We have a site that needs to have several sections be secure. We have
our SSL certificate installed, and for the areas that are accessible
via menu item, it's no problem - we just use the SSL Enabled system
parameter in the menu item editor. But we have a few sections (i.e. a
shopping cart checkout screen) that are only accessible via a submit
button (they don't have their own URL, so to speak - they're just
submitted to themselves via the controller and the view changes based
on the form action.) Right now, the form action is set like this:
<form name="instantForm" action="/<?=$this->segment?>/" method="post" onsubmit="updateSubmitValue()">
where segment is passed via the view.html.php. The rendered form tag
looks like this:
<form id = "checkoutForm" name="checkoutForm" action="/checkout/" method="post" onsubmit="updateSubmit()">
When submitted, the controller grabs the value of a few submitted
fields and determines which view to display (logged in with saved
account info or anonymous transaction) and then displays the correct
form.
Here's a stripped-down version of the controller's display method:
if (JRequest::getVar('checkoutCodeSubmitBTN') != ""){
//user has clicked Checkout button; go to billing info page
JRequest::setVar('view','checkoutpay');
// JRequest::setVar('view','checkout_thankyou');
//reference view
$viewCode =& $this->getView('checkoutpay','html');
$viewCode->voucher =& $voucher;
} //close test for step 1 if
How can I make sure that the view that gets displayed gets switched
over to an https URL?
I've already posted this on the google joomla dev discussion group, and got a response telling me to use JRoute to generate a URL and use setRedirect instead of posting to the form, but then someone else responded that using JRoute produces a completely new request, so all your access to JRequest::getVar type stuff is gone. We need to be able to access the variables that are posted through the form, so that solution is out. Does anyone have any other ways of doing this? I'm pretty new to Joomla development and am not familiar with many of the objects and methods available.
I've heard from some people that JRoute would be better for this, but that only works if you know the URL you need; we have to build our URL dynamically based on the current request, so I used JURI.
In my view.html.php, I added this code:
$needSecure = $model->needSecure();
if($needSecure) {
$u =& JURI::getInstance( JURI::base() );
$u->setScheme( 'https' );
$tmpURL = $u->toString()."checkout";
}
else {
$tmpURL = "/checkout";
}
$this->assignRef("tmpURL", $tmpURL);
needSecure() is a function in my model that pulls a value from a database table and returns a boolean. So if needSecure returns true, we get the current request URI, set the first part to https, then append the bit that we're submitting to. If it returns false, we just set the bit to submit to.
In the default.php, we have this:
<form id = "checkoutForm" name="checkoutForm" action="<?=$this->tmpURL?>/" method="post" onsubmit="updateSubmit()">
If needSecure is true, the action renders to
<form id = "checkoutForm" name="checkoutForm" action="https://www.mysite.com/checkout" method="post" onsubmit="updateSubmit()">
otherwise it renders to
<form id = "checkoutForm" name="checkoutForm" action="/checkout" method="post" onsubmit="updateSubmit()">
It works perfectly, and because we're storing the boolean in a database, it means we don't ever have to change the code itself if we want to make a new form submission secure or insecure.
Related
I wanted to disable employees from a button on my index.blade.php page. Currently, the options of disabling employees (setting the status column in the database to false) is either to have an edit.blade.php view and update the value there, which is pretty standard for any laravel app or to have a new view for example, changestatus.blade.php, with the proper routes offcourse and update the value there. I am using the second implementation and it's working perfectly.
What i wanted to implement is to have a button on the index page which will change the status of the employee without going to a edit.blade.php or changestatus.blade.php page.
What i have tried
I have created new routes and created a button to link to the changestatus function
Routes.php
Route::put('employees/{employee}/changestatus', 'EmployeesController#changestatus')->name('employees.changestatus');
Route::resource('employees', 'EmployeesController');
EmployeeController
public function changestatus($EmployeeID)
{
$employee = Employee::find($EmployeeID);
$employee->status = true;
$employee->Save();
}
On my view i created a button with the following link
{{ URL::route('employees.changestatus', $employee->EmployeeID) }}
When i click that link, i get the MethodNotAllowedHttpException in RouteCollection.php error.
I even tried to change the Route::put to Route::Patch, but it's the same thing.
Is it even possible to achieve what I'm trying to do? If so, how?
When you click on a hyperlink, the web browser submits a GET request. Your route has been defined as being a PUT so that's why you're getting an exception.
You could either change the route to a GET by defining it like this:
Route::get('employees/{employee}/changestatus', 'EmployeesController#changestatus')->name('employees.changestatus');
Which isn't very ReSTful since a GET request should really only be used for returning a resource rather than modifying it.
Or, you could modify the button so that it submits a form like this:
<form method="post" action="{{ route('employees.changestatus', $employee->EmployeeID) }}">
{{ method_field('PUT') }}
<button type="submit">Button Text</button>
</form>
Note that you can't simply set the form method to PUT since this method isn't generally supported by web browsers. Laravel supports method spoofing which you can read all about here:
http://laravel.com/docs/5.1/routing#form-method-spoofing
I have a form which I dynamically build inside a jquery modal dialog.
var $myform = jQuery("<form id='EditForm' method='post' action='index.php?option=com_mycomponent&task=edit'></form>");
...
It gets processed by the edit method in my controller and then I redirect back to the desired page:
JFactory::getApplication()->redirect(JRoute::_('index.php?option=com_mycomponent'));
This submit from the form works and all is good except the url I get routed back to. It should be
index.php?option=com_mycomponent (or the SEF url)
but instead I get:
components/mycomponent/
Technically that is the same page but now it screws up any other operation I try to do after that. I'm guessing the fact that I create the form in javascript is part of the problem. I bet if I put
<?php echo JRoute::_('index.php?option=com_mycomponent') ?>
that might work. But I can't do that because this is a form in a separate javascript file where I don't have php available. Any ideas what I can do?
The URL you get is correct. It's the SEF URL for index.php?option=com_mycomponent.
You can add an Itemid (menu item) so the SEF URLs is prettier. Or you just can skip the JRoute part and you get the non SEF URL.
Update:
To get the currently active menu itemid you just get it from the current URL with either JRequest (depreceated) or JInput (http://docs.joomla.org/Retrieving_request_data_using_JInput):
$itemid = JFactory::getApplication()->input->get('Itemid', '0', 'INT');
But if there is an active menu item, JRoute should already add it itself.
I am in the process of porting a site I wrote from ASP.NET webforms to MVC3 and need some guidance as outlined below. I'm new to MVC3.
In my existing ASP.NET web forms project I have a simple page where the user enters a username, they then click a button which causes a postback, on postback there is some basic code that checks if the entered username exists in a user repository - if it does, a textbox containing the users e-mail is shown and the username textbox is made invisible. This happens with ajax and so when the username is entered, the textbox containing the e-mail along with an "Update" button is shown without a full page refresh.
I created a model such as:
public class ChangeEmailModel
{
[Required]
public string Username { get; set; }
[Required]
public string Email { get; set; }
}
Problem is that when the user first enters the page, they should only see a textbox prompting them to enter a username. Once the username is entered and an update button clicked, only then their e-mail is shown (retrieved from the database). Once the e-mail is shown, they can edit the e-mail and click update, which then will need to post to a controller action that saves the updated e-mail. I'm not yet fully used to thinking in the MVC way, so I'm not sure if I've started on the wrong foot with the model above...
Can someone give me some guidance on how this can be accomplished in MVC3 so I can give it a try?
I will start off by suggesting that you start using JQuery for your javascript/ajax functions. ASP.Net MVC3 supports JQuery nicely. I will ignore validation of the email for now as it will be much easier to get you started without it. A high level overview will be:
Add the JQuery script to your page
Add the JQuery vsdoc script to your page so you have some intellisense
Create a partial view to show the email and submit button
Create a controller action that performs the email lookup you mentioned
Create a div to accept the newly returned Email Update form
Use JQuery to override the submit on your username lookup to perform an ajax update instead (and populate the Email Update form div)
1. Add the JQuery script to your page
This should be pretty easy - just drag it from your scripts folder. I think mvc3 comes with jquery-1.5.1.js. Use the min (minified) version when you release to production.
2. Add the JQuery vsdoc script to your page so you have some intellisense
Not quite as easy here - you will want to use an if statement that always evaluates to false so the script is not actually included in your content. Having it on the page though, will cause VS to use it for intellisense. Put this near the top of your view:
#if (false) { <script src="../../Scripts/jquery-1.5.1-vsdoc.js" type="text/javascript"></script> }
Hopefully you are using Razor. If not, start using it. It seemed a little foreign to me at first, but it requires much less markup.
3. Create a partial view to show the email and submit button
You could use the ViewBag to pass the Email address and UserName (for now as we are ignoring validation), but go ahead and make it strongly typed to your Model from above. Your view may look something like this:
#model ChangeEmailModel
#{using (Html.BeginForm("UpdateEmail", "Home", FormMethod.Post, new { id = "UpdateEmailForm" }))
{
<input type="hidden" name="userName" value="#Model.UserName" />
#Html.EditorFor(m => m.Email)
<button id="submitEmailUpdate" type="submit">Submit</button>
}
}
Note that we have given Ids to the form and the submit button. JQuery will find the form and button based on these ids. (if we need to, which we will if we want to "ajaxify" the action of updating the email. I did not go into that detail here, but it will be the same process to get that working as it is for the original username lookup)
4. Create a controller action that performs the email lookup you mentioned
I won't go into controllers much here (as you are asking about ajax type updates) but it might look like:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult LookupEmail(string userName)
{
//connect to db and lookup email based on passed in username
//create a new instance of your model
var changeEmailModel = new ChangeEmailModel(.....)
//return a partial view
return PartialView("EmailUpdateForm", changeEmailModel);
}
Make sure to return a PartialView here rather than a View.
5. Create a div to accept the newly returned Email Update form
Make sure this div is not contained in your Username lookup form (as you want to hide it). We will be working with two separate forms. This div could be hidden if you prefer (but will start out empty anyway) I am calling it emailFormDiv
6. Use JQuery to override the submit on your username lookup to perform an ajax update instead
JQuery will allow you to attach functions to... well a lot of things, but we will be using it to override the submit button on your username lookup form. Assume that your original username lookup form with an id of "formUserNameLookup" that has a submit button with an id of "submitUserNameLookup". You would then create a script tag that looks something like this:
<script type="text/javascript" language="javascript">
$(document).ready(function () { //The document.ready function will fire when the html document is... ready
$('#submitUserNameLookup').click(function (ev) { //fires when the submit button is clicked
ev.preventDefault(); //prevent the normal action of the button click
$.post($('#formUserNameLookup').attr('action'), //get the url from the form's action attribute. Could be hard coded for simplicity
$('#formUserNameLookup').serialize(), //serialize the data in the form
function (response, status) {
$('#emailFormDiv').html(response); //replace the html of your div with the response
$('#formUserNameLookup').hide(); //hide the original form
}, 'html'); //states that we are expecting html back from the post
});
});
</script>
The code above is attaching a function to be run when the submit button is clicked. It won't run, of course, until the button is actually clicked. Using JQuery/Javascript to attach functions to html elements, rather than embedding them directly inside the element is definitely preferred, and is referred to as unobtrusive javascript. If you continue with ajaxifying more of your page, you will want to look into JQuery's live and/or delegate functions. Note that there are plenty of things that can be changed once you start looking toward performance and/or best practices. The above should get you going though. I hope I haven't made too many assumptions on your current level of familiarity with ASP.Net MVC (like controllers and posting to controllers) but by all means, ask if you need further help.
I have an extension which should give the users (logged in as an Admin in the magento backend) the ability to change some configs in the frontend area. I want to have a link in the frontend which loads the config area via ajax and gives the user the possibility to edit&save this config in the loaded div. I want to use the magento backend forms for this so i don't have to code the forms myself.
My current approach has the link on the pages and loads via ajax the correct backend page (e.g. System > Configuration > Design). For this approach I created a Controller which extends the Mage_Adminhtml_Controller_Action. This Controller get the params from the ajax request and uses an action (like the editAction of the class Mage_Adminhtml_System_ConfigController) to get the right config page in the backend.
My Problems are:
- showing only the correct Area (I just want the user to edit only the section "themes" under System > Configuration > Design) everything else should be not available... so how to remove all the information around this config section?
The form needs the JS-variable Form_Key. How to get the current Form_Key (in the frontend)?
After the ajax has loaded the content the form doesnt get initialized correctly. So if I'm trying to submit the form my firebug says "JS-Error: configForm is not defined". How to solve this form initialising ? Any ideas?
I really hope anybody here can give me a hint how to solve this problems to get the backend config work in the frontend.
This is untested, but it should be enough to get you on the right track:
Output only a specific block
In the frontend most blocks are instantiated via layout XML. In the adminhtml area this is different, so you need to work with PHP instantiation much more.
In your AJAX action I assume you are currently calling loadLayout() and renderLayout().
To only output a specific section use this instead:
public function yourAjaxAction()
{
// assuming the required config section is set in the AJAX request
$sectionCode = $this->getRequest()->getParam('section');
$sections = Mage::getSingleton('adminhtml/config')->getSections();
$blockName = (string)$sections->frontend_model;
if (empty($blockName)) {
$blockName = Mage_Adminhtml_Block_System_Config_Edit::DEFAULT_SECTION_BLOCK;
}
$block = $this->getLayout()->createBlock($blockName)->initForm();
// Set the AJAX response content
$this->getResponse()->setBody($block->toHtml());
}
The form key
The form key can be fetched via
Mage::getSingleton('core/session')->getFormKey()
It must be present in the form posted back to the server. You can use the following code to create a HTML hidden field with the formkey:
// If loadLayout() was called:
$formkeyHtml = Mage::app()->getLayout()->getBlock('formkey')->toHtml();
// If working without layout XML:
$formkeyHtml = Mage::app()->getLayout()->createBlock('core/template', 'formkey')
->setTemplate('formkey.phtml') // adminhtml theme formkey
//->setTemplate('core/formkey.phtml') // frontend theme formkey
->toHtml();
Add configForm JavaScript
The configForm variable is an JS varienForm object of the DOM element containing the config fields.
It is instantiated using:
// config_edit_form is the CSS id
configForm = new varienForm('config_edit_form');
The varienForm declaration is in the file js/varien/form.js.
There also is some additional javascript used by the system configuration. Magento always adds in these blocks to set up the system config JS environment:
Mage::app()->getLayout()->getBlock('js')->append(
$this->getLayout()->createBlock('adminhtml/template')
->setTemplate('system/shipping/ups.phtml')
);
Mage::app()->getLayout()->getBlock('js')->append(
$this->getLayout()->createBlock('adminhtml/template')
->setTemplate('system/config/js.phtml')
);
Mage::app()->getLayout()->getBlock('js')->append(
$this->getLayout()->createBlock('adminhtml/template')
->setTemplate('system/config/applicable_country.phtml')
);
I hope that gets you started.
When implementing a Facebook Canvas app using an iframe the iframe does a post to my page. This is fine, but it causes the validators to fire which brings up the page with errors on all of the input fields.
Is there anyway to not have the validators fire on this initial page load through the iframe canvas?
Here is a sample code snippet:
#model My.User
#using (Html.BeginForm())
{
#Html.TextBoxFor(e => e.FirstName)
#Html.ValidationMessageFor(e => e.FirstName)
<input type="submit" />
}
The validators are being fired because Facebook is doing an HTTP POST to the url being loaded into the iFrame. By default, turn off your validators initially. Only once when you get a signed_request POST parameter, from facebook then you turn them on.
In the interest of using the framework and not making a hack, this is how I solved this... I am not set that this in the end all be all because there are some issues when implementing this with larger sets of permissions which are noted below. The main issue is the constraint of the length of the URL.
First, when the user hits the site I am deciding to send them along based on my own set of rules, but still persist the signed request from Facebook via the URL.
if(Liked)
{
return RedirectToAction("SimplyAnswerTheQuestion", new { sr = FBSignedRequest });
} else {
return View(ElitistResponse(BetterThanYouObject));
}
Now the issue with this is that you will run out of space to store the signed request as a query string variable if you have been allowed more information about the FB user (i.e. Likes, Friends, etc.). You could capture the signed request and store it before the redirect and then give the user a token in a cookie to pass along to access the data throughout the rest of the session.