Hi,
Nice module.
I've tested this with the latest versions of Anynchronous, Page Renderer and Chrysalis theme.
To replicate on a fresh Drupal install: from the front page, as anonymous user, click on a link that goes to a restricted area of the website (eg. 'administration section').
Asynchronous should display the access denied page, instead it leaves the current page intact and only updates the url (so when you hit refresh you will actually get to the desired, denied, section).

Cheers

CommentFileSizeAuthor
#7 async_display_access_denied_1.patch874 bytesandreiashu
#1 async_display_access_denied.patch791 bytesandreiashu

Comments

andreiashu’s picture

andreiashu commented
Assigned: Unassigned » andreiashu
StatusFileSize
new async_display_access_denied.patch791 bytes

And here is the patch :)

andreiashu’s picture

andreiashu commented
Status: Active » Needs review
recidive’s picture

recidive commented

Hello andreiashu,

I'm glad you like the module.

Your patch looks good. Just a few questions:

+          var data = eval("(" + xhr.responseText + ")");

Is this the best way to parse json in jquery?

+          // silently fail ???

Maybe we should add a simple alert() saying some error ocurred for now?

Thank you.

andreiashu’s picture

andreiashu commented
Status: Needs review » Needs work

Hi recidive,
this

+          var data = eval("(" + xhr.responseText + ")");

was taken (and adapted) from jQuery's source code (version 1.3.2 line 3724):

			if ( type == "json" )
				data = window["eval"]("(" + data + ")");

So this is the same as doing $.ajax request of type json.

That being said, a little bit of more research I found out this: http://www.json.org/js.html:

To convert a JSON text into an object, you can use the eval() function. eval() invokes the JavaScript compiler. Since JSON is a proper subset of JavaScript, the compiler will correctly parse the text and produce an object structure. The text must be wrapped in parens to avoid tripping on an ambiguity in JavaScript's syntax.

var myObject = eval('(' + myJSONtext + ')');
The eval function is very fast. However, it can compile and execute any JavaScript program, so there can be security issues. The use of eval is indicated when the source is trusted and competent. It is much safer to use a JSON parser. In web applications over XMLHttpRequest, communication is permitted only to the same origin that provide that page, so it is trusted. But it might not be competent. If the server is not rigorous in its JSON encoding, or if it does not scrupulously validate all of its inputs, then it could deliver invalid JSON text that could be carrying dangerous script. The eval function would execute the script, unleashing its malice.

To defend against this, a JSON parser should be used. A JSON parser will recognize only JSON text, rejecting all scripts. In browsers that provide native JSON support, JSON parsers are also much faster than eval. It is expected that native JSON support will be included in the next ECMAScript standard.

Even that json.org says that eval is not safe, in our case it is "safe" enough. If someone gets to inject JS on the server side then we have bigger problems anyway.

Maybe we should add a simple alert() saying some error ocurred for now?

I think that maybe having the "Loading..." message at the top of the page saying something like "We're sorry, an error occured. Please try to refresh your page" might be better :)

Cheers

recidive’s picture

recidive commented

Hello,

"Even that json.org says that eval is not safe, in our case it is "safe" enough. If someone gets to inject JS on the server side then we have bigger problems anyway."

Fair enough :)

"I think that maybe having the "Loading..." message at the top of the page saying something like "We're sorry, an error occured. Please try to refresh your page" might be better :)"

Sure, anything now will do the trick, in the long run we may want to provide some functions to modify the "Loading..." message.

Can I assume you're working on the patch? Looking forward to commit it ;)

andreiashu’s picture

andreiashu commented

Yes,
I'll resubmit this night or tomorrow another patch :)

cheers

andreiashu’s picture

andreiashu commented
Status: Needs work » Needs review
StatusFileSize
new async_display_access_denied_1.patch874 bytes

Here it is.

Cheers

recidive’s picture

recidive commented
Status: Needs review » Fixed

Commited a slight modified version of the patch.

Added an alert for now, as the error was being added to the bottom of the page. Added some notes that we need a better error reporting tool.

Thank you very much!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.