fix(views): prevent direct calls to an ajax view

fixes #4959
Elgg · Apr 11, 2015 · 3b5993b · 3b5993b
1 parent 251022f
commit 3b5993b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/engine/lib/elgglib.php b/engine/lib/elgglib.php
@@ -1474,6 +1474,12 @@ function _elgg_js_page_handler($page) {
  * @access private
  */
 function _elgg_ajax_page_handler($page) {
+	// the ajax page handler should only be called from an xhr
+	if (!elgg_is_xhr()) {
+		register_error(_elgg_services()->translator->translate('ajax:not_is_xhr'));
+		forward(null, '400');
+	}
+
 	if (is_array($page) && sizeof($page)) {
 		// throw away 'view' and form the view name
 		unset($page[0]);

diff --git a/languages/en.php b/languages/en.php
@@ -41,6 +41,7 @@
 	'actionunauthorized' => 'You are unauthorized to perform this action',
 
 	'ajax:error' => 'Unexpected error while performing an AJAX call. Maybe the connection to the server is lost.',
+	'ajax:not_is_xhr' => 'You cannot access AJAX views directly',
 
 	'PluginException:MisconfiguredPlugin' => "%s (guid: %s) is a misconfigured plugin. It has been disabled. Please search the Elgg wiki for possible causes (http://learn.elgg.org/).",
 	'PluginException:CannotStart' => '%s (guid: %s) cannot start and has been deactivated.  Reason: %s',