Jan Romero Posted April 9, 2020

Hi. This is kind of a dumb question, but I’ve been searching for days and couldn’t find an answer. I’m using an XMLHttpRequest to fetch some JSON from a page. This works as expected as long as I don’t send the header X-Requested-With: XMLHttpRequest. With the header, ProcessWire decides that I’m using the command line API and if something goes wrong, it shows detailed error messages to guest users (“This error message was shown because: you are using the command line API”). I appreciate that when debugging, but it would be nice if I could limit it to just superusers. Is there a setting for this? Thanks

horst Posted April 9, 2020

I don't think that there is a setting for only-for-superusers under CLI, as CLI itself only is for superusers. Maybe you can hook into error logging and fiddle that in?

Jan Romero Posted April 10, 2020

18 hours ago, horst said:
> CLI itself only is for superusers

But ProcessWire’s WireShutdown class considers everything hitting it with X-Requested-With: XMLHttpRequest to be CLI use. The way I see it, from a security perspective that makes the differentiation between public and detailed error messages completely useless: if you’re shown the public error, you can just resend the request with the header and any PW installation will gladly tell all.

It kinda didn’t occur to me to even look through the source, because I figured something like this would have a prominent setting somewhere, but now I think it just might be a bug? WireShutdown does this:

    $useHTML = isset($_SERVER['HTTP_HOST']); // is this an HTTP request where we can output HTML?
    […]
    // use text-only output if an http request that is ajax
    if($useHTML && $config->ajax) $useHTML = false;
    […]
    if($config->debug) {
        $why = $this->labels['debug-mode'] . " (\$config->debug = true; => /site/config.php).";
    } else if(!$useHTML) {
        $why = $this->labels['cli-mode'];
    }
    […]
    if($why) {
        $why = $this->labels['shown-because'] . " $why $who";
        $message = $this->amendErrorMessage($message);
        $this->sendErrorMessage($message, $why, $useHTML);
    } else {
        $this->sendFatalError($who, $useHTML);
    }

So for this purpose, sending two headers in your request is essentially equivalent to the site being in debug mode. That can’t be right?

Robin S Posted April 11, 2020

13 hours ago, Jan Romero said:
> now I think it just might be a bug?

I think you should open an issue for this at GitHub. In WireShutdown the combination of...

    // use text-only output if an http request that is ajax
    if($useHTML && $config->ajax) $useHTML = false;

...and...

    } else if(!$useHTML) {
        $why = $this->labels['cli-mode'];
    }

...means that every AJAX request is wrongly treated as being CLI mode.

Jan Romero Posted April 11, 2020

@Robin S Thanks for confirming that! I submitted an issue and a PR I’m not too sure about.

https://github.com/processwire/processwire-issues/issues/1143
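
Added example (not part of the thread and not ProcessWire's code): a simplified PHP model of the excerpt quoted above, next to one assumed way to keep the "is this CLI?" test separate from the output format. The function names, the `$ajax` parameter standing in for `$config->ajax`, and the sample requests are constructed for illustration; this does not represent the change proposed in the linked issue.

```php
<?php
// Added illustration: a simplified model of the excerpt quoted in this thread,
// not ProcessWire's code. Function names and sample data are hypothetical.

/** Decision as quoted: the output-format flag doubles as the "is CLI" test. */
function whyDetailedAsPosted(array $server, bool $ajax, bool $debug): ?string {
    $useHTML = isset($server['HTTP_HOST']);
    if ($useHTML && $ajax) $useHTML = false;   // AJAX: text-only output
    if ($debug) return 'debug-mode';
    if (!$useHTML) return 'cli-mode';          // also reached by every AJAX request
    return null;                               // generic fatal error only
}

/** Assumed correction: decide "is CLI" independently of the output format. */
function whyDetailedSeparated(array $server, bool $ajax, bool $debug): array {
    $isCli = !isset($server['HTTP_HOST']);     // no Host header: not an HTTP request
    $useHTML = !$isCli && !$ajax;              // AJAX still gets text-only output
    $why = $debug ? 'debug-mode' : ($isCli ? 'cli-mode' : null);
    return [$why, $useHTML];
}

// Constructed sample requests: [label, $_SERVER subset, ajax flag, debug flag]
$cases = [
    ['browser page load',         ['HTTP_HOST' => 'example.test'], false, false],
    ['XHR with X-Requested-With', ['HTTP_HOST' => 'example.test'], true,  false],
    ['real command line',         [],                              false, false],
    ['XHR, debug on',             ['HTTP_HOST' => 'example.test'], true,  true],
];

foreach ($cases as [$label, $server, $ajax, $debug]) {
    $posted = whyDetailedAsPosted($server, $ajax, $debug);
    [$fixed, $html] = whyDetailedSeparated($server, $ajax, $debug);
    printf("%-26s as posted: %-10s separated: %-10s format: %s\n",
        $label, $posted ?? 'generic', $fixed ?? 'generic', $html ? 'html' : 'text');
}
```

Only the second row differs between the two columns: the quoted logic reports `cli-mode` for an ordinary AJAX request, while the separated version still returns text output but falls back to the generic error.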