The EuroCMS Core Ajax
The only way to handle ajax requests is via the EuroCMS Ajax Controller.
Security Checks
When someone makes a GET request to the ajax path, the controller checks that the unique ID is present in the header and that the request is a local GET, meaning it did not come from an external source.
- Local access only
- Ajax-only requests? This should probably be the default: no direct access from external servers.
- Access Control check: the EuroEditor can also request the file upload box when trying to upload an image file. On the AJAX request to the upload box, make sure it does an ACL check, just in case unauthorized users are requesting it...
- Randomly generated path? So that a hacker does not know where to GET/POST?
DB Structure
| ajax_id | domain_id | user_id | group_id | name | path | component_type | component_name | http_methods | local_only | user_lock | status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | FileUpload | /Files/FileUpload | module | Files | GET | true | null | enabled |
| 2 | 1 | 1 | 1 | Refresh | /themes/W3schools/refresh | themes | W3schools | GET,POST | true | null | enabled |
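The checks listed above (method whitelist, local-only, ACL) can be expressed as one server-side decision per request. The following is an added example and not EuroCMS code: it runs those checks against a constructed copy of the two rows in the table. The header name `X-EuroCMS-Ajax-Id`, the function names `authorizeAjax`/`safeEqual`, the shape of the `request` and `session` objects, and the reading of `user_lock` as "pinned to one user" and `group_id` as "required group" are all assumptions made for the illustration.

```javascript
// Added example, not EuroCMS code. Constructed copy of the two rows from the
// ajax route table above.
const AJAX_ROUTES = [
  { ajax_id: 1, domain_id: 1, user_id: 1, group_id: 1, name: "FileUpload",
    path: "/Files/FileUpload", component_type: "module", component_name: "Files",
    http_methods: "GET", local_only: true, user_lock: null, status: "enabled" },
  { ajax_id: 2, domain_id: 1, user_id: 1, group_id: 1, name: "Refresh",
    path: "/themes/W3schools/refresh", component_type: "themes",
    component_name: "W3schools", http_methods: "GET,POST", local_only: true,
    user_lock: null, status: "enabled" },
];

// Constant-time string comparison so the unique-ID check does not leak
// how many leading characters matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether an ajax request may be dispatched to its component.
//   request: { method, path, headers (lower-case keys), origin }
//   session: { ajaxId, userId, groupIds, siteOrigin }
// Returns { allowed, reason } so every denial can be logged with its cause.
// Header name and session fields are assumptions for this example.
function authorizeAjax(request, session, routes = AJAX_ROUTES) {
  const route = routes.find(r => r.path === request.path);
  if (!route) return { allowed: false, reason: "unknown ajax path" };
  if (route.status !== "enabled") return { allowed: false, reason: "route disabled" };

  // http_methods is a comma-separated per-route whitelist.
  const methods = route.http_methods.split(",").map(m => m.trim().toUpperCase());
  if (!methods.includes(String(request.method).toUpperCase())) {
    return { allowed: false, reason: "method not allowed" };
  }

  if (route.local_only) {
    // "Local" means issued by our own pages: the per-session unique ID must be
    // in the header and the Origin must be the site's own origin.
    const id = (request.headers || {})["x-eurocms-ajax-id"];
    if (!safeEqual(id, session.ajaxId)) return { allowed: false, reason: "missing or wrong ajax id" };
    if (request.origin !== session.siteOrigin) return { allowed: false, reason: "cross-origin request" };
  }

  // ACL check (assumed semantics): user_lock pins the route to one user,
  // otherwise membership in the route's group_id is required.
  if (route.user_lock !== null && route.user_lock !== session.userId) {
    return { allowed: false, reason: "route locked to another user" };
  }
  if (!session.groupIds.includes(route.group_id)) {
    return { allowed: false, reason: "group not permitted" };
  }
  return { allowed: true, reason: "ok", route };
}

// Constructed sample session and request for a stand-alone run.
const sampleSession = { ajaxId: "sess-7f3a", userId: 1, groupIds: [1], siteOrigin: "https://cms.example" };
const sampleRequest = { method: "POST", path: "/themes/W3schools/refresh",
  headers: { "x-eurocms-ajax-id": "sess-7f3a" }, origin: "https://cms.example" };
console.log(authorizeAjax(sampleRequest, sampleSession).reason);                          // ok
console.log(authorizeAjax({ ...sampleRequest, origin: "https://other.example" }, sampleSession).reason); // cross-origin request
```

The decision deliberately returns a reason rather than a bare boolean: the local-only and ACL failures are exactly the events the controller should log, and a denied `/Files/FileUpload` request with a wrong ID looks different in the log from one with a wrong group.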
The EuroCMS Ajax Controller
Figure out where in the sub wiki pages to save this information.
The admin panel has JS code that is used everywhere.
```javascript
/**
 * This file is part of the EuroCMS project
 *
 * (c) Imri Paloja <imri.paloja@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
async function Ajax(DATA, HTTP_METHOD, PATH) {
    // Send the request with the Fetch API. The XMLHttpRequest/ActiveXObject
    // fallback for IE5/IE6 is not needed in any browser that supports async/await,
    // and its onreadystatechange handler would never fire without xmlhttp.send().
    const response = await fetch(PATH, {
        method: HTTP_METHOD,
        body: DATA
    });
    // Only render a successful (HTTP 200) response, as the old handler intended.
    if (response.status === 200) {
        document.getElementById("notification-reponse").innerHTML = await response.text();
        // ^ edit this
    }
}
```