Again, as I've tried to explain many times already, $_REQUEST['HTTP_MODAUTH'] == 0 is wrong (this should be the proper value) and that is the problem to be solved.
Jason, what do we need $_SERVER['HTTP_MODAUTH'] for? We can just send the request header via AJAX. It's not correct for security.
Quote from: opengeek at Sep 12, 2013, 02:00 PM
Again, as I've tried to explain many times already, $_REQUEST['HTTP_MODAUTH'] == 0 is wrong (this should be the proper value) and that is the problem to be solved.
I understand it, but for some reason $_SESSION['modx.mgr.user.token'] gets the value 0. And the system does "not understand" that the session has expired, and we are not logged out, and sometimes get an Access denied error.
before those lines:
/* handle request */
$path = $modx->getOption('processorsPath',$modx->gallery->config,$galleryCorePath.'processors/');
Quote from: pawelmil at Sep 16, 2013, 07:50 AM
before those lines:
/* handle request */
$path = $modx->getOption('processorsPath',$modx->gallery->config,$galleryCorePath.'processors/');
You also may do this: in /core/model/modx/modconnectorresponse.php
replace $siteId = $this->modx->user->getUserToken($this->modx->context->get('key')); with
$_SERVER['HTTP_MODAUTH'] = $siteId = $this->modx->user->getUserToken($this->modx->context->get('key'));
It's really not good, but no less good than inserting this in many connectors.
Quote from: tillilab at Sep 16, 2013, 10:17 AM
Quote from: Fi1osof at Sep 16, 2013, 08:23 AM
You also may do this: in /core/model/modx/modconnectorresponse.php
replace $siteId = $this->modx->user->getUserToken($this->modx->context->get('key')); with
$_SERVER['HTTP_MODAUTH'] = $siteId = $this->modx->user->getUserToken($this->modx->context->get('key'));
It's really not good, but no less good than inserting this in many connectors.
Does this also fix the problem when uploading files, i.e. from TinyMCE or from a TV?
Thanks
From all, because all connectors use modConnectorResponse.
By doing this, you are basically disabling all security checks on your site. If the validation that is supposed to be checked to ensure you have a valid request is bypassed by setting it server side on every request, you are circumventing MODX security.
If someone cares to explore why the value being sent in the REQUEST is getting set to 0 in these environments, we can start to address the actual problem being experienced here.
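What the reply above describes, as an added example that is not part of the thread and not MODX source code: a simplified model of a per-session request-token check, showing that copying the expected token into $_SERVER['HTTP_MODAUTH'] on the server makes requests that never carried the token pass. The function names, the session key user_token and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration with hypothetical names; not MODX source code.
// A token is issued at login, kept in the session, and sent back by the
// manager's AJAX code in a request header that the connector checks.

function issueToken(array &$session): string {
    $session['user_token'] = bin2hex(random_bytes(16));
    return $session['user_token'];
}

// Accept only a non-empty client-supplied token equal to the session's.
function tokenIsValid(array $server, array $session): bool {
    $expected = $session['user_token'] ?? '';
    $supplied = $server['HTTP_MODAUTH'] ?? '';
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return false; // expired session, missing token, or a stray 0
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// The workaround from the thread: overwrite the header value server side
// with the expected token, so the check compares the token with itself.
function applyWorkaround(array $server, array $session): array {
    $server['HTTP_MODAUTH'] = $session['user_token'] ?? '';
    return $server;
}

$session = [];
$token = issueToken($session);

// Constructed sample requests.
$requests = [
    'manager AJAX call with token' => ['HTTP_MODAUTH' => $token],
    'request without token'        => [],
    'request with token 0'         => ['HTTP_MODAUTH' => '0'],
];

foreach ($requests as $label => $server) {
    $plain   = tokenIsValid($server, $session);
    $patched = tokenIsValid(applyWorkaround($server, $session), $session);
    printf("%-30s check: %-6s with workaround: %s\n",
        $label, $plain ? 'pass' : 'reject', $patched ? 'pass' : 'reject');
}
```

With the workaround applied every row passes, so the check no longer distinguishes the manager's own requests from any other request made in the logged-in session.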