Front-end Ajax in ModX Revolution

Time: 2021-05-25 06:51:23

What's the proper way for implementing front-end Ajax functionality in ModX Revolution? I like the idea of connectors and processors, but for some reason they are for back-end use only - modConnectorResponse checks if user is logged in and returns 'access denied', if he is not.

Inserting a snippet into resource and calling it by resource URL seems a one-time solution, but that doesn't look right to me.

So how do I get safe Connector-like functionality for front-end?

3 solutions

#1


2  

So, as boundaryfunctions said, it's not possible and ModX developers recommend using a resource with a single snippet included. But for those who despite the will of developers look for Connector-like functionality, there may be a solution made by guess who-- ModX core developer splittingred in Gallery extra. In connector.php, before handleRequest() call, there's a code that fakes authorisation:

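// Only fake the connector auth for this one action.
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'web/phpthumb') {
    $version = $modx->getVersionData();
    if (version_compare($version['full_version'],'2.1.1-pl') >= 0) {
        if ($modx->user->hasSessionContext($modx->context->get('key'))) {
            // Logged in to this context: reuse the session's user token as MODAUTH.
            $_SERVER['HTTP_MODAUTH'] = $_SESSION["modx.{$modx->context->get('key')}.user.token"];
        } else {
            // No session in this context: set the token and MODAUTH to the same value (0).
            $_SESSION["modx.{$modx->context->get('key')}.user.token"] = 0;
            $_SERVER['HTTP_MODAUTH'] = 0;
        }
    } else {
        // Versions before 2.1.1-pl: use the site id as MODAUTH.
        $_SERVER['HTTP_MODAUTH'] = $modx->site_id;
    }
    // Mirror the value into the request parameters as well.
    $_REQUEST['HTTP_MODAUTH'] = $_SERVER['HTTP_MODAUTH'];
}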

Works for me. Just need to replace first if condition with my own actions.

UPDATE: I forgot to mention that you need to pass &ctx=web parameter with your AJAX request, because default context for connectors is "mgr" and anonymous users will not pass policy check (unless you set access to the "mgr" context for anonymous users).

And also the code from Gallery extra I posted here seems to check some session stuff that for me doesn't work with anonymous front-end users (and works only when I'm logged in to back-end), so I replaced it with the next:

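// Fake the connector auth only for these front-end actions.
if (isset($_REQUEST['action']) && in_array($_REQUEST['action'], array('loadMap', 'loadMarkers'), true)) {
    // Set the session token and MODAUTH to the same value (1).
    $_SESSION["modx.{$modx->context->get('key')}.user.token"] = 1;
    $_SERVER['HTTP_MODAUTH'] = $_REQUEST['HTTP_MODAUTH'] = 1;
}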

I don't know if this code is 100% safe, but when anonymous user calls it, he doesn't appear to be logged in to Manager, and when admin is logged in and calls the action from back-end, he is not logged off by force. And that looks like enough security for me.

This solution is still portable (i.e. can be embedded into distributable Extra), but security should be researched more seriously for serious projects.
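
A narrower form of the shim in the answer above, as an added example that is not part of the original answer, MODX or the Gallery extra: it applies the fake token only for an exact allow-list of actions, refuses the "mgr" context, and keeps a token that is already in the session. The function name and its array parameters (stand-ins for $_REQUEST, $_SESSION and $_SERVER) are hypothetical; the session key and the placeholder value 1 are taken from the answer's snippets.

```php
<?php
// Added example: names are hypothetical; plain arrays stand in for the
// superglobals so the gate can be exercised outside MODX.
function applyFrontendAuthShim(array &$request, array &$session, array &$server,
                               string $contextKey, array $allowedActions): bool
{
    $action = $request['action'] ?? null;
    // Strict match: a missing, non-string or unlisted action never passes.
    if (!is_string($action) || !in_array($action, $allowedActions, true)) {
        return false;
    }
    // Never apply the shim in the manager context.
    if ($contextKey === 'mgr') {
        return false;
    }
    $tokenKey = "modx.{$contextKey}.user.token";
    // Keep a token that is already in the session; only visitors without
    // one get the placeholder value.
    if (!isset($session[$tokenKey])) {
        $session[$tokenKey] = 1;
    }
    $server['HTTP_MODAUTH'] = $request['HTTP_MODAUTH'] = $session[$tokenKey];
    return true;
}

// Constructed sample requests: [request parameters, resolved context key].
$allowed = ['loadMap', 'loadMarkers'];
$cases = [
    [['action' => 'loadMap', 'ctx' => 'web'], 'web'],
    [['action' => 'loadMap'], 'mgr'],                    // ctx omitted: default context
    [['action' => 'deleteMarker', 'ctx' => 'web'], 'web'], // not on the allow-list
    [['action' => ['loadMap'], 'ctx' => 'web'], 'web'],  // array instead of string
];
foreach ($cases as [$req, $ctx]) {
    $session = $server = [];
    $applied = applyFrontendAuthShim($req, $session, $server, $ctx, $allowed);
    printf("%-16s ctx=%-3s shim=%s\n",
        json_encode($req['action']), $ctx, $applied ? 'yes' : 'no');
}
```

In a connector the arrays would be the superglobals and the context key would come from `$modx->context->get('key')`, called before handleRequest().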

#2


1  

As far as I know, this is not possible in modX at the moment. It has already been discussed on the modx forums and filed as a bug here, but it doesn't look like anybody is working on it.

There are also two possible workarounds in the second link. Personally, I would favour putting the connector functionality into the assets folder to keep the resource tree clean.

#3


0  

There's a more complete explanation of the technique used in Gallery here:

http://www.virtudraft.com/blog/ajaxs-connector-file-using-modxs-main-index.php.html

It allows you to create a connector to run your own processors or built-in MODX processors without creating a resource.
