Get json from template with role through ajax.

[Manol]

Hi I'm trying to get some json formatted data through ajax from a template that has permission for certain role only.

If I'm logged as an admin in a tab and just call http://mydomain.com/getitems/ in a different tab a get the json data back. 

Here is my code.

PHP

<?php 

header('Access-Control-Allow-Origin: *');

foreach ( $items as $item) { 
  array_push($array, array( "label"  => $item ) ); 
}
echo json_encode($array);

JS

$http({
   method: 'POST',
   url: 'http://mydomain.com/getitems/'
})
.success(function (result) {
   console.log("result",result)
})
.error(function(data){
   console.log("error",data)
});	

It does work as long as the template containing the PHP code is guest available, but if I allow it to be visible by a role a get a null response, even if I'm logged in another tab in the same browser as administrator.

My question is:

Is there a way to send my credentials through the js call to get the data back?

Any help would be appreciated. Thank you.

[tpr]

Add the role name (or ID) as a post data (preferable with some kind of encoding/encrypting to make it more secure). Then you can get the role in your endpoint php file and do things accordingly.

http://api.jquery.com/jquery.ajax/

[Manol]

Thank you tpr.

     That is a good idea but I think a bit dangerous if you are getting  sensible data back, it would be too easy to hack, anyway I'm going to try it right now.

[tpr]

I would use php mcrypt for example where you can use a password. To make the encrypted role available for the JS, you should add a script tag in where you create a js variable (what you place there using php).

[BitPoet]

There's no reason why this shouldn't work, and there should be no complicated tricks involved in making it work. There's something else going wrong, probably in a part of a script not shown here. Letting JS pass on information that should already be implicitly available to PHP means hiding the problem, not solving it. Usually, AJAX requests should implictly pass on the cookie if the requested page is on the same server as the page requesting it. If you can verify that the wire cookies are getting sent along, you'll have to look for something else. Did you try stripping down your getitems script to the bare minimum, then clearing the cache to make sure you don't see stale data, and introspect the data sent and received in the browser's debugger?