[SOLVED] Backoffice ajax call authentication

[deuterit]

I've written module (prestashop 1.4.x) with tab in backoffice and it works fine.

 

File structure looks like that:

/modules/mymodule/mymodule.php

/modules/mymodule/AdminMymodule.php

/modules/mymodule/ajax.php

/modules/mymodule/[... other files ...]

 

Now I want to make ajax call to file ajax.php using uri: "/modules/mymodule/ajax.php".

Of course there's no problem with ajax call itself

I want this file only check if user is logged in backoffice and do some simple stuff without initializing all admin functions.

The problem is i can not verify if user is logged in backoffice (admin cookie path is set to "/admin").

 

The only way I found is to call admin tab or module configuration page (eg. index.php?tab=AdminMymodule&token=blabla&ajax) but it loads all admin features and is about 4-5 times slower.

 

Im just curious, does anyone have nice solution for such ajax calls in backoffice?

Edited March 11, 2013 by ziq (see edit history)

[axelmdp]

Hello ziq. I know what your problem is. The fact is that it's not feasible to access to a cookie with the admin path from a different path.

 

So, all possible solutions will be "workarounds". And I can suggest you one:

 

I'd use a strategy like this:

On your admin-hook module or tab content generation function, include an encrypted token, along with an employee ID, and send both parameters to your ajax php file. For example:

 

//inside the tab content generator
global $cookie;
$idEmployee = (int)$cookie->id_employee_logged;
$timeGenerated = time();
$cryptToken = md5($idEmployee . _COOKIE_KEY_ . $timeGenerated);

//this is a sample, it has to be located inside a <script> tag, it performs an ajax call using jQuery
$html .= '$.ajax({
  type: "POST",
  url: "'._MODULE_DIR_.'/mymodule/ajax.php",
  data: "cryptToken=' . $cryptToken . '" +
  "&idEmployee=' . $idEmployee . '"+
  "&timeGenerated='.$timeGenerated.'"  //and other data parameters
//other ajax parameters...
});
';

 

On your ajax php file, check that you are receiving the expected data as is shown below:

 

//settings.inc.php has the define for _COOKIE_KEY_ ... it has only around 20 defines sentences, so it won't take too much time to load.
require(dirname(__FILE__). '/../../config/settings.inc.php');
//you can define this value as you whish.
$MAX_TIME = 60*10;
//GET THE PARAMETERS
$idEmployee = (int)$_POST['idEmployee'];
$timeGenerated = (int)$_POST['timeGenerated '];
//Generate the expected token
$cryptToken = md5($idEmployee . _COOKIE_KEY_ . $timeGenerated);
//validate that the token is correct and the time has passed less than MAX_TIME
if($_POST['cryptToken'] == $cryptToken AND ((time()-$timeGenerated)<$MAX_TIME) ) {
 //do your ajax stuff here :-)
}

 

Of course, this approach can't verify that the employee is still logged... but at least you can limit the max_time to allow the request since the orginal page was loaded. It's suppossed to work ok most of the times. So I hope it help you to do what you want. If this has answered to your question, you can edit the post and mark it as solved.

 

Best Regards,

 

 

Axel

------------------

Check this cool modules (must have) :

LoginAsCustomer for PS1.5

Cart Details

Edited March 12, 2013 by axelmdp (see edit history)

[deuterit]

Nice solution axel! Thank you