How to call an elgg module action via url - php

I'm new to Elgg. My requirement is to create an Elgg plugin to import contacts from Gmail, Yahoo and MSN.
I have already successfully imported the contacts in Joomla. When I create an Elgg plugin and give the OAuth callback URL like invitefriends/gmailcallback, or even a direct call like
mod/invitefriends/actions/gmailcallback.php
it's not working.
In the first case it returns "form token missing". I tried to add the form token dynamically like below.
```
$ts = time();
elgg_register_action('invitefriends/gmailcallback',
    TRUE,
    elgg_get_plugins_path() . 'invitefriends/actions/gmailcallback.php?__elgg_token='.generate_action_token($ts).'&__elgg_ts='.$ts);
```
But still the same error.
So I tried to access the module file directly and it works fine, but the problem is that I am not getting the $_SESSION['oauth_token_secret'] session variable. It is set in the default view and has a proper value, but I am unable to get that session in the action file with the direct call method.
I am not sure it is the Elgg standard way. Please advise me how to solve the problem.
Thanks in advance..

Don't use direct call. First thing: you're using deprecated action registration parameters - update your call. I assume you're writing to Elgg 1.8 or later.
You're adding action tokens in a completely wrong way! They're necessary to prevent XSRF attacks, so they need to be added at URL generation. To elgg_register_action, you need to pass the action file PATH, not a URL. Use elgg_add_action_tokens_to_url and read through http://docs.elgg.org/wiki/Actions#Security
You should get a specific error telling you that, but you didn't mention it.

Related

PHP - How to get query params sent to script

A friend contracted a WordPress agency to create a web page that, based on input data entered by the user in a form, creates a custom URL to redirect to a third-party API that shows some data to rent a car. This WordPress site is done with the Elementor plugin, and the problem is that when redirecting, the query param separators are being encoded as HTML entities, i.e. the URL must be something like www.site.com/?value1=value1&value2=value2&value3=value3 but the plugin is changing the URL to www.site.com/?value1=value1&amp;value2=value2&amp;value3=value3 (the & is being encoded to &amp;). The agency left the work unfinished and doesn't want to, and also can't, fix this. He asked me if I can fix it. I am not a WordPress developer, so it has been difficult for me. In another post someone told me that I can create a custom decoder PHP file in the root folder of the WordPress installation to handle this: instead of redirecting the form to the third-party API, I can redirect to the custom decoder on the site domain and fix the URL, to then redirect to the third-party API. But I can't get the URL sent by the form in the PHP script. I have this code right now:
```
<?php
ob_start();
$API_BASE_URL = "www.site.com/";
// here must be the url sent by the form
$bad_url = '';
// here the url is fixed
$good_url = html_entity_decode($bad_url);
// concatenation of API_BASE_URL and good_url
$redirect_url = $API_BASE_URL . $good_url;
// redirects to the fixed url
header('Location: ' . $redirect_url);
exit();
?>
```
Also I saw that $_SERVER['HTTP_REFERER'] can be used to get this URL, but this is not reliable, so I need another way to get the URL of the form. How can I do this? The form will now redirect to www.mysitedomain.com/custom-decoder/decoder.php/?value1=value1&amp;value2=value2&amp;value3=value3; that is the URL I must use to build the URL to send to the API.
EDIT:
Sorry if I am explaining this badly. For example, the form redirects right now to www.site.com/?value1=value1&amp;value2=value2&amp;value3=value3 but this won't work on the API, so instead of redirecting to that URL I will redirect to the location on my domain where the PHP file is, something like www.mysitedomain.com/custom-decoder/decoder.php. I thought that I could add the wrong query params like www.mysitedomain.com/custom-decoder/decoder.php/?value1=value1&amp;value2=value2&amp;value3=value3, take these wrong params, fix them with the PHP logic and finally redirect to the API with correct params like www.site.com/?value1=value1&value2=value2&value3=value3. www.site.com is the API and www.mysitedomain.com is my WordPress domain.
Configure a redirect from the plugin to your own PHP script (don't forget to add your broken query parameters) and then access the wrong query parameters in $_SERVER['REQUEST_URI'].
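A decoder along the lines the answer suggests, as an added example that is not code from the original posts. It reads the broken query string from `$_SERVER['REQUEST_URI']`, restores the separators, and forwards only an allow-list of parameters to a fixed destination so the script cannot be used as an open redirect. `API_BASE_URL`, the `https://` scheme, `ALLOWED_PARAMS` and `rebuild_query()` are assumptions made for the illustration.

```php
<?php
// Added example; the constants and function name below are assumptions.
const API_BASE_URL   = 'https://www.site.com/';          // fixed destination, never taken from the request
const ALLOWED_PARAMS = ['value1', 'value2', 'value3'];   // the only keys that are forwarded

/**
 * Turn a request URI whose separators arrived as "&amp;" into a clean
 * query string that contains only the expected parameters.
 */
function rebuild_query(string $requestUri): string
{
    // Everything after the first "?" is the (broken) query string.
    $pos = strpos($requestUri, '?');
    $raw = $pos === false ? '' : substr($requestUri, $pos + 1);

    // "&amp;" becomes "&" again, so parse_str() sees real separators.
    $decoded = html_entity_decode($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    parse_str($decoded, $params);   // also URL-decodes the values

    // Keep only known string parameters; anything unexpected is dropped.
    $clean = [];
    foreach (ALLOWED_PARAMS as $key) {
        if (isset($params[$key]) && is_string($params[$key])) {
            $clean[$key] = $params[$key];
        }
    }

    // http_build_query() re-encodes the values, so CR/LF cannot reach the header.
    return http_build_query($clean, '', '&', PHP_QUERY_RFC3986);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input, shaped like the URL the form plugin produces.
    $sample = '/custom-decoder/decoder.php/?value1=a&amp;value2=b%20c&amp;value3=d&amp;extra=x';
    echo API_BASE_URL . '?' . rebuild_query($sample), PHP_EOL;
} else {
    header('Location: ' . API_BASE_URL . '?' . rebuild_query($_SERVER['REQUEST_URI']), true, 302);
    exit;
}
```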

Checking script caller

I wrote an API for a system. It is a PHP file, which is called with some parameters. It is called like this: "https://abcdefg.de/api/api.php?test=test". This script returns sensitive data when it is called. To make sure only the right API users get the information, the parameters have to contain correct credentials.
To make the API more secure, the idea was to check in addition who is calling the script. For example, only the website "https://test.de" should be able to call the API script. But how to achieve this in PHP? How to check what the URL of the "caller" is?
I already tried $_SERVER['HTTP_REFERER']; but I read that it can be easily manipulated, and in our case it always returns null, because we use https instead of http.
Is there a solution to our problem?
Thanks in advance,
Filip.
HTTP_REFERER will not work in practice with an API; it's related to a form submitted from another page or website. In case this is the situation, this is called cross-site request forgery. The solution here is to create a token in every rendered form and send it with the submitted data. On the backend, you will validate this token (most of the time it is saved in the session), you can check it
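A generic timestamp-plus-token check of the kind this answer and the Elgg answer further up describe, as an added example that is not Elgg's or any framework's implementation. It derives the token from the session ID with an HMAC instead of storing it in the session; the names `csrf_token`, `csrf_ts` and `TOKEN_TTL`, the secret and the URL are constructed for the illustration.

```php
<?php
// Added illustration: a generic timestamped anti-CSRF token.
// All names (csrf_token, csrf_ts, TOKEN_TTL) are hypothetical.
const TOKEN_TTL = 3600; // assumed token lifetime in seconds

// The token binds the timestamp to this visitor's session and a server-side secret.
function issue_token(string $secret, string $sessionId, int $ts): string
{
    return hash_hmac('sha256', $ts . '|' . $sessionId, $secret);
}

// Tokens travel in the request, so they are appended when the URL is generated.
function add_tokens_to_url(string $url, string $secret, string $sessionId, int $now): string
{
    $query = http_build_query([
        'csrf_token' => issue_token($secret, $sessionId, $now),
        'csrf_ts'    => $now,
    ]);
    return $url . (strpos($url, '?') === false ? '?' : '&') . $query;
}

// Server-side check: both fields present, timestamp fresh, token matches.
function request_is_valid(array $get, string $secret, string $sessionId, int $now): bool
{
    $token = $get['csrf_token'] ?? null;
    $ts    = $get['csrf_ts'] ?? null;
    if (!is_string($token) || !is_string($ts) || !ctype_digit($ts)) {
        return false;                      // the "token missing" case
    }
    $age = $now - (int) $ts;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false;                      // expired, or dated in the future
    }
    // Constant-time comparison against the value the server would have issued.
    return hash_equals(issue_token($secret, $sessionId, (int) $ts), $token);
}

// Constructed sample values, for demonstration only.
$secret = 'constructed-site-secret';
$now    = 1700000000;
$url    = add_tokens_to_url('https://example.test/action/demo', $secret, 'session-A', $now);
parse_str(parse_url($url, PHP_URL_QUERY), $get);

var_dump(request_is_valid($get, $secret, 'session-A', $now + 60));    // same session, fresh token
var_dump(request_is_valid($get, $secret, 'session-B', $now + 60));    // token replayed from another session
var_dump(request_is_valid($get, $secret, 'session-A', $now + 7200));  // token older than TOKEN_TTL
var_dump(request_is_valid([], $secret, 'session-A', $now));           // request without token fields
```

The check only sees what arrives in the request, which is why tokens appended to a file path on the server side never reach it.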

How to open an edit form using post request between postback using laravel 5.2

I have searched a lot but did not get any clue, so I am putting my question here.
I have created a user account where the user or admin can update or edit the user info. For security reasons we cannot use a GET request to open the edit form; instead we have to use the POST method whenever a particular user profile link is clicked.
I am able to open the edit form based on a POST request, and I am also able to check whether the request arrived using the GET or POST method, and its parameters.
Now the actual problem starts here: when I submit the form which was opened for editing and it contains any validation error, it does not redirect using the POST method, which creates a problem. It gives me "MethodNotAllowedHttpException". I know it is because it redirects back using a GET request. But I want it to be via a POST request.
If anybody requires code support I can try to give it, but I am not sure I can.
Thanks.
There is no way to do a redirect to any method other than GET. Location header that is used to do the redirect just tells the browser "where to go" and browser just goes there using the GET HTTP method.

Set Magento 2 session variable over AJAX

I am currently writing a Magento 2 module that requires me to log customer actions like product views. This action needs to be added for both logged in customers and guest customers. My solution is to use a custom variable (array) in the session for the customer of all product ID's.
To get around full page caching I have implemented a frontend ajax request to log the product views.
I have a controller that when visited will save the product ID in the session. This works as expected when I visit the URL directly, however, when its visited via an AJAX request the saving of the session variable does not work.
I have spent hours trying to debug this, I have been outputting the contents of the session variable and when accessed with AJAX I can see the contents, it's just never updated.
```
public function setGuestCustomerProductView($productId)
{
    $guestProductViews = $this->_sessionManager->getGuestProductViews();
    $guestProductViews[] = $productId;
    $this->_sessionManager->setGuestProductViews($guestProductViews);
    return $guestProductViews;
}
```
The AJAX request will always return the contents of the session variable (plus the product ID you are viewing) but never sets the variable. If I visit the URL directly in the same browser the contents are shown and the session variable is updated.
Further AJAX requests show the new session variable data from the direct URL request.
Have I misunderstood something in regards to sessions and AJAX requests? The domain is the same so there is no cross domain issues.
Any help would be appreciated.
UPDATE
I am starting to think this is not a magento 2 issue and it's more of a general Session/AJAX issue.
I decided to test a theory and switch out the SessionManager and use PHP's $_SESSION global variable. This resulted in the same issue so it's not the handler that's the issue.
Further tests concluded the same session ID was being passed and used correctly. While using the SessionManager I called isSessionExists() directly before the set method. This method returned true which checks for not only a valid session ID but also confirms the headers haven't been sent.
I see no reason why this works directly in the browser but not over AJAX. I will continue to investigate unless someone posts an answer I can try out.
SECOND UPDATE
After several failed attempts to get this feature to work I have decided to drop the feature and try a different implementation. As it stands in my module I am not using cookies on the clients side to record the product views and then reading the cookie in PHP. This works perfectly.
I hope my investigations here helps someone in the future.

drupal ajax login return user id

I'm making an AJAX module for Drupal 6 in regards to user login.
I need to:
- disable the redirect on the user login form (I know I need to do a form alter on this form: http://api.drupal.org/api/drupal/modules--user--user.module/function/user_login/6 but what and how?)
- get back a JSON response containing the success/fail and the user's UID.

Any idea how I do this?
Thanks.
You could start with ajax_register module or ajax module and customize it.
Or you create your own module for that purpose. You'd have to implement hook_form_user_login_form_alter, alter the form as needed, add some Javascript and write a callback function that calls user_login_submit() and sends a JSON response.
I strongly recommend to use an existing module. There might be more than the two mentioned above. Try searching for "drupal login ajax".
