Prevent ajax form submission from console
This might be a general ajax validation security/workflow question: is there a way to prevent a form submission, proform specifically, from the console ($('#my_form').submit())?
In my case the form is for redeeming a rebate, so such a submission would create a vulnerability as even though there is an admin issuing the actual rebates, a confirmation email sent to a fraudulent user would create a claim for rebate, and extra validation/verification work.
Do I need to add another level of validation and can it still be ajax?
Type: Discussion
Status: New
After some thought and looking at how advanced forms do it, I think it might be a workflow problem as the validation and the saving script (action_entry_form_multipart in controller) are separated. I was able to submit an empty proform that has required fields, and that is a problem, I think, regardless of my aim.
I by no means have a grasp on all the proforms code, so I might be missing something
So, what you are after is to have the validation forced twice. Once in AJAX validation and once in post?
I think this is doable. Although, this is not something I will get to within the next day or so.
ChadStrat
One validation in the post and the validation and saving of a submission are at the same place and the saving is dependent on the validation
Not inventing anything here, just looking at the advanced forms implementation: they have the action of the form set to a helper in the /tools which validates and saves if the validation passes, and they ajax to that helper (in the view.php), and that seems to solve the console issue, for even if you make a fancy ajax call with data, more meaningful validation can be developed in the helper as needed.
Other than that, I think proform has a huge advantage of doing everything the concrete5 way, with attributes etc and I want to use it for the proj
Hope I make sense and am not wasting your time
Thanx
Please update to v2.6.0 and see if that works for you.
ChadStrat
Thanx that solves it.
For anybody who is interested and needs advanced security/validation in post can extend the validate_post function in the block controller.
What you are doing likely should be its own custom question type that sends/saves a random code to the logged-in user on form submit (only logged-in users can use it; this ensures that the email it is sent to is valid and not hacked). Then a single page with controller to redeem only once and mark that code as "used".
We would likely charge $350 to create this functionality for you.
ChadStrat
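
The server-side pattern discussed in this thread, as an added example that is not part of any post and is not ProForms or concrete5 code: validation and saving happen in one handler, and a random code issued on submit can be redeemed only once. It is plain PHP with PDO and in-memory SQLite; the table, column, field and function names are hypothetical.

```php
<?php
// Added example in plain PHP with PDO (SQLite in memory); not ProForms or
// concrete5 code. Table, column, field and function names are hypothetical.
declare(strict_types=1);
function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE claims (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
        receipt_no TEXT NOT NULL, code_hash TEXT NOT NULL UNIQUE, used_at TEXT)');
    return $db;
}

// Validation and saving sit in one server-side function: nothing is stored
// unless the posted data passes, however the request was produced.
function submitClaim(PDO $db, ?int $userId, array $post): array
{
    $errors = [];
    if ($userId === null) {
        $errors[] = 'login required';
    }
    $receipt = is_string($post['receipt_no'] ?? null) ? trim($post['receipt_no']) : '';
    if ($receipt === '') {
        $errors[] = 'receipt_no is required';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    $code = bin2hex(random_bytes(16)); // sent to the account's address; only its hash is stored
    $db->prepare('INSERT INTO claims (user_id, receipt_no, code_hash) VALUES (?, ?, ?)')
       ->execute([$userId, $receipt, hash('sha256', $code)]);
    return ['ok' => true, 'code' => $code];
}

// The UPDATE matches only an unused code that belongs to this user, so a repeat
// or concurrent attempt changes zero rows and is rejected.
function redeem(PDO $db, int $userId, string $code): bool
{
    $stmt = $db->prepare("UPDATE claims SET used_at = datetime('now')
        WHERE code_hash = ? AND user_id = ? AND used_at IS NULL");
    $stmt->execute([hash('sha256', $code), $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed sample requests
$db = openStore();
var_dump(submitClaim($db, 7, [])['ok']);            // empty post, as sent from the console
$claim = submitClaim($db, 7, ['receipt_no' => 'R-1001']);
var_dump(redeem($db, 7, $claim['code']), redeem($db, 7, $claim['code']));
```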