  1. Moodle
  2. MDL-50374

Allow redirect when AJAX_SCRIPT=1 but request is not xmlhttprequest


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 2.9
    • Fix Version/s: None
    • Component/s: General, Libraries
    • Labels:
      None
    • Affected Branches:
      MOODLE_29_STABLE

      Description

      When AJAX_SCRIPT==1, redirects are not allowed:

      function redirect($url, $message='', $delay=-1) {
          if (CLI_SCRIPT or AJAX_SCRIPT) {
              // This is wrong - developers should not use redirect in these scripts but it should not be very likely.
              throw new moodle_exception('redirecterrordetected', 'error');
          }
      

      However, redirects are desirable in an AJAX script if the script has been accessed directly by the browser, i.e. if someone accesses my pure AJAX script by going to the URL, I want to redirect them to the main page.

      An example core script:
      <moodle>/course/category.ajax.php
      This uses require_login(); require_login will fail with an error because it depends on redirect() internally, which is disallowed by script_ajax.

      It also means we can't do something like this:

      if (empty($_SERVER['HTTP_X_REQUESTED_WITH']) || strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
          // No access or not ajax request.
          redirect($CFG->wwwroot.'/index.php/');
      }
      

      which gracefully deals with people accessing AJAX scripts directly.
      My suggestion is to do something like:

      function redirect($url, $message='', $delay=-1) {
          // Refuse to redirect only when the request really is an XMLHttpRequest.
          if (CLI_SCRIPT or (AJAX_SCRIPT && isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')) {
              // This is wrong - developers should not use redirect in these scripts but it should not be very likely.
              throw new moodle_exception('redirecterrordetected', 'error');
          }
      

      i.e. if AJAX_SCRIPT is set and the request is AJAX (xmlhttprequest), then throw an exception
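
Editor's added example, not part of the reporter's description and not Moodle code: a plain-PHP sketch of an AJAX-only endpoint that answers direct browser navigation with a redirect and XHR callers with JSON. The function names, the `login_required` error code and the `moodle.example` URL are hypothetical; because `X-Requested-With` is set by the client, it only selects the response format here, and the login check never depends on it.

```php
<?php
// Added example: plain PHP, no Moodle APIs. All function names are hypothetical.

/** True only when the client sent X-Requested-With: XMLHttpRequest. */
function is_xhr_request(array $server): bool {
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

/**
 * Decide how an AJAX-only endpoint should answer.
 * The header is client-controlled, so it picks the response format only;
 * the login check comes first and is the same for both kinds of caller.
 */
function plan_response(array $server, bool $loggedin, string $home): array {
    $xhr = is_xhr_request($server);
    $json = ['Content-Type: application/json'];
    $gohome = ['status' => 303, 'headers' => ['Location: ' . $home], 'body' => ''];

    if (!$loggedin) {
        // XHR callers get a machine-readable error; browsers are sent away.
        return $xhr
            ? ['status' => 403, 'headers' => $json,
               'body' => json_encode(['error' => 'login_required'])]
            : $gohome;
    }
    if (!$xhr) {
        // Direct navigation by a logged-in user: send them to the main page.
        return $gohome;
    }
    return ['status' => 200, 'headers' => $json, 'body' => json_encode(['ok' => true])];
}

// Constructed sample requests (only the relevant $_SERVER key is shown).
$home = 'https://moodle.example/index.php';
$cases = [
    'xhr, logged in'     => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], true],
    'xhr, anonymous'     => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], false],
    'browser, logged in' => [[], true],
    'browser, anonymous' => [[], false],
    // Header present but not an XHR marker: treated as direct navigation.
    'other header value' => [['HTTP_X_REQUESTED_WITH' => 'com.example.app'], true],
];
foreach ($cases as $label => [$server, $loggedin]) {
    $r = plan_response($server, $loggedin, $home);
    printf("%-20s -> %d %s\n", $label, $r['status'], $r['headers'][0]);
}
```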

              People

              Assignee:
              dobedobedoh Andrew Lyons
              Reporter:
              berserkk Ben Kelada
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)