  • Options
    edited April 2010
    @eleith thanks! I also have a question, perhaps you or someone knows the answer so I'll just throw it in here rather than creating a new thread.

    If I have a php page, which is outside of the vanilla2/garden framework, is there a way to check to see if the visitor is logged into the website forum and if so display something like "hello username!"? I looked into single sign on integration, but I don't really have another application I'm trying to integrate with per se. Any feedback is much appreciated.
  • Options
    if your forum is on another domain than your php page and you don't have single sign on integration, then the answer is no. (or it might be possible but not without complex cross domain setups)

    if your php page is just on another subdomain, then you can have the vanilla cookie set itself to the "" (a dot before the domain, can be set in the config file) such that the cookie will be visible across all subdomains, and you can use the /api/session call while passing through the vanilla session cookie to /api/session for verification.
  • Options
    @eleith makes sense. It is on the same domain, so I'll get to work on this and try to figure it out. Thanks again for your help and the API, it has really gone a long way in helping me figure this out.
  • Options
    @eleith can you double check the comment/add, please. I keep getting "You do not have credentials to post as this user" even though everything being submitted for the logged in user is correct.
  • Options
    i'll give it a shot next chance i get.

    i know for sure discussion/add works, so can you try that? if you can get it working, then i'll be convinced your authentication through proxy works, and will fix comment/add asap.

    if it doesn't work for you, then the transient key you are passing to the api is incorrect.
  • Options
    edited April 2010
    Hmmm no doesn't seem to work, even if I hardcode the transient key in. Perhaps I'm missing something from the form (it's been a long day)

    form action="" method="post">
    input type="hidden" id="CategoryID" name="CategoryID" value="1" />
    input type="hidden" id="Name" name="Name" value="<?php echo $name; ?>" />
    input type="hidden" id="TransientKey" name="TransientKey" value="<?php echo $key; ?>" />
    textarea id="Body" name="Body">
    input name="" type="submit" />

    both $name and $key come back as per the info in api/session. removed the opening < as it wouldn't let me post the code.
  • Options
    oh, that's my fault. actually, the field names need to be renamed as follows:


    i kept it this way (it's like this for vanilla originally), because i just reused the validation models internal to vanilla and did not want to rewrite my own.

    try again and let me know. i imagine for the comment/add, you'll need to replace Discussion with Comment (but again, i haven't verified)
  • Options
    that fixed it, working great now! thanks!
  • Options
    edited April 2010
    @eleith any idea if the variables can be passed to the api through the jquery $.ajax() ? or would curl work better?
  • Options
    if the page is on the exact same domain as your forums, then yes. however, if you are running the page on a subdomain, that will not work because ajax calls can not cross domains even if subdomain, http/https, or port numbers change.
  • Options
    what would, in your opinion, be the best course of action of passing the variables to the api/comment/add when the forums are in a subdomain? (comments being posted on while the api is at

    submitting a form directly to api/comment/add does work and the comment is posted, but then the user is looking at the api output when instead they should be redirected back to the page with the comments. Not sure if there is a workaround for that.
  • Options
    this is the situation i have as well. i haven't analyzed what would be best, i just focused on getting something working.

    i use only ajax calls. my ajax calls make requests to pages living on the same subdomain, and this controller proxies these requests to the forums which live on another subdomain and then returns the results through the ajax request.

    this way, my users can interact with the forum, without ever leaving the service. (i use the forum in a get satisfaction type plugin i wrote for the service).

    in the end, it's about what is best for your users. for mine, they are using a service, they don't want to be perusing a forum, just interact with it at times when they want to leave feedback about the service.
  • Options
    any way the data can be passed to the api as a string? ex: Comment/DiscussionID=1&Comment/CategoryID=1&Comment/Name=Name&Comment/TransientKey=123456&Comment/Body=textgoeshere

    or will that require rewriting the validation models?
  • Options
    you want to do a GET instead of a POST.

    since i'm using the vanilla's validation models, the answer is no. you could replace _POST with _GET, or add a check on _GET in their validation postback method, but i wouldn't recommend it.

    in general, you want to use POST when it changes things on the server, and POST has no limits on message passing like GET does, which is needed for things like passing the body of a comment.

    if you write a proxy, you could have your php proxy page do the post, but then only require a GET when using ajax to proxy your request.
  • Options
    Well that's the issue that I'm having with my proxy page, I can't seem to get it to do a post to the api, keeps returning "You do not have credentials to post as this user" for me. I guess I'll keep playing with it.
  • Options
    paste some sample code, and i can take a look at it.
  • Options
    edited April 2010
    this is what I'm currently experimenting with, but not sure if it's the right direction. my php skills are a bit ancient :)

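    //extract data from the post

    //set POST variables
    $url = '';
    $fields = array(
        //field names and values are missing from the post as published
    );

    //url-ify the data for the POST
    $fields_string = '';
    foreach($fields as $key=>$value) { $fields_string .= urlencode($key).'='.urlencode($value).'&'; }
    $fields_string = rtrim($fields_string, '&');

    //open connection
    $ch = curl_init();

    //set the url, number of POST vars, POST data
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
    //return the response as a string instead of printing it
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    //execute post
    $result = curl_exec($ch);

    //close connection
    curl_close($ch);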

    Basically I've been trying to post the variables to the api through cURL
  • Options
    even though you have a transient key, you'll still need to make the post as the user (transient key is used only to protect against cross site scripting attacks).

    so you'll want to capture either your service's user cookie/session, or the vanilla cookie session and then run:

    //sets header of request to contain the cookies in $cookie_string
    curl_setopt($ch, CURLOPT_COOKIE, $cookie_string);

    when executing this, the api should then be able to validate the user by the cookie, and then validate the use of the api by the transient key, and this should get you around the problems you ran into.
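
The fix described in the post above, as an added example that is not part of the original thread: a PHP proxy page that accepts POST only and forwards the visitor's forum session cookie together with the transient key to api/comment/add. The API URL, the cookie name Vanilla, and the Comment/... field names (taken from the query string quoted earlier in the thread) are assumptions.

```php
<?php
// Added example, not code from the thread. FORUM_API is a placeholder and
// COOKIE_NAME is an assumed name for the forum's session cookie.
const FORUM_API   = 'https://forums.example.com/api/comment/add';
const COOKIE_NAME = 'Vanilla';

// Posting a comment changes server state: accept POST only, never GET.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
// Without the forum session cookie there is no user to post as.
if (empty($_COOKIE[COOKIE_NAME])) {
    http_response_code(401);
    exit;
}

// Forward a fixed set of fields; anything else in the request is dropped.
$fields = array(
    'Comment/DiscussionID' => (int) ($_POST['DiscussionID'] ?? 0),
    'Comment/TransientKey' => (string) ($_POST['TransientKey'] ?? ''),
    'Comment/Body'         => (string) ($_POST['Body'] ?? ''),
);
if ($fields['Comment/DiscussionID'] < 1
    || $fields['Comment/TransientKey'] === ''
    || trim($fields['Comment/Body']) === '') {
    http_response_code(400);
    exit;
}

$ch = curl_init(FORUM_API);
curl_setopt_array($ch, array(
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($fields), // url-encodes every value
    CURLOPT_RETURNTRANSFER => true,                      // capture the response
    CURLOPT_TIMEOUT        => 10,
    // Send only the forum session cookie, not every cookie the browser sent.
    CURLOPT_COOKIE         => COOKIE_NAME . '=' . rawurlencode($_COOKIE[COOKIE_NAME]),
));
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($result === false || $status !== 200) {
    http_response_code(502);
    exit;
}
// The thread does not state the API's output format; serving it as plain
// text keeps the browser from rendering forum content as HTML.
header('Content-Type: text/plain; charset=utf-8');
echo $result;
```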
  • Options
    that works! that's exactly what I was missing. thanks @eleith you're a life saver!
  • Options
    i actually like your idea of using vanilla as a repository of comments. how are you setting it up? one category for everything, and then one discussion per article in your system, and the threads are just comments in that discussion?