manlio Posted March 8, 2017

Hi! I have a stupid question. Usually I leave ajax called files outside PW, but in the case I wanna leave them in the templates folder, which is the best approach to use?

Is it safe to create a unique template that can be associated with every ajax called file (for example based on the template's (sanitized) title)?

Just to explain it better, I could create a template like (simplified version)

    // Include the script whose path is stored in the page title
    $path = $page->title;
    include("$path");

and create a new page with this template for every ajax called script (changing the title accordingly).

Thank you!

Tom. Posted March 8, 2017

Hello,

I suppose there are loads of ways of doing this, and it mostly comes down to personal preference. I usually create a template called Ajax, then give the template the ability to use segments. I use segment 1 for the group and segment 2 for the action; the rest I use GET. Then each action can live in an Ajax folder. The ajax.php will look like:

    // Segment 1 selects the group, segment 2 the action
    if($input->urlSegment1 == "users") {
        if($input->urlSegment2 == "get") {
            wireIncludeFile("ajax/users/get", ["id" => $input->get->id]);
        }
        if($input->urlSegment2 == "update") {
            wireIncludeFile("ajax/users/update", ["id" => $input->get->id, "email" => $input->get->email]);
        }
    }

Then in ajax/users/get.php, for example, I do:

    return $users->get($id);

The Ajax request will be to the URL domain.com/ajax/users/get/?id=1039, for example.

Not sure if I'm answering your question here.

manlio Posted March 8, 2017 Author

Thank you Tom, partially you replied to my question because I learned a new interesting approach. Thanks! I think it would be useful also to see other approaches.

For my specific question, does anyone think it is a safety issue?

Thanks

Tom. Posted March 8, 2017

19 minutes ago, manlio said:
> Thank you Tom, partially you replied to my question because I learned a new interesting approach. Thanks! I think it would be useful also to see other approaches. For my specific question, does anyone think it is a safety issue? Thanks

I personally haven't had any issues, just make sure you do the standard checks that are built into ProcessWire's API https://processwire.com/api/ref/sanitizer/ and also make sure you do permission checks, such as when updating a user:

    $u = $users->get($id);
    if($user == $u) {
        // Do stuff here
    } else {
        // You don't have permission to edit this user
    }

If, for example, you have profile pages which are a page, you will have a Page Reference field that will store the user, then you can do:

    // get() returns a single Page; of() and save() are Page methods
    $p = $pages->get("template=profile, user=$user");
    $p->of(false);
    if($location) {
        $p->location = $sanitizer->text($location);
    }
    $p->save();

And the update URL will be: domain.com/users/update/?location=England

In the ajax.php file you don't want to pass $user as this is built in, however you do want to pass location:

    if($input->urlSegment1 == "users") {
        if($input->urlSegment2 == "get") {
            wireIncludeFile("ajax/users/get", ["id" => $input->get->id]);
        }
        if($input->urlSegment2 == "update") {
            wireIncludeFile("ajax/users/update", ["location" => $input->get->location]);
        }
    }

EDIT: Sorry, I didn't consider if you were using AJAX externally (websites on a different server). You will probably want some external authentication checks. You can create fields for Users; I would create a field called auth, salt the username and password, then you can do a check on the username and password salt and if it matches select that user as active:

    $ajaxUser = $users->find("auth=$salt");

manlio Posted March 8, 2017 Author

Thank you Tom, I am on the same server so no problem.
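
As an added example (not code from the thread or from ProcessWire): a plain-PHP sketch of the routing idea from the posts above, where the requested group and action only select an entry from a fixed list and never become part of the include path, unlike a path taken from a page title. The route table, function name and demo folder are assumptions made for illustration.

```php
<?php
// Added example: plain PHP, no ProcessWire dependency. All names are hypothetical.

// Fixed allowlist: "group/action" => file name relative to the ajax folder.
const AJAX_ROUTES = [
    'users/get'    => 'users/get.php',
    'users/update' => 'users/update.php',
];

/**
 * Return the absolute path of the script for a request, or null to reject.
 * $group and $action are the untrusted URL segments.
 */
function resolveAjaxScript(string $ajaxDir, string $group, string $action): ?string
{
    $key = "$group/$action";
    if (!array_key_exists($key, AJAX_ROUTES)) {
        return null;                       // not an action we ship
    }
    $base = realpath($ajaxDir);
    $file = realpath($ajaxDir . '/' . AJAX_ROUTES[$key]);
    // Defence in depth: the resolved file must exist and sit inside $ajaxDir.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: build a throwaway ajax folder with one script.
$dir = sys_get_temp_dir() . '/ajax_demo_' . bin2hex(random_bytes(4));
mkdir("$dir/users", 0700, true);
file_put_contents("$dir/users/get.php", '<?php return ["id" => $id];');

// Constructed requests: (segment 1, segment 2, raw id parameter).
$requests = [['users', 'get', '1039'], ['users', 'delete', '1'], ['..', 'config', '1'], ['users', 'get', '1039abc']];
foreach ($requests as [$group, $action, $rawId]) {
    $script = resolveAjaxScript($dir, $group, $action);
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($script === null || $id === false) {
        echo "$group/$action?id=$rawId -> rejected\n";
        continue;
    }
    // Include inside a closure so the script only sees the validated $id.
    $result = (function (string $__file, int $id) { return include $__file; })($script, $id);
    echo "$group/$action?id=$rawId -> " . json_encode($result) . "\n";
}
unlink("$dir/users/get.php"); rmdir("$dir/users"); rmdir($dir);  // clean up the demo folder
```

Only the first constructed request is served; the unknown action, the `..` segment and the non-integer id are all rejected before any file is included.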