $banner_text,
'type' => $banner_class,
'persistent' => $banner_persistant
];
// Only put banner in array if it's not already there
if( !in_array($banner, $banners) ) {
// Either override existing banners, or add to queue
if( !$replace ) session()->push('banners', $banner);
else session()->put('banners', [$banner]);
}
}
// Called by default in the master.blade.php template
function get_banners()
{
$banners = session()->pull('banners', Array());
foreach( $banners as $banner ) {
// Print out each banner
print '<div class="col-md-12"><div class="text-center alert alert-block alert-'.$banner['type'].'">';
print $banner['text'];
print '</div></div>';
// Push back into the session if banner is marked as persistent
if ( $banner['persistent'] ) session()->push( 'banners', $banner );
}
}
Banners are created in controllers or middleware like this:
set_banner("<b>Note:</b> This is a sample persistant-scope banner set in a controller", "success", true);
Is there a better way to accomplish storing both page-level and site-wide banners? My concerns is that hitting the session on every pageload may be inefficient, especially for banners that won't be changing for long periods of time. Will this approach mess with Laravel's cache, etc?
As you said the banners do not change that often. Hence for me i would implement it using Cache. This improves performance since we need only one use to have the banners cached. And for the rest its retrieved faster from the Cache rather Session.
Do you want to have to change code to change the banner of a given page?
I would suggest instead creating a "pages" package, where each page route name is entered into a database.
From there, from your page service provider you get Page::getModel()->banner_text or something similar.
The method would look for a db result matching the current route name with a result within db.
when a controller method is triggered you simply call
Page::getBannerText()
That method will pull the current route name, pull the page result related to that page if it exists or create it if it does not exist (easy way to get everything). You cache the db query result for X hours, days or whatever so whenever someone else makes a call, you don't even need to deal with any storage on client side.
This allows you to modify the value from a db fascet. Its the more "proper" way to do it.
I have seen in some MVC applications the use of Token keys to prevent CSRF. A typical example of where it may be used is on the delete method for a post.
And I've seen implementations using both GET and POST methods.
An example GET request link with a token:
https://domain.com/posts/G7j/delete/EOwFwC4TIIydMVUHMXZZdkbUR0cluRSkFzecQy3m5pMTYVXRkcFIBWUZYLNUNSNgQKdnpTWu
And an example of a POST request with a token:
<form action="/posts/G7j/delete" method="post">
<input type="hidden" name="token" value="EOwFwC4TIIydMVUHMXZZdkbUR0cluRSkFzecQy3m5pMTYVXRkcFIBWUZYLNUNSNgQKdnpTWu" />
<button type="submit">Delete</button>
</form>
I've been looking into implementing this into my CakePHP applications based on the documents: http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html
And according to the documents, adding the Security component auto adds the form key to all forms that use the Form Helper.
e.g.
public $components = array(
'Security' => array(
'csrfExpires' => '+1 hour'
)
);
However I have some questions:
1.) Why use POST over GET for some actions such as delete? As the request in the controller will check if the user is authenticated, has permission, and that it has the correct form key.
2.) How can I use the security component with a GET request in CakePHP? Presume I would also need to handle the routing as well.
Firstly CakePHP uses post links to delete as an added level of security because lets say for example your authentication system is not 100% secure and users can access a delete method by manually typing in a URL - if I go in and type /users/delete/10 , I can actually delete users on your server which is risky as you can imagine.
Secondarily GET requests can be cached or bookmarked so users who bookmark these links could end up navigating to broken links which is never a good thing ,also sensitive data will be visible in the URL so for example if someone bookmarks a login page with the GET variables intact - this could compromise there security.
Finally you can easily generate your own tokens using the following code :
$string = Security::hash('string', 'sha1 or md5', true);
print $this->Html->link("Link to somewhere",array("controller"=>"users","action"=>"delete",$string));
The above will use the salt key setup in your core config file but you can also replace true with a custom salt.
For the first question:
The reason probably lies in the definition of HTTP methods. GET is defined as one of the safe methods, which means that it can not be used for changing the state of the server but only for retrieving information. You can read more on the HTTP methods on this link. Since HTML forms are not capable of sending HTTP DELETE request the 'workaround' is to use some of the available methods and if you rule out the GET as a 'safe method' it leaves POST. You can of course use GET to delete stuff, many do, but GET request is by convention expected not to change anything.
edit: If you are interested to read more about HTTP methods and browser/HTML support check out this SO question
johhniedoe pointed me to Croogo 1.3 for an example of how they are have done something similar to what I asked in my question. Because 1.3 was targeted to CakePHP prior to 2.x, the code was a little out of date, so I've amended it as follows:
First create the link (in this case a delete link) with the CSRF Token used by the Security Component passed as a parameter called token.
<?php echo $this->Html->link('Delete', array('action'=>'delete','token'=>$this->params['_Token']['key'])); ?>
Next I've created a wildcard Route Connection to handle the token (this isn't essential usually, but because we're not using the NAMED Token and I wanted to keep the URL cleaner):
Router::connect('/:controller/:action/:token',
array('controller' => 'action'),
array(
'pass' => array('token')
)
);
And then finally handle it in your method like so:
public function delete(){
if (!isset($this->params['token']) || ($this->params['token'] != $this->params['_Token']['key'])) {
$this->Security->blackHoleCallback = '__blackhole';
} else {
// do delete
}
}
This basically says if the token doesn't match then use the blackhole callback function __blackhole, which I define in my AppController to show an error.
One last thing to be aware of though is that you must allow the token to be used more than once and last for example an hour, this is because otherwise the token will be reset and no longer match after the GET request is sent.
public $components = array(
'Security' => array(
'csrfExpires' => '+1 hour',
'csrfUseOnce' => false
)
);
I would like to create a button that can be used to populate a table in my db with a single click.
I am just not sure what I need to do here to make this happen. Can I assign a method to be executed by a button? Or just have values picked up in my controller? Below is something like what I want to execute but through a button.
public function addInterest($interest)
{
$interest->UserId=Yii::app()->user->id;
$interest->ItemId=$this->ItemId;
return $interest->save();
}
**Additional details in response to Jaison Justus
With this implementation I am using controller and view from Model A (ItemId) where the button is to be displayed. Then there is Model B (UserId). Taking the info from Model A (ItemId) and Model B (UserId) I want to populate Model C ($interest) with that ItemId and UserId upon clicking a button. Looks like CJuiButton might provide a means to build it from being as then I can disable/hide the button after selected once. I am just not familiar with using buttons other than on a form where user input in collected, as links, or to provide pop up messages.
The code above currently sits in Model A model. With the code below in Model A controller everything works to populate Model C if I use a form and collect input. Since I do not require any input other then selecting the button from the user the form has nothing to put into it and therefore I know I can not use if(isset($_POST['Interest'])) as I have below.
public function actionView($id) {
$items=$this->loadModel($id);
$interest=$this->newInterest($items);
$this->render('view', array(
'model' => $items,
'interest' => $interest,
));
}
protected function newInterest($items)
{
$interest=new Interest;
if(isset($_POST['Interest']))
{
$interest->attributes=$_POST['interest'];
if($items->addInterest($interest))
$this->refresh();
}
return $interest;
}
In response to VarioN
Here is an attempt at using ajax. However this does not work and gives an Error 500 when ran. Is my controller action appropriate for what I am trying to do here?
Controller
public function actionAddInterest() {
$connection = yii::app()->db;
$sql1 = "INSERT INTO interest (UserId, ItemId)
VALUES(".Yii::app()->user->id.",".$this->ItemId.")";
$connection->createCommand($sql1)->execute();
}
View
<?php
echo CHtml::ajaxLink(
'Add Interest',
array('/item/addInterest'),
array('update'=>'#req_res')
);
?>
Looking at your question I see that you don't understand how MVC in Yii works.
Look at this 15 minutes screencast (Yii Tour - 3rd Stop - CRUD County) and after you will be able to create such button in any way you need (try use Gii and than customize it in your way - it's the easiest way).
Updated:
Seems that you need AJAX request. You can add CHtml::ajaxButton() in your view.
It will work this way:
User push the button, button do request (with JavaScript) to your
site without reloading the page and invisible for user.
Your controller action will serve this request: it can make some things (for ex., save data to db) and output data that your JavaScript possibly will display to user.
Than your JavaScript get answer and can make some changes on the page
(for example, hide button or show text got from request).
You can look at simple example with ajax here
If you needn't to submit form info with your button you can user ajaxLink. Example for it is here
There are a lot of examples with ajax and yii in the internet and at yii forum. Try to find them it may be very helpful.
Ask questions if you would have any.
Second update:
First, try to do your sql query simplier:
"INSERT INTO interest (UserId, ItemId) VALUES (1, 2)"
Than enable logging of mysql queries to log: at config/main.php add "trace" to "levels"
'components'=>array(
'log'=>array(
'class'=>'CLogRouter',
'routes'=>array(
array(
'class'=>'CFileLogRoute',
'levels'=>'error, warning, trace',
),
Now you can try to press an AJAX link and look at the protected/runtime/log.txt and determine the problem.
Additional info to AJAX requests
All that outputs your ajax scripts can be viewed by browser's features:
At Chrome: press F12, go to Network, press an ajax-link and look at request response.
At Firefox with addon "Firebug".
With this you can determine whether a request is done or not.
hallo im trying to do something like
$this->model->users->updateData ( $e );
$this->messenger->setMessage('Updated');
# tells that hello user the data is updated!
redirect ( '/edit/profile' );
# trying to update the data, the main problem when redirect all the data is gone
heres are the options
use sessions to put the message in then deletes if its showed
use ?updated on urls get it with a is_get or something like that
use ajax to update the new data on the edit/profile
or there is a better way on doing this ?
The Flash Messenger Helper may be what you are looking for.
http://framework.zend.com/manual/en/zend.controller.actionhelpers.html