Front-end Ajax in ModX Revolution - ajax

What's the proper way for implementing front-end Ajax functionality in ModX Revolution? I like the idea of connectors and processors, but for some reason they are for back-end use only - modConnectorResponse checks if user is logged in and returns 'access denied', if he is not.
Inserting a snippet into resource and calling it by resource URL seems a one-time solution, but that doesn't look right to me.
So how do I get safe Connector-like functionality for front-end?

So, as boundaryfunctions said, it's not possible and ModX developers recommend using a resource with a single snippet included. But for those who despite the will of developers look for Connector-like functionality, there may be a solution made by guess who-- ModX core developer splittingred in Gallery extra. In connector.php, before handleRequest() call, there's a code that fakes authorisation:
if ($_REQUEST['action'] == 'web/phpthumb') {
$version = $modx->getVersionData();
if (version_compare($version['full_version'],'2.1.1-pl') >= 0) {
if ($modx->user->hasSessionContext($modx->context->get('key'))) {
$_SERVER['HTTP_MODAUTH'] = $_SESSION["modx.{$modx->context->get('key')}.user.token"];
} else {
$_SESSION["modx.{$modx->context->get('key')}.user.token"] = 0;
$_SERVER['HTTP_MODAUTH'] = 0;
}
} else {
$_SERVER['HTTP_MODAUTH'] = $modx->site_id;
}
$_REQUEST['HTTP_MODAUTH'] = $_SERVER['HTTP_MODAUTH'];
}
Works for me. Just need to replace first if condition with my own actions.
UPDATE: I forgot to mention that you need to pass &ctx=web parameter with your AJAX request, because default context for connectors is "mgr" and anonymous users will not pass policy check (unless you set access to the "mgr" context for anonymous users).
And also the code from Gallery extra I posted here seems to check some session stuff that for me doesn't work with anonymous front-end users (and works only when I'm logged in to back-end), so I replaced it with the next:
if (in_array($_REQUEST['action'], array('loadMap', 'loadMarkers'))){
$_SESSION["modx.{$modx->context->get('key')}.user.token"] = 1;
$_SERVER['HTTP_MODAUTH'] = $_REQUEST['HTTP_MODAUTH'] = 1;
}
I don't know if this code is 100% safe, but when anonymous user calls it, he doesn't appear to be logged in to Manager, and when admin is logged in and calls the action from back-end, he is not logged off by force. And that looks like enough security for me.
This solution is still portable (i.e. can be embedded into distributable Extra), but security should be researched more seriously for serious projects.

As far as I know, this is not possible in modX at the moment. It has already been discussed on the modx forums and filed as a bug here, but it doesn't look like anybody is working on it.
There are also two possible workarounds in the second link. Personally, I would favour putting the connector functionality into the assets folder to keep the resource tree clean.

There's a more complete explanation of the technique used in Gallery here:
http://www.virtudraft.com/blog/ajaxs-connector-file-using-modxs-main-index.php.html
It allows you to create a connector to run your own processors or a built-in MODX processors without creating a resource.

Related

detecting users with hola extension

I want to know if users are using hola better internet to browse my site. Hola! is an extension that uses a peer to peer network so users can appear to be browsing from different countries. I am worried however that some bots are using this plugin as a proxy. From what I read it does not send the X-FORWARDED-FOR header, and does not seem to announce itself on the navigator.plugins - verified with panopticlick. This seems like a huge security issue, as this plugin has 42 million users..
I see people using it to see netflix from other countries, I guess they would love to stop it too.
How do I detect users who are using this plugin?
--EDIT--
Also, see this - luminati.io - what seems to be the worlds largest botnet for hire... i cant see how they wont piss off google like this. But this does look like a great security risk to any site on the web.
Looking at the source code of the plugin there is this:
function hola_ext_present(){
// Only <html> is present at document_start time, use it as a
// storage to communicate presence of extension to web page.
document.documentElement.setAttribute('hola_ext_present', 'true');
}
so basically something like:
document.documentElement.getAttribute('hola_ext_present');
will tell you if it is present or not.
I know this should be done on server side, but what I can think for now is doing it on the client side since hola when successfully loaded it creates an attribute on html tag named hola_ext_inject.
So using jquery :
$(function() {
var hola_inject = $('html').attr('hola_ext_inject');
if (typeof hola_inject !== typeof undefined && hola_inject !== false) {
console.log('plugin exist');
}
});

Is there a way to extend BlogEngine in order to prevent unauthenticated users from accessing images?

Still using a very old (and slightly customized) version of BlogEngine.NET on a Windows XP (!) server so I'm a bit afraid to upgrade.
In the past, I have written a couple of extensions in order to grant or prevent access to static pages and/or posts based upon the users / roles and / or the post categories. For instance, I can prevent access to the blog from unauthenticated users, I can grant access to a subset of the blog (post categories) to users having the 'Readers' role, etc.
I noticed that images are still accessible, either ones stored explicitly under the /App_Data/files/ folder and served by the image.axd handler, or ones associated with blog posts.
Is there an extension point available where I could add some logic to prevent access to images based on criteria such as authentication and/or users / roles ? Perhaps based upon their file extensions, or whatnot ?
I don't know about an official extension point but I think the edits you need to make are as follows.
According to this line in the web.config
<add verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" validate="false"/>
The image.axd is handled by BlogEngine.Core.Web.HttpHandlers.ImageHandler
If you look in the BlogEngine.Core project you will find the ImageHandler.cs that defines this class. Assuming you need access to the Session you will need to IReadOnlySessionState as an implemented interface to the class.
public class ImageHandler : IHttpHandler, IReadOnlySessionState {
...
}
Once this is in place you can access the Session in the ProcessRequest Method to perform your custom checks.
public void ProcessRequest(HttpContext context) {
if(context.Session["SomeKey"] == true){
//serve image code goes here
}
}

Detect url the user is viewing in chrome/firefox/safari

How can you detect the url that I am browsing in chrome/safari/firefox via cocoa (desktop app)?
As a side but related note, are there any security restrictions when developing a desktop app that the user will be alerted and asked if they want to allow? e.g. if the app accesses their contact information etc.
Looking for a cocoa based solution, not javascript.
I would do this as an extension, and because you would like to target Chrome, Safari, and Firefox, I'd use a cross-browser extension framework like Crossrider.
So go to crossrider.com, set up an account and create a new extension. Then open the background.js file and paste in code like this:
appAPI.ready(function($) {
appAPI.message.addListener({channel: "notifyPageUrl"}, function(msg) {
//Do something, like send an xhr post somewhere
// notifying you of the pageUrl that the user visited.
// The url is contained within msg.pageUrl
});
var opts = { listen: true};
// Note: When defining the callback function, the first parameter is an object that
// contains the page URL, and the second parameter contains the data passed
// to the context of the callback function.
appAPI.webRequest.onBeforeNavigate.addListener(function(details, opaqueData) {
// Where:
// * details.pageUrl is the URL of the tab requesting the page
// * opaqueData is the data passed to the context of the callback function
if(opaqueData.listen){
appAPI.message.toBackground({
msg: details.pageUrl
}, {channel: "notifyPageUrl"});
}
}, opts ); // opts is the opaque parameter that is passed to the callback function
});
Then install the extension! In the example above, nothing is being done with the detected pageUrl that the user is visiting, but you can do whatever you like here - you could send a message to the user, you could restrict access utilizing the cancel or redirectTo return parameters, you could log it locally utilizing the crossrider appAPI.db API or you could send the notification elsewhere, cross-domain, to wherever you like utilizing an XHR request from the background directly.
Hope that helps!
And to answer the question on security issues desktop-side, just note that desktop applications will have the permissions of the user under which they run. So if you are thinking of providing a desktop app that your users will run locally, say something that will detect urls they access by tapping into the network stream using something like winpcap on windows or libpcap on *nix varieties, then just be aware of that - and also that libpcap and friends would have to have access to a network card that can be placed in promiscuous mode in the first place, by the user in question.
the pcap / installed desktop app solutions are pretty invasive - most folks don't want you listening in on literally everything and may actually violate some security policies depending on where your users work - their network administrators may not appreciate you "sniffing", whether that is the actual purpose or not. Security guys can get real spooky so-to-speak on these kinds of topics.
The extension via Crossrider is probably the easiest and least intrusive way of accomplishing your goal if I understand the goal correctly.
One last note, you can get the current tab urls for all tabs using Crossrider's tabs API:
// retrieves the array of tabs
appAPI.tabs.getAllTabs(function(allTabInfo) {
// Display the array
for (var i=0; i<allTabInfo.length; i++) {
console.log(
'tabId: ' + allTabInfo[i].tabId +
' tabUrl: ' + allTabInfo[i].tabUrl
);
}
});
For the tab API, refer to:
http://docs.crossrider.com/#!/api/appAPI.tabs
For the background navigation API:
http://docs.crossrider.com/#!/api/appAPI.webRequest.onBeforeNavigate
And for the messaging:
http://docs.crossrider.com/#!/api/appAPI.message
And for the appAPI.db stuff:
http://docs.crossrider.com/#!/api/appAPI.db
Have you looked into the Scripting Bridge? You could have an app that launches, say, an Applescript which verifies if any of the well known browser is opened and ask them which documents (URL) they are viewing.
Note: It doesn't necessarily need to be an applescript; you can access the Scripting Bridge through cocoa.
It would, however, require the browser to support it. I know Safari supports it but ignore if the others do.
Just as a quick note:
There are ways to do it via AppleScript, and you can easily wrap this code into NSAppleScript calls.
Here's gist with AppleScript commands for Safari and Chrome. Firefox seems to not support AE.
Well obviously this is what I had come across on google.
chrome.tabs.
getSelected
(null,
function
(tab) {
alert
(tab.url);
}) ;
in pure javascript we can use
alert(document.URL);
alert(window.location.href)
function to get current url

Scoping sessions to a particular section of a Coldfusion application?

Is there a way to enable sessions for just a specific part of the Coldfusion application by just adding Application.cfm into its directory with the session enablers?
For example, a website that has the following:
/extranet
/intranet
/store
/rentals
I want to use session variables in the rental section, independent of the ones in the intranet and store.
If you don't want to share session variables, and don't need to share application variables, then it's easy. Just put a different Application.cfc (or .cfm) in the root of the context for which you want access to the session variables.
So if you want sessions in /extranet, and sessions in /intranet and don't want them to be the same application, then:
/extranet/Application.cfc:
component {
this.name = "extranet";
this.sessionmanagement = true;
}
/intranet/Application.cfc:
component {
this.name = "intranet";
this.sessionmanagement = true;
}
It sounds like you aren't really up to speed on all of the things that you can do with Application.cfc, so I'll also add that this is a really good reference. There is a lot to learn, but it is also pretty simple once you understand how it works.
Maybe a Single Signon (SSO) solution would work for you? Rather than monkey around with the values in the session struct, just pass a user id from one app to another. When the user passes from extranet to rentals, the app says "here comes user #45", the rentals app looks them up in the db, does some validation to make sure that the user is who the extranet says they are, then starts a new session for them in rentals.

Debugging: IE6 + SSL + AJAX + post form = 404 error

The Setting:
The program in question tries to post form data via an AJAX call to a target procedure contained in the same package as the caller. This is done for a site that uses a secure connection (HTTPS). The technology used here is PLSQL and the DOJO JavaScript library. The development tool is basically a text editor.
Code Snippet:
> function testPost() {
>> dojo.xhrPost( {
url: ''dr_tm_w_0120.test_post'',
form: ''orgForm'',
load: testPostXHRCallback,
error: testPostXHRError
});
}
> function testPostXHRCallback(data,ioArgs) {
>> alert(''post callback'');
try{
dojo.byId("messageDiv").innerHTML = data;
}
catch(ex){
if(ex.name == "TypeError")
{
alert("A type error occurred.");
}
}
return data;
}
>
function testPostXHRError(data, ioArgs) {
>> alert(data);
alert(''Error when retrieving data from the server!'');
return data;
}
The Problem:
When using IE6 (which the entire user-base uses), the response sent back from the server is a 404 error.
Observations:
The program works fine in Firefox.
The calling procedure cannot target any procedures within the same package.
The calling procedure can target outside sites (both http, https).
The other AJAX calls in the package that are not posts of form data work fine.
I've searched the internets and consulted with senior-skilled team members and haven't discovered anything that satisfactorily addresses the issue.
*Tried Q&A over at Dojo support forums.
The Questions:
What troubleshooting techniques do you recommend?
What troubleshooting tools do you recommend for HTTPS analyzing?
Any hypotheses on what the issue might be?
Any ideas for workarounds that aren't total (bad) hacks?
Ed. The Solution
lomaxx, thx for the fiddler tip. you have no idea how awesome it was to get that and use it as a debugging tool. after starting it up this is what i found and how i fixed it (at least in the short term):
> ef Fri, 8 Aug 2008 14:01:26 GMT dr_tm_w_0120.test_post: SIGNATURE (parameter names) MISMATCH VARIABLES IN FORM NOT IN PROCEDURE: SO1_DISPLAYED_,PO1_DISPLAYED_,RWA2_DISPLAYED_,DD1_DISPLAYED_ NON-DEFAULT VARIABLES IN PROCEDURE NOT IN FORM: 0
After seeing that message from the server, I kicked around Fiddler a bit more to see what else I could learn from it. Found that there's a WebForms tab that shows the values in the web form. Wouldn't you know it, the "xxx_DISPLAYED_" fields above were in it.
I don't really understand yet why these fields exist, because I didn't create them explicitly in the web PLSQL code. But I do understand now that the target procedure has to include them as parameters to work correctly. Again, this is only in the case of IE6 for me, as Firefox worked fine.
Well, that the short term answer and hack to fix it. Hopefully, a little more work in this area will lead to a better understanding of the fundamentals going on here.
First port of call would be to fire up Fiddler and analyze the data going to and from the browser.
Take a look at the headers, the url actually being called and the params (if any) being passed to the AJAX method and see if it all looks good before getting to the server.
If that all looks ok, is there any way you can verify it's actually hitting the server via logging, or tracing in the AJAX method?
ed: another thing I would try is rig up a test page to call the AJAX method on the server using a non-ajax based call and analyze the traffic in fiddler and compare the two.

Resources