How to add CSRF to a custom front-end Magento Form (not using controller) - forms

I'd like to know how I can implement CSRF protection on a custom Magento front-end form (in the Mage system and located under the app/design/.../templates/page/ folder as a .phtml file) that POSTs to another custom PHP page (not in the Mage system and located at the root of the Magento folder) to handle the form post, send email, etc.
I already have the custom forms and handlers working fine. I just need to add CSRF protection to these forms and need some advice on how I can do this using Magento's built-in CSRF keys. I fully understand how to add the keys to the forms' .phtml pages, but I am not sure how to use the _validateFormKey() function in the form handler's PHP page (since it is not in the Mage system).
I am asking if this is possible as I do not want to have to create a custom module with a front-end page to handle the task, since the forms' .phtml and handler pages are already set up and working (without CSRF). And yes, I have already looked at this post: Magento CSRF protection.

Once the Magento application has been initialized you should be able to access the Magento request and session objects and validate the form key in your PHP script:
$requestFormKey = Mage::app()->getRequest()->getParam('form_key');
$sessionFormKey = Mage::getSingleton('core/session')->getFormKey();
// Require a non-empty string and compare in constant time: a loose == lets
// values such as "0e123" and "0e456" compare equal (hash_equals needs PHP 5.6+).
if (is_string($requestFormKey) && $requestFormKey !== ''
    && hash_equals($sessionFormKey, $requestFormKey)) {
    // go
}
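A complete stand-alone handler built on the approach in this answer, as an added example (not code from the original answer or from Magento itself). It assumes Magento 1.x with app/Mage.php next to the handler at the document root, that the .phtml embeds the key as a hidden form_key input, and that the form fields are named email and message; all of those names are assumptions.

```php
<?php
// handler.php at the Magento document root (added example, not Magento's own code).
// Bootstraps Magento so the same session the .phtml used is available here.
require_once __DIR__ . '/app/Mage.php';
Mage::app();

// Join the *frontend* session namespace explicitly. Without the name a standalone
// script starts its own session and getFormKey() would mint a fresh key that can
// never match the one embedded in the form. (Assumption: default 'frontend' name.)
$session = Mage::getSingleton('core/session', array('name' => 'frontend'));
$request = Mage::app()->getRequest();

/**
 * Mirror of what Mage_Core_Controller_Front_Action::_validateFormKey() does for
 * controllers, for a script that has no controller: POST only, key present,
 * key equal to the session's key, compared in constant time.
 */
function isValidFormKey(Mage_Core_Controller_Request_Http $request, Mage_Core_Model_Session $session)
{
    // Only state-changing requests need the check; refuse everything but POST outright
    // so the key cannot be supplied in a crafted link's query string.
    if (!$request->isPost()) {
        return false;
    }
    $submitted = $request->getPost('form_key', '');
    $expected  = $session->getFormKey(); // creates one if missing, so a missing key never "matches"
    if (!is_string($submitted) || $submitted === '' || !is_string($expected) || $expected === '') {
        return false;
    }
    // hash_equals (PHP 5.6+) avoids loose-comparison juggling and timing leaks.
    return hash_equals($expected, $submitted);
}

if (!isValidFormKey($request, $session)) {
    header('HTTP/1.1 403 Forbidden');
    echo 'Invalid or missing form key.';
    exit;
}

// From here on, the existing handler logic runs unchanged (assumed field names).
$email   = trim((string)$request->getPost('email', ''));
$message = trim((string)$request->getPost('message', ''));
if (!Zend_Validate::is($email, 'EmailAddress') || $message === '') {
    header('HTTP/1.1 400 Bad Request');
    echo 'Please supply a valid email address and a message.';
    exit;
}
// ... send the email as the existing handler already does ...
```

The matching hidden input in the .phtml is the usual `<input type="hidden" name="form_key" value="<?php echo Mage::getSingleton('core/session')->getFormKey(); ?>" />`; if the handler ever answers with a 403 on a legitimate submit, the first thing to check is that both pages run under the same session cookie path and the same frontend session name.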

Related

eID REST interface with authentication in Typo3

I'm providing an eID page as a REST interface. Now I want to protect this page with an API key or similar. How can this be achieved in TYPO3 8.7?
Actually it looks like this can only be done by logging in via the frontend (FE) or backend (BE) and checking the login status in the eID controller class.
For TYPO3 v8, you should check out the EXT:restler extension instead of using eID.
eID is meant for calls where you have to do basically everything on your own.
For TYPO3 v9, the PSR-15 middleware concept allows to individually build custom REST APIs and integrations with other solutions like SlimPHP: https://github.com/b13/slimphp-bridge
You can expect a given URL parameter, maybe even as a POST parameter.
Put your eID page configuration (TypoScript) in a condition requiring this parameter to be set. Otherwise generate an error page.
If you want to handle multiple keys (maybe from a database table) you could use a userFunc for conditions.
If you want to handle a login in the call you need to initialize more of the TYPO3 frontend. Then identify the parameters from the login form (some are hidden) and provide them. AFAIK POST and GET parameters work.
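As an added example of the userFunc approach suggested in this answer (this is not TYPO3 core code or part of any extension), the following function can back a `[userFunc = user_restApiKeyIsValid()]` TypoScript condition and can equally be called at the top of the eID script itself. Assumptions: the client sends the key in an X-Api-Key header (falling back to an api_key GET/POST parameter), the server keeps only SHA-256 digests of issued keys, and the file is loaded from a site extension's ext_localconf.php; the function names and the key values are made up for the example.

```php
<?php
// Added example; function names, header name and keys are assumptions.
use TYPO3\CMS\Core\Utility\GeneralUtility;

/** Return the key the client presented, or null when none was sent. */
function user_restApiKeyFromRequest()
{
    if (!empty($_SERVER['HTTP_X_API_KEY'])) {
        return (string)$_SERVER['HTTP_X_API_KEY'];
    }
    $fromParam = GeneralUtility::_GP('api_key');
    return (is_string($fromParam) && $fromParam !== '') ? $fromParam : null;
}

/**
 * Check a presented key against SHA-256 digests of the issued keys.
 * Only digests are stored, so a leaked config or table row does not leak
 * usable keys, and each comparison runs in constant time via hash_equals.
 */
function user_restApiKeyIsKnown($presented, array $digests)
{
    if (!is_string($presented) || $presented === '') {
        return false;
    }
    $candidate = hash('sha256', $presented);
    $match = false;
    foreach ($digests as $digest) {
        // Deliberately no early return: the loop always visits every digest,
        // so the response time does not reveal which key matched.
        if (hash_equals($digest, $candidate)) {
            $match = true;
        }
    }
    return $match;
}

/** Condition callback: [userFunc = user_restApiKeyIsValid()] */
function user_restApiKeyIsValid()
{
    // Constructed for the example: in production store only the hex digests
    // (hash('sha256', $key)) in your extension configuration or a DB table.
    $digests = array(
        hash('sha256', 'example-key-one'),
        hash('sha256', 'example-key-two'),
    );
    return user_restApiKeyIsKnown(user_restApiKeyFromRequest(), $digests);
}

// In the eID script the same check gates the response before any work is done:
// if (!user_restApiKeyIsValid()) { header('HTTP/1.1 401 Unauthorized'); exit; }
```

Reading the key from a header rather than the query string keeps it out of access logs and Referer headers; the parameter fallback is there only for clients that cannot set headers.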

Drupal 7 Webform redirect

We have a Drupal 7 webform that redirects to a url upon successful submission.
What we need to do is redirect the user if they land on the same webform again and have already submitted.
Do we need a module for this, or do it programmatically?
Thanks in advance.
I looked through the webform module and didn't find any setting that will redirect the user if the user has already submitted a form, so I think you need to do it programmatically.
Note: It might be possible without a custom module by using the rules module. I haven't tried this.
To do it programmatically you could do something like the following. It implements hook_node_view() and checks whether the user has already submitted anything by using the webform API function webform_get_submission_count(). (edit: the custom module in this example is called example_webform)
<?php
/**
 * Implements hook_node_view().
 */
function example_webform_node_view($node, $view_mode, $langcode) {
  global $user;
  // Only act on full-page views of nodes that actually carry a webform;
  // teasers and non-webform nodes must not trigger the redirect.
  if ($view_mode != 'full' || empty($node->webform)) {
    return;
  }
  module_load_include('inc', 'webform', 'includes/webform.submissions');
  $submission_count = webform_get_submission_count($node->nid, $user->uid);
  if (!empty($submission_count) && $submission_count > 0) {
    $redirect = $node->webform['redirect_url'];
    // '<confirmation>' and '<none>' are webform placeholders, not URLs; skip those.
    if (!empty($redirect) && strpos($redirect, '<') !== 0) {
      drupal_goto($redirect);
    }
  }
}
As it is now it will reuse the page that is used when the form is submitted, so if you choose to do this remember to make the success page reflect this. (E.g. it would be strange for the success page to say "your post has been saved" if the user lands on it for the second time.) Or you could replace the $redirect with another page than the one from the webform setting.
Also note that the webform will still add the message "You have already submitted this form. View your previous submissions." if this is enabled.
So here is the solution that we ended up going with.
I saved the webform and made it available as a block
I created a page to hold the webform
I configured the block to appear above the page content
In the page content I put in some javascript to detect if the form element was present - if not forward to the correct url
So the webform redirects correctly upon submission (set in the webform settings), and it then redirects if the user lands back on that page and has completed the webform.

Token is not getting a value when the form sent by email

I'm developing a basic recruitment-type website.
I have an "Apply" CustomForm attached to a content type ("Job"), but I can't access fields outside of the CustomForm widget. I'm trying to add the reference number or the URL to the email within the workflow. Orchard shows the {Content.Fields.Input-Reference} token, but it returns no value when used.
Should I overwrite the handler when the form is created or how can I access fields of other zones?
As far as I understand the question, you don't actually need to add a custom token to your module. Custom Forms module takes care of that for you and adds the tokens for fields itself. You just need to use them in the email module.
Just look for a tokens named like this:
Content.Fields.[FormContentTypeName].[FieldName]
Not that the tasks of adding custom tokens to the system and accessing them inside the workflow are particularly hard, mind you.

Allow form submission to server inside of angularJS?

According to the AngularJS docs, https://docs.angularjs.org/api/ng/directive/form:
"For this reason, Angular prevents the default action (form submission to the server) unless the element has an action attribute specified."
Is there any way to stop AngularJS doing this?
If you don't want the form submission to go down the browser-handled route, don't put the action attribute on the form; use the ng-submit directive instead, which basically calls a method on your controller and lets you send the data to the server via an XHR request.

redirect to custom php file after custom contact form is submitted in Magento

I made a CMS page to include a form I created but want the form action to send to /template/contacts/report.phtml
Currently I have this in my form but I know its not right.
<form action="report.phtml" id="contactForm" method="post">
Thanks for helping!
Magento has a built-in standard contact form. You can access it from the browser at www.yourdomain.com/contacts
That's managed by the controller in app/code/core/Mage/Contacts/controllers/IndexController.php and the function called
public function indexAction()
and the action on the form is in http://www.yourdomain.com/contacts/index/post/ which is managed by the same controller and a function called
public function postAction()
If your aim is to have a completely custom form (by adding extra fields), the Magento way is to create an extension with your own controllers that you can access from the browser.
or
the hacking way: you can create a new function called customAction() with the same code as postAction(). You can copy app/code/core/Mage/Contacts/controllers/IndexController.php and create a new file at app/code/local/Mage/Contacts/controllers/IndexController.php,
and copy the whole
public function postAction(){
until the close of the function.
}
and paste it and rename the function customAction(). And if you want to customise the redirection, you can change the code inside your customAction() from
Mage::getSingleton('customer/session')->addSuccess(Mage::helper('contacts')->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
$this->_redirect('*/*/');
to
Mage::getSingleton('customer/session')->addSuccess(Mage::helper('contacts')->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
// _redirect() treats its argument as a route path and builds a store URL from it,
// so an absolute URL has to go through _redirectUrl().
$this->_redirectUrl('http://yourdomain/redirect_url');
And the action on your form you can point to http://www.yourdomain.com/contacts/index/custom/
Hope that helps.
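The "hacking way" above, written out as an added example (this is not Magento's shipped controller): a local copy of the contacts controller reduced to indexAction() and the new customAction(), with the form-key check that a custom POST handler should not skip and the absolute redirect done through _redirectUrl(). Assumptions: Magento 1.x, the core postAction() is copied in too if /contacts/index/post is still used, the success page is /thank-you on your own domain, and the form posts the standard name, email, comment and hideit fields.

```php
<?php
/**
 * app/code/local/Mage/Contacts/controllers/IndexController.php
 * Added example, not Magento's own file. A local override replaces the whole
 * class, so anything not defined here (e.g. postAction) is gone unless copied.
 */
class Mage_Contacts_IndexController extends Mage_Core_Controller_Front_Action
{
    const XML_PATH_EMAIL_RECIPIENT = 'contacts/email/recipient_email';
    const XML_PATH_EMAIL_SENDER    = 'contacts/email/sender_email_identity';
    const XML_PATH_EMAIL_TEMPLATE  = 'contacts/email/email_template';
    const XML_PATH_ENABLED         = 'contacts/contacts/enabled';

    public function preDispatch()
    {
        parent::preDispatch();
        if (!Mage::getStoreConfigFlag(self::XML_PATH_ENABLED)) {
            $this->norouteAction();
        }
    }

    public function indexAction()
    {
        $this->loadLayout();
        // Point the standard form at the new action instead of */*/post.
        $this->getLayout()->getBlock('contactForm')
            ->setFormAction(Mage::getUrl('*/*/custom'));
        $this->_initLayoutMessages('customer/session');
        $this->_initLayoutMessages('catalog/session');
        $this->renderLayout();
    }

    public function customAction()
    {
        $session = Mage::getSingleton('customer/session');
        $request = $this->getRequest();

        // CSRF: only a POST that carries the session's form key is accepted.
        // The template must render the hidden form_key input for this to pass.
        if (!$request->isPost() || !$this->_validateFormKey()) {
            $session->addError(Mage::helper('contacts')->__('Invalid form key. Please refresh the page and try again.'));
            return $this->_redirect('*/*/');
        }

        $post = $request->getPost();
        $translate = Mage::getSingleton('core/translate');
        $translate->setTranslateInline(false);
        try {
            $name    = trim((string)$request->getPost('name', ''));
            $email   = trim((string)$request->getPost('email', ''));
            $comment = trim((string)$request->getPost('comment', ''));
            $hideit  = trim((string)$request->getPost('hideit', ''));   // honeypot field

            $error = !Zend_Validate::is($name, 'NotEmpty')
                || !Zend_Validate::is($comment, 'NotEmpty')
                || !Zend_Validate::is($email, 'EmailAddress')
                || Zend_Validate::is($hideit, 'NotEmpty'); // a filled honeypot means a bot
            if ($error) {
                throw new Exception('validation failed');
            }

            $postObject = new Varien_Object();
            $postObject->setData($post);

            $mailTemplate = Mage::getModel('core/email_template');
            $mailTemplate->setDesignConfig(array('area' => 'frontend'))
                ->setReplyTo($email)
                ->sendTransactional(
                    Mage::getStoreConfig(self::XML_PATH_EMAIL_TEMPLATE),
                    Mage::getStoreConfig(self::XML_PATH_EMAIL_SENDER),
                    Mage::getStoreConfig(self::XML_PATH_EMAIL_RECIPIENT),
                    null,
                    array('data' => $postObject)
                );
            if (!$mailTemplate->getSentSuccess()) {
                throw new Exception('mail not sent');
            }
            $translate->setTranslateInline(true);

            $session->addSuccess(Mage::helper('contacts')->__('Your inquiry was submitted and will be responded to as soon as possible. Thank you for contacting us.'));
            // Absolute target, built from the store's own base URL so the redirect
            // cannot be pointed off-site by anything in the request. (Assumed path.)
            return $this->_redirectUrl(Mage::getBaseUrl() . 'thank-you');
        } catch (Exception $e) {
            $translate->setTranslateInline(true);
            $session->addError(Mage::helper('contacts')->__('Unable to submit your request. Please, try again later'));
            return $this->_redirect('*/*/');
        }
    }
}
```

Keeping the redirect target derived from Mage::getBaseUrl() rather than from a request parameter is what stops the new action from becoming an open redirect; a local override of a core controller also has to be re-checked after every Magento upgrade, since the copied class no longer receives core fixes.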