Author Topic: [0.5] Reject AJAX calls if not logged in  (Read 3501 times)

Offline Vlad

« on: January 14, 2011, 08:57:16 AM »

if (empty($RCMAIL->user->ID)) {
  if ($OUTPUT->ajax_call)
    $OUTPUT->redirect(array(), 2000);

The above lines in index.php prevent sending AJAX calls ($rcmail->output->command(..)) if the user isn't logged in. I'm wondering, why is it there?

I'm trying to develop a plugin to reset a user's password. It's clear that the user cannot be logged in at this stage. However, I still want to use Roundcube's facilities to render standard forms, send requests and handle responses.

Offline rosali

« Reply #1 on: January 14, 2011, 09:08:51 AM »
Can't you set a dummy user id?
Regards,
Rosali
__________________
MyRoundcube Project (commercial)

Offline Vlad

« Reply #2 on: January 14, 2011, 09:30:50 AM »
Quote from: rosali;32428
Can't you set a dummy user id?


I could. But it's dirty and hacky and it's not the way it should be done.

And I could even hack the core and make an exception for my actions and maintain my own patch. But the question still remains, for what reason is it there?

Offline rosali

« Reply #3 on: January 15, 2011, 01:35:37 AM »
I think it is just there for security reasons. It locks Roundcube for any AJAX requests unless there is an authenticated session. I don't believe the devs will remove it. So I suggest being 'hacky'.
Regards,
Rosali
__________________
MyRoundcube Project (commercial)
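
Added example, not part of the thread and not Roundcube code: a small PHP model of the check quoted in the first post, comparing which AJAX actions a client without a real session can reach when a dummy user ID is set versus when the gate has an exact-match allowlist of pre-login actions. All function and action names are hypothetical, and only the quoted check is modelled, not any other checks Roundcube may apply.

```php
<?php
// Added illustration, not Roundcube code; every name here is hypothetical.

// Gate modelled on the index.php check quoted in the thread:
// an anonymous AJAX call is rejected, anything with a user ID is dispatched.
function core_gate(?int $userId, bool $isAjax): bool
{
    return !(empty($userId) && $isAjax);
}

// Variant with an exact-match allowlist of pre-login AJAX actions.
function allowlist_gate(?int $userId, bool $isAjax, string $action, array $prelogin): bool
{
    if (core_gate($userId, $isAjax)) {
        return true;
    }
    return in_array($action, $prelogin, true); // strict: no prefixes or wildcards
}

// Which of $actions can a client with no real session reach over AJAX?
function anonymous_reach(array $actions, callable $gate): array
{
    return array_values(array_filter($actions, $gate));
}

// Constructed action names for the demonstration.
$actions  = ['plugin.pwreset', 'list', 'show', 'send', 'save-prefs'];
$prelogin = ['plugin.pwreset'];

// Workaround 1: a dummy user ID is set before the gate runs.
$dummy = anonymous_reach($actions, function (string $a): bool {
    return core_gate(1, true);
});

// Workaround 2: the user ID stays empty, only listed actions pass.
$listed = anonymous_reach($actions, function (string $a) use ($prelogin): bool {
    return allowlist_gate(null, true, $a, $prelogin);
});

echo "dummy user ID: ", implode(', ', $dummy), "\n";
echo "allowlist:     ", implode(', ', $listed), "\n";
```

In this model the dummy user ID makes every action pass the gate, while the allowlist variant passes only the listed pre-login action.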