Rev 579 | Rev 607 | ||
---|---|---|---|
Line 27... | Line 27... | ||
27 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
27 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
28 | } |
28 | } |
29 | 29 | ||
30 | $json_out = null; |
30 | $json_out = null; |
31 | 31 | ||
32 | OIDplus::authUtils()->checkCSRF(); |
- | |
33 | - | ||
34 | if (isset($_REQUEST['plugin']) && ($_REQUEST['plugin'] != '')) { |
32 | if (isset($_REQUEST['plugin']) && ($_REQUEST['plugin'] != '')) { |
35 | 33 | ||
36 | // Actions handled by plugins |
34 | // Actions handled by plugins |
37 | 35 | ||
38 | $plugin = OIDplus::getPluginByOid($_REQUEST['plugin']); |
36 | $plugin = OIDplus::getPluginByOid($_REQUEST['plugin']); |
39 | if (!$plugin) { |
37 | if (!$plugin) { |
40 | throw new OIDplusException(_L('Plugin with OID "%1" not found',$_REQUEST['plugin'])); |
38 | throw new OIDplusException(_L('Plugin with OID "%1" not found',$_REQUEST['plugin'])); |
41 | } |
39 | } |
42 | 40 | ||
43 | if (!OIDplus::baseconfig()->getValue('DISABLE_AJAX_TRANSACTIONS',false) && OIDplus::db()->transaction_supported()) { |
- | |
44 | OIDplus::db()->transaction_begin(); |
- | |
45 | } |
- | |
46 | - | ||
47 | $params = array(); |
41 | $params = array(); |
48 | foreach (array_merge($_POST,$_GET) as $name => $val) { |
42 | foreach (array_merge($_POST,$_GET) as $name => $val) { |
49 | if (($name != 'action') && ($name != 'plugin')) { |
43 | if (($name != 'action') && ($name != 'plugin')) { |
50 | $params[$name] = $val; |
44 | $params[$name] = $val; |
51 | } |
45 | } |
52 | } |
46 | } |
53 | 47 | ||
54 | if (isset($_REQUEST['action']) && ($_REQUEST['action'] != '')) { |
48 | if (isset($_REQUEST['action']) && ($_REQUEST['action'] != '')) { |
- | 49 | if ($plugin->csrfUnlock($_REQUEST['action'])) { |
|
- | 50 | originHeaders(); // Allows queries from other domains |
|
- | 51 | OIDplus::authUtils()->disableCSRF(); // allow access to ajax.php without valid CSRF token |
|
- | 52 | } |
|
- | 53 | ||
- | 54 | OIDplus::authUtils()->checkCSRF(); |
|
- | 55 | ||
- | 56 | if (!OIDplus::baseconfig()->getValue('DISABLE_AJAX_TRANSACTIONS',false) && OIDplus::db()->transaction_supported()) { |
|
- | 57 | OIDplus::db()->transaction_begin(); |
|
- | 58 | } |
|
- | 59 | ||
55 | $json_out = $plugin->action($_REQUEST['action'], $params); |
60 | $json_out = $plugin->action($_REQUEST['action'], $params); |
56 | if (!is_array($json_out)) { |
61 | if (!is_array($json_out)) { |
57 | throw new OIDplusException(_L('Plugin with OID %1 did not output array of result data',$_REQUEST['plugin'])); |
62 | throw new OIDplusException(_L('Plugin with OID %1 did not output array of result data',$_REQUEST['plugin'])); |
58 | } |
63 | } |
59 | if (!isset($json_out['status'])) $json_out['status'] = -1; |
64 | if (!isset($json_out['status'])) $json_out['status'] = -1; |
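Review bot: Moving `OIDplus::authUtils()->checkCSRF();` from its old unconditional position (old line 32) into the `if (isset($_REQUEST['action']) ...)` block (new line 54) means a request on the plugin path that carries `plugin` but no `action` now passes new line 64 without any CSRF check; new lines 65–71 are elided on this page, so whether anything state-changing can run there should be confirmed, and if nothing does, a short comment at new line 54 stating that the check is intentionally scoped to actions would make that explicit. The `csrfUnlock()` branch at new lines 49–52 couples two decisions, disabling the CSRF check and emitting `originHeaders()`, so a plugin that unlocks an action also answers it cross-origin; I would document that contract at new line 49 with `// csrfUnlock() must only return true for actions that are safe without a CSRF token AND safe to answer cross-origin (no session-bound side effects)`. The same conditional move applies to `transaction_begin()` at new line 56; if the matching commit or rollback in the elided lines is unconditional, that path deserves a look too. The enclosing plugin branch starts before this hunk and its closing `} else {` lies in the next hunk.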
Line 67... | Line 72... | ||
67 | 72 | ||
68 | } else { |
73 | } else { |
69 | 74 | ||
70 | // Actions handled by the system (base functionality like the JS tree) |
75 | // Actions handled by the system (base functionality like the JS tree) |
71 | 76 | ||
- | 77 | OIDplus::authUtils()->checkCSRF(); |
|
- | 78 | ||
72 | if (isset($_REQUEST['action']) && ($_REQUEST['action'] == 'get_description')) { |
79 | if (isset($_REQUEST['action']) && ($_REQUEST['action'] == 'get_description')) { |
73 | // Action: get_description |
80 | // Action: get_description |
74 | // Method: GET / POST |
81 | // Method: GET / POST |
75 | // Parameters: id |
82 | // Parameters: id |
76 | // Outputs: JSON |
83 | // Outputs: JSON |