Ajax.php

[tsarma]

Code:

// Code from Ajax.php 
// Allow do bypass the token check if a known token is passed in
if (isset($_GET['bypassToken']) && ((is_array($_SESSION['REQUEST_TOKEN'][TL_MODE]) && in_array($_POST['REQUEST_TOKEN'], $_SESSION['REQUEST_TOKEN'][TL_MODE])) || $_SESSION['REQUEST_TOKEN'][TL_MODE] == $_POST['REQUEST_TOKEN']))
{
	define('BYPASS_TOKEN_CHECK', true);
}

I am using Ajax.php to get a FE module in lightbox. The function is triggered by a link on the page, so how can I set $_POST['REQUEST_TOKEN'] and set BYPASS_TOKEN_CHECK to true?

[thyon]

I guess you just use

ajax.php?bypassToken=1&ajax1=xxx&ajax2=xxxx

[tsarma]

Yes, I have set it like you said, as

Code:

new Request.JSON({
                        url: 'ajax.php?bypassToken=1'
});

but in the if clause of the ajax.php snippet above condition applied is '&&' is not '||', and with ajax.php?bypassToken=1&ajax1=xxx&ajax2=xxxx you are sending $_GET variable. Where as in the ajax.php it is checking for $_POST['REQUEST_TOKEN'].

Thanks for your response

[winanscreative]

You're still going to need a valid request token, current or previous, one way or another. ajax.php is still checking for a known token to be passed in order to disable the check after it gets it. It's not going to let you simply bypass the token check altogether at that point.

You could define it as a variable in your FE page template the same way it is done on the BE (var REQUEST_TOKEN=xxxxxx in the <head>) and then simply grab it from there in your AJAX script. Or you could set it in your template on the link itself so it can be passed to your script directly:

Code:

<a href="#" onclick="MyFunction({'token:'{{request_token}}', module_id:XX})">

and then add it as a POST value on your Request.

Hopefully 2.11 will simplify things a little bit with the single token per session, but it will still need to be passed the same way I imagine. Hope this helps!

[tsarma]

Thanks a lot for helping, Now with following code it Rocks.

Code:

function getMod() {
	 		new Request.JSON({
                        url: 'ajax.php',
                        method: 'get',
					    data : 'bypassToken=1&action=fmd&g=1&id=MY_MOD_ID,
					    onSuccess: function(responseText) {
							    DO MY STUFF HERE
					    	}
                    }).send();
}

window.addEvent('domready',function() {
		$('someLinkId').addEvent('click', function(e) {
			e.preventDefault();
			getMod();
		});
	});

Here I am not passing SESSION_TOKEN but it works. I can't remember why it failed when I tried in the first time.