Forum Discussion

sguillemot's avatar
sguillemot
Contributor
11 years ago

Recreate Contact ME Buttons

Hi Community !

 

Context:

 

I tried to recreate with the Freemakers and the REST API, the buttons we can find in the users.widget.contact-me component. I need some of these buttons to use them in a custom one.

 

If I take the Add Friends button as an example. The link structure is the following :

/t5/user/v2/viewprofilepage.addfriend/user-id/7?t:ac=user-id/7&t:cp=notes/contributions/contactactions&ticket=O-E-OfblJ14j_5

 

I see 4 elements:

  • /t5/user/v2/viewprofilepage.addfriend/user-id/n
  • t:ac=user-id/n
  • t:cp=notes/contributions/contactactions
  • ticket=x

 

Where [n] is the User ID. I find it in the Freemarkers context :

  • ${page.context.user.id} or ${user.id}, depending on the page context

 

Where [x] is the ticket string.

 

 

My question:

 

Where can I call the [x] variable? How to generate it?

 

I didn’t find anything concerning this ticket string in the doc and in the community posts (nothing inside the REST API or Freemarkers docs).

 

I only found a Session ID string in the REST API:

  • /restapi/vc/authentication/sessions/current/id (link here)
  • It seems that it’s not the same string type than the ticket

 

Other "discovery", about this REST call (Post):

  • /restapi/vc/users/id/5/addressbook/contacts/friends/add (link here)
  • But I can’t create a link with this call… I can only create an action (AJAX post ?)
    • I’m not a fan of this solution: the session ID would be reachable by anyone...

 

Maybe I'm doing wrong? Beforehand, thank you for your help and your lights ! :smileyhappy:

 

Best regards,

 

Stéphane

3 Replies

Sort By
  • YuriK's avatar
    YuriK
    Khoros Expert
    11 years ago

    Hey Stéphane,

     

    The token (ticket) is there to prevent Cross-Site Request Forgery (Wikipedia: Cross-site request forgery). We don't currently have a way to generate or retrieve the ticket. The Session ID represents a Rest API session specifying the authenticated user.

     

    I think you have a few options to move forward with depending on your use case:

     

    1. Use skinning to achieve what you want: You may be able to use our default component but adjust it using CSS and possibly some light javascript
    2. Use the AJAX approach with Rest API as you mentioned below: We have a configuration that allows you to use our cookie-based authentication for API calls (Rest API Authentication). This way you won't have to deal with the Session ID. Note: You would want to make sure to test this thoroughly and get this implementation reviewed by security so that you are not creating any CSRF vulnerabilities.
    3. Create a custom component that references the users.widgets.contact-me component (Take a look at the referencing a component section of Working with components). You can then hide other portions of the contact-me component contained in your component using css.

     

    Hope this helps,

     

    Yuri

  • sguillemot's avatar
    sguillemot
    Contributor
    11 years ago

    Hi YuriK ,

     

    Thank you for your answer.

     

    Indeed, I already thought about these solutions. And for the security reasons, I'm not comfortable with the cookie too... :smileysurprised:

     

    I managed to recreate the ticket via JS. I saw that an hidden input always contains this ticket value:

    <input type="hidden" name="ticket" value="xxxxxxxxx">

     

    So, with jQuery :

     

    theTicket = jQuery('input[name=ticket]').attr('value');
    theLink = jQuery('.addtoFriendBut');
    theLink.attr('href',theLink.attr('href')+theTicket);

     

    With the HTML / Freemarker part :

    <a class="addtoFriendBut" href="/t5/user/v2/viewprofilepage.addfriend/user-id/${page.context.user.id}?t:ac=user-id/${page.context.user.id}&t:cp=notes/contributions/contactactions&ticket=">ADD ME !!!</a>

     

    Not optimum because of the JS... but maybe it can help... :)

     

     

    Best regards,

     

    Stéphane

  • YuriK's avatar
    YuriK
    Khoros Expert
    11 years ago

    Hey Stéphane,

     

    Thank you for sharing, glad you found something that worked for you.

     

    Thank you,

     

    Yuri