How can I add an .href security exception?

[Xonox]

Hi,

I really like PW's href security, however, I was having difficulties to post to an ajax call to a custom script because of it. After some trial and error, I came to the conclusion that the problem was here:

# Block access to any PHP or markup files in /site/templates/
RewriteCond %{REQUEST_URI} (^|/)(site|site-[^/]+)/templates($|/|/.*\.(php|html?|tpl|inc))$ [OR]

So after commenting this line, all was working. However I would like to keep the security, adding an exception to the following file:

 

site/templates/scripts/xcrud/xcrud_ajax.php

Is it possible to add this exception to the .href file? How can I do that?

 

Thank you.

[diogo]

Welcome to the forum!

You could of course add an exception to that file only on the href, but IMO the best way to do this is to have that file as a normal PW template and create a page with it, then, just call the page instead of the file:

example.com/utilities/xcrud (or whatever you want)

[Xonox]

Hi Diogo,

Thanks for your input. It would be a great idea, but I'm afraid it won't work for what I intend to do. The file I mentioned (xcrud_ajax.php) is called by the script itself, not by me and I want to keep the script contained, so that I don't have to keep making changes whenever I update it.

I tried to make your option work, I did some changes to the script configuration files to see if it would manage it, but to no avail. I really don't want to make changes to the script core. However I'll try to investigate a bit more that option because it might even solve a session problem I'm having with it.

Thanks.

[diogo]

You can also put the file on the root of the website and call it directly, the .href rules are prepared to bypass the index if you call an existing file (that would imply moving the script also, probably).

[Xonox]

After messing around config and php templates I finally got the script to work.

Your idea of building a template to handle the ajax call was right on! I now have the script functioning inside its own folder with the ajax calls being handled by a page that has a special template that includes the script itself.

Two big advantages:

1. No need to make changes to .href;

2. The problem that I was having with this script session was solved. I guess that calling a PW page means that the session is kept intact.

Both problems were killing me for the past two days, I can now move on!

Thanks Diogo, always nice to have some discussion about alternatives to solve problems.

Greetings from Lisbon!!

[diogo]

You're welcome!

Greeting from the stormy Porto