Recommended method for securing control panel AJAX requests

Development and Programming

Christopher Imrie (57 posts), 16 years ago

With the release of EE2.0 I wanted to know what method EllisLab would recommend for securing Ajax requests made by modules & fieldtypes inside the control panel. Is simply sending the session XID and checking for its existence in the database sufficient? Or are there other methods that EllisLab are promoting?

Bjørn Børresen (629 posts), 16 years ago

What do you mean by securing ajax requests? The request endpoint is a method in your module I assume, so at least that makes sure requests can only come from inside the CP.

Christopher Imrie (57 posts), 16 years ago

Yeah, for modules I guess everything is already secure. I suppose my question is more related to a fieldtype I was creating that had some AJAX functionality going on, but I have since realised that I should be combining it with a module so that I have a secure endpoint for my AJAX requests.

I was simply making things more complicated for myself!

Bjørn Børresen (629 posts), 16 years ago

Ok, yeah, it's always good to think about these things. I asked because I was interested in knowing whether or not something I was doing could be a potential security risk, hehe.

Benjamin David (77 posts), 16 years ago

Hi there, I was wondering how I could do AJAX requests in the control panel.

I mean, in EE 2 and in the mcp file, when I do a:

$this->EE->load->view('myview');

It will return the whole Control Panel HTML page, but I'd rather like to output some JSON instead.

Can it be done with "actions"? Thanks for helping!

Bjørn Børresen (629 posts), 16 years ago

I guess actions would be the way to go, yes. echo $json_output; die(); in your function would also work, but that seems a bit hacky.

Maybe someone from EllisLab has some best practice advice on this one?

Benjamin David (77 posts), 16 years ago

Thanks for the die tip, this will help while waiting for EllisLab's advice!

Christopher Imrie (57 posts), 16 years ago

I got a solution to this whilst exploring what I thought was a bug. The original thread is here: http://ellislab.com/forums/viewthread/148441/#722756

In addition to the well known

$this->EE->load->view()

which you can use for pretty much all of your CP pages for your module, ExpressionEngine 2.0 comes with an AJAX response loader, which only outputs JSON data, not the rest of the CP. You simply call it instead of the standard load->view method above and then supply it an array as its only argument.

$resp['some_message'] = 'something';

$this->EE->output->send_ajax_response($resp);

This will output nothing but JSON with the correct HTML MIME headers.

You can then call this method with something like this in jQuery:

$.ajax({
  type:     "POST",
  dataType: 'json',
  url:      EE.BASE+"&C=addons_modules&M=show_module_cp&module=your_module&method=some_ajax_method_being_called",
  // More code here:
});

Big thanks to Greg Aker for letting me know that this method existed.
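Added example (editor's illustration, not code from this thread, from EllisLab or from any shipped module): a module control-panel method that ties the two halves of the thread together by validating the session XID from the first post before answering with the send_ajax_response() call from the last one. The class name, the method name and the calls $this->EE->security->secure_forms_check(), $this->EE->input->get_post() and $this->EE->input->server() are assumed EE2/CodeIgniter APIs, not confirmed by the thread; the EE.XID JavaScript global in the comment is likewise assumed.

```php
<?php
// Added example, not part of the original thread.
// Assumed EE2 APIs: $this->EE->security->secure_forms_check($xid),
// $this->EE->input->get_post(), $this->EE->input->server().
// send_ajax_response() is the loader named in the thread.
class Your_module_mcp
{
    private $EE;

    public function __construct()
    {
        // Standard EE2 pattern for reaching the framework instance from an mcp class.
        $this->EE =& get_instance();
    }

    // Reached through the URL shape shown above:
    // EE.BASE+"&C=addons_modules&M=show_module_cp&module=your_module&method=some_ajax_method_being_called"
    public function some_ajax_method_being_called()
    {
        // State-changing endpoints should only accept POST. The CP JavaScript has to send the
        // token alongside its data, e.g. (assumed EE.XID global):
        //   $.ajax({type: "POST", dataType: "json", url: ..., data: {XID: EE.XID}, ...});
        if ($this->EE->input->server('REQUEST_METHOD') !== 'POST')
        {
            $this->EE->output->send_ajax_response(array('error' => 'POST required'));
            return;
        }

        // The XID is bound to the logged-in session and consumed when checked, so a request
        // that only knows the URL (a cross-site request from another page, a replayed call)
        // is rejected here rather than silently acted on.
        $xid = $this->EE->input->get_post('XID');
        if ($xid === FALSE || ! $this->EE->security->secure_forms_check($xid))
        {
            $this->EE->output->send_ajax_response(array('error' => 'Invalid or missing XID'));
            return;
        }

        // Do the real work only after the token check has passed. Do not echo anything
        // before send_ajax_response(), or the JSON the client parses will be corrupted.
        $resp = array('some_message' => 'something', 'ok' => TRUE);
        $this->EE->output->send_ajax_response($resp);
    }
}
```

Because a used XID is consumed, a client that makes several requests in a row needs a fresh token for each one (or a token the CP refreshes for it); check the behaviour of the EE version you target before relying on this.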
