没有登录的情况下在Magento的管理中自定义控制器?
没有登录的情况下在Magento的管理中自定义控制器?
提问于 2015-01-29 14:20:08
我正在尝试覆盖Adminhtml的IndexController,以下是源码:
class T2_AjaxAdmin_Adminhtml_IndexController extends Mage_Adminhtml_IndexController
{
/**
* Administrator ajax login action
*/
public function ajaxAction()
{
$jsonData = array();
$this->getResponse()->setHeader('Content-type', 'application/json');
$this->getResponse()->setBody(Mage::helper('core')->jsonEncode($jsonData));
exit();
}
}我的配置文件
<?xml version="1.0"?>
<config>
<admin>
<routers>
<adminhtml>
<args>
<modules>
<T2_AjaxAdmin before="Mage_Adminhtml">T2_AjaxAdmin_Adminhtml</T2_AjaxAdmin>
</modules>
</args>
</adminhtml>
</routers>
</admin>
</config>我刚刚发现,从Adminhtml扩展的任何控制器都会首先重定向到登录页面。
我该怎么做才能防止这种情况发生?
回答 1
Stack Overflow用户
回答已采纳
发布于 2015-01-29 18:39:05
您可能必须查看app/code/core/Mage/Admin/Model/Observer.php,它可能会限制“打开操作”的列表(未登录)。
您必须查看一下第51行:
$requestedActionName = $request->getActionName();
$openActions = array(
'forgotpassword',
'resetpassword',
'resetpasswordpost',
'logout',
'refresh' // captcha refresh
);
if (in_array($requestedActionName, $openActions)) {
$request->setDispatched(true);
}在同一文件的后面,他们还检查参数forwarded,因此基于该参数,您可以欺骗Magento并访问我们的控制器,而无需登录。
所以我刚刚为你做了一个检查,这是我这边的工作:
class B_Enoit_TestController extends Mage_Adminhtml_Controller_Action
{
public function preDispatch ()
{
Mage::app ()->getRequest ()->setParam ( 'forwarded', true );
return parent::preDispatch ();
}
public function indexAction ()
{
die ( 'I am in without login' );
}
}因此,您必须知道,这只是基于此文件app/code/core/Mage/Admin/Model/Observer.php的内容的一个旁路
深入了解:
public function actionPreDispatchAdmin($observer)
{
// some code I omit for shorten purpose
$request = Mage::app()->getRequest();
$user = $session->getUser();
$requestedActionName = $request->getActionName();
$openActions = array(
'forgotpassword',
'resetpassword',
'resetpasswordpost',
'logout',
'refresh' // captcha refresh
);
// so this test the current action against the list of open actions, which don't have to redirect to login, as seen above
if (in_array($requestedActionName, $openActions)) {
$request->setDispatched(true);
} else {
if($user) {
$user->reload();
}
// So after reloading the user, it checks if this admin user really exists
if (!$user || !$user->getId()) {
// this below condition test if we come from the login page and if we are currently trying to log in
if ($request->getPost('login')) {
// some code I omit for shorten purpose
}
// This test the query param forwarded so it is from reading this line that I created my working example
if (!$request->getParam('forwarded')) {
// some code I omit for shorten purpose
}
}
}
$session->refreshAcl();
}看起来他们把它放在了通过json或ajax访问管理数据的地方,就像你正在尝试做的那样,所以我认为这是适合你的方式。您必须理解,控制器的preDispatch中的Mage::app ()->getRequest ()->setParam ('param','value')就像是伪装来将其作为查询参数传递。
实际上,如果你试图像这样访问一个控制器:
class B_Enoit_TestController extends Mage_Adminhtml_Controller_Action
{
public function indexAction ()
{
die ( 'I am in without login' );
}
}通过url http://www.example.com/admin/test/index/forwarded/1/,它将工作,它不会将您重定向到登录,即使它扩展了Mage_Adminhtml_Controller_Action
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/28208164
复制相关文章
相似问题