Policy Automation for B2C Service

    Custom control with ajax callback (Answered)
    Topic posted June 20, 2016 by Alastair Calderwood, last edited June 20, 2016

    I have created a PHP custom control with 2 fields and a button to retrieve a LOV from SvC and add it to a dropdown on screen. The data retrieval is via an ajax callback to another PHP class using GET. When tested standalone, the ajax "success" callback option executes and the dropdown is populated, and this works in both Development and Production mode. However, when added to OPA as a custom control, the control displays but the ajax "error" callback is executed. The text of the error is "Internal Server Error".

    Is there any security restriction on the use of ajax callbacks in OPA custom controls?

    Is there a way to log debug info / stack trace of the error in Production mode? I have tried to use FirePHP but this is not permitted on SvC.

    The relevant ajax code is attached.

    Thanks!

    Version:
    OPA 12 - May 2016
    Best Comment

    Scott Berry

    The problem is that the script returned is not supplying a fully qualified URL, only "EmailControlAjax", so when the interview screen renders the page the JavaScript is making a GET request to https://[your site]/[opa web-determinations]/investigate/[deployment name]/[language]/EmailControlAjax which obviously isn't correct.

    You could fix the URL, but I would instead minimise the number of calls between OPA and OSvC by implementing the data retrieval in your php file, because at the moment it is going OPA -> POST data to OSvC custom control URL -> return php with javascript script -> script calls back to OSvC -> return data to OPA and render.

    But lastly, and this may block what you're attempting to do, calls to custom controls aren't secured by OSvC's authentication, so if your PHP returns all the emails of a particular Contact just by supplying the Contact's ID, then anybody could similarly send a POST request to that URL with a range of Contact IDs and get a nice collection of email addresses. The request isn't sent within the context of a Service Cloud session or its authentication.
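
Added example, not part of the original thread or the poster's code: how a browser resolves an ajax target against the interview page URL, with a check that flags targets that never reach the OSvC host. The hostnames, the deployment name and the `/cc/` endpoint path are constructed placeholders.

```javascript
// Constructed sample values: hostnames, deployment name and endpoint path
// are placeholders, not taken from the thread.
const INTERVIEW_PAGE =
  "https://opa.example.com/web-determinations/investigate/SampleDeployment/en-GB/";
const OSVC_ORIGIN = "https://osvc.example.com";

// Resolve an ajax target the way the browser does: a relative reference is
// resolved against the URL of the page running the script (the OPA interview
// screen), not against the server that generated the script.
function resolveAjaxTarget(target, pageUrl = INTERVIEW_PAGE) {
  const resolved = new URL(target, pageUrl);
  const page = new URL(pageUrl);
  return {
    href: resolved.href,
    reachesOsvc: resolved.origin === OSVC_ORIGIN,
    crossOrigin: resolved.origin !== page.origin,
  };
}

// Classify a target before embedding it in the script returned to OPA.
function checkTarget(target) {
  const r = resolveAjaxTarget(target);
  if (!r.reachesOsvc) return `wrong host: ${r.href}`;
  return r.crossOrigin
    ? `ok, cross-origin: ${r.href}`
    : `ok, same-origin: ${r.href}`;
}

const candidates = [
  "EmailControlAjax",                             // relative, as in the thread
  "/cc/EmailControlAjax",                         // path-absolute: still the OPA host
  "//osvc.example.com/cc/EmailControlAjax",       // scheme-relative
  "https://osvc.example.com/cc/EmailControlAjax", // fully qualified
];
for (const c of candidates) {
  console.log(c.padEnd(46), "->", checkTarget(c));
}
```

A target that passes the check is cross-origin from the interview page, so the browser applies its cross-origin request rules to the call.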

    Comment

     

    • Alastair Calderwood

      Many thanks, this was indeed the issue. Security was not a problem in this case - an access control header was sufficient - but could be in future projects. Basic authentication would be a useful feature for OSvC.