feat: block direct access of ajax endpoints for guest users

baumrock · Apr 13, 2024 · 3c14dcd · 3c14dcd
1 parent 876d421
commit 3c14dcd
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/RockFrontend.module.php b/RockFrontend.module.php
@@ -465,14 +465,23 @@ protected function ajaxAddEndpoints(): void
         if (in_array($base, $added)) continue;
         $added[] = $base;
         $this->wire->addHook("/ajax/$base", function (HookEvent $event) use ($endpoint) {
-          // make htmx endpoints only available via ajax
-          // superusers are allowed to access them directly (for debugging)
-          $sudo = $this->wire->user->isSuperuser();
           $isHtmx = isset($_SERVER['HTTP_HX_REQUEST']) && $_SERVER['HTTP_HX_REQUEST'];
           $ajax = $this->wire->config->ajax || $isHtmx;
 
-          if (!$ajax and $sudo) return $this->ajaxDebug($endpoint);
-          else return $this->ajaxPublic($endpoint);
+          // ajax or no ajax?
+          if (!$ajax) {
+            // show debug screen for pw superusers
+            if ($this->wire->user->isSuperuser()) {
+              return $this->ajaxDebug($endpoint);
+            } else {
+              // guest and no ajax: no access!
+              http_response_code(403);
+              return "Access Denied";
+            }
+          } else {
+            // render public endpoint (ajax response)
+            return $this->ajaxPublic($endpoint);
+          }
         });
       }
     }