
I'm trying to build some CRM tools that send emails to my sales guys and link back to pages inside the Magento Admin. I've been building the URLs like this:

Mage::getUrl('*/quotes/edit', array('id'=>$quote->getQuoteId(), '_current'=>true))

The problem is it only sends them to the dashboard. I'm assuming it is because the setting for "_current" is changed when they login, thus invalidating the link and sending them to the default page. Any ideas on how I could make a link into the Admin that doesn't include the session in the url?

Chris
    security keys fail and you end up in dashboard – Anton S Apr 21 '11 at 14:57
  • @Anton S right.. I'm trying to figure out how to append the security keys.. is there a way to do that? – Chris Apr 21 '11 at 15:24
  • Sure, you can disable the security token; however, I bet you can't fake it in e-mail content, and you have to fix the _current stuff – Anton S Apr 21 '11 at 20:56
  • A possible alternative tactic would be to create a frontend controller that simply bounces visitors to the admin page. That way the current security key might be appended automatically, otherwise the new controller needs to be admin and override the `preDispatch` where the keys are checked. To keep things safe the URL emailed to staff should include a one-use token. I have no idea if this is possible. – clockworkgeek Apr 22 '11 at 17:21
  • @clockworkgeek - I've been trying to do exactly what you suggested and I'm getting no joy. I can get it to redirect, but for some reason the key that is created is different from the one that should get them to the right URL. It's puzzling. I'll probably end up disabling the security key as suggested below. – Chris Apr 26 '11 at 01:32

2 Answers


I came up with the following that turns off the secret key based on the action name:

public function preDispatch()
{
    // Skip the secret-key check for the 'update' action only; the parent
    // preDispatch() still validates the key for every other action.
    if ($this->getRequest()->getActionName() == 'update') {
        Mage::getSingleton('adminhtml/url')->turnOffSecretKey();
    }
    parent::preDispatch();
}

Tested in ver 1.6.2.0. Paste that in your controller; don't forget to change the action name 'update' to yours, or remove the if statement to affect all actions within your controller.

kiatng
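Carrying clockworkgeek's one-use-token suggestion through kiatng's preDispatch() hook, here is an added example; it is not code from this thread and not Magento core code. The secret key stays enabled globally and is turned off for a single request only when the emailed link carries a signed, expiring, single-use token bound to the action name and the record id. Every name is an assumption: a module Example_Crm registered under the adminhtml admin router with a quotes controller and an edit action, Mage::app()'s cache as the one-use store, and the crypt key from app/etc/local.xml as the HMAC key. The controller's own action methods are omitted.

```php
<?php
/**
 * Added example (not from the thread above, not Magento core code).
 * Hypothetical module Example_Crm registered under the "adminhtml" admin
 * router, controller "quotes", action "edit". One-use store: Mage::app()'s
 * cache. HMAC key: the crypt key from app/etc/local.xml. Needs PHP >= 5.6.
 */
class Example_Crm_Adminhtml_QuotesController extends Mage_Adminhtml_Controller_Action
{
    const TOKEN_PARAM  = 'dl_token';
    const TOKEN_TTL    = 86400;           // emailed links expire after 24 hours
    const CACHE_PREFIX = 'crm_deeplink_';

    /** For the mailer: the admin URL that goes into the e-mail, token instead of secret key. */
    public static function buildDeepLink($quoteId)
    {
        $quoteId  = (int)$quoteId;
        $token    = self::issueToken('edit', $quoteId);
        $urlModel = Mage::getSingleton('adminhtml/url');
        $urlModel->turnOffSecretKey();
        $link = $urlModel->getUrl('adminhtml/quotes/edit', array(
            'id'              => $quoteId,
            self::TOKEN_PARAM => $token,
        ));
        $urlModel->turnOnSecretKey();     // restore for other URLs built in this request
        return $link;
    }

    /** Mint a token bound to one action and one record: "expires-nonce-hmac". */
    public static function issueToken($action, $recordId, $ttl = self::TOKEN_TTL)
    {
        $expires = time() + (int)$ttl;
        $nonce   = Mage::helper('core')->getRandomString(32);
        $mac     = self::sign(self::payload($action, $recordId, $expires, $nonce));
        $token   = $expires . '-' . $nonce . '-' . $mac;
        // Remember it so it can be spent exactly once; the entry expires with the link.
        Mage::app()->saveCache('1', self::cacheId($token), array(), $ttl);
        return $token;
    }

    /** True exactly once per token; tampered, expired or replayed tokens fail. */
    public static function consumeToken($token, $action, $recordId)
    {
        $parts = explode('-', (string)$token);
        if (count($parts) !== 3 || !ctype_digit($parts[0]) || (int)$parts[0] < time()) {
            return false;                 // malformed or expired
        }
        list($expires, $nonce, $mac) = $parts;
        $expected = self::sign(self::payload($action, $recordId, $expires, $nonce));
        if (!hash_equals($expected, $mac)) {   // constant-time compare
            return false;
        }
        $cacheId = self::cacheId($token);
        if (!Mage::app()->loadCache($cacheId)) {
            return false;                 // never issued, already spent, or cache flushed
        }
        Mage::app()->removeCache($cacheId);   // spend it
        return true;
    }

    public function preDispatch()
    {
        $request = $this->getRequest();
        $token   = $request->getParam(self::TOKEN_PARAM);
        // Spend the token only on a logged-in GET: before login the secret key is not
        // checked anyway, and the login form re-requests this same URL afterwards, so
        // spending it earlier would burn the token before it could be used.
        if ($token !== null
            && !$request->isPost()
            && Mage::getSingleton('admin/session')->isLoggedIn()
            && self::consumeToken($token, $request->getActionName(), (int)$request->getParam('id'))
        ) {
            Mage::getSingleton('adminhtml/url')->turnOffSecretKey();   // this request only
        }
        // Everything else still gets the parent's secret-key check and the dashboard bounce.
        return parent::preDispatch();
    }

    private static function payload($action, $recordId, $expires, $nonce)
    {
        return implode('|', array((string)$action, (string)(int)$recordId, (string)$expires, $nonce));
    }

    private static function sign($payload)
    {
        // The install's crypt key doubles as HMAC key; a dedicated key in local.xml would be cleaner.
        $key = (string)Mage::getConfig()->getNode('global/crypt/key');
        return hash_hmac('sha256', $payload, $key);
    }

    private static function cacheId($token)
    {
        return self::CACHE_PREFIX . hash('sha256', $token);
    }
}
```

The mailer calls buildDeepLink($quoteId) and puts the result in the e-mail; a token minted for the edit action of one quote verifies against nothing else, which is the point of binding the action name and id into the HMAC. Two caveats: loadCache()/removeCache() are not atomic, so two requests arriving in the same instant could both pass, and a database row deleted in a single statement closes that window if it matters; flushing cache storage invalidates every outstanding link, which fails closed. POST actions are untouched, since they are guarded by the form key rather than the secret key, so keep destructive operations behind POST.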

Disabling the secret key in admin URLs should solve your problem.

To disable the secret key in admin URLs:

  • Login to admin
  • Go to System -> Configuration -> ADVANCED -> Admin -> Security -> Add Secret Key to URLs
  • Select No
  • Save Config
Mukesh Chapagain
  • are there any real security concerns from disabling this feature? I mean what does the secret key on the URLs really gain for me? – Chris Apr 22 '11 at 11:08
  • 4
    Magento says that it has added secret key to URL for CSRF (Cross-site request forgery) Attack Prevention. You may learn more about CSRF here:- http://en.wikipedia.org/wiki/Cross-site_request_forgery – Mukesh Chapagain Apr 22 '11 at 11:20
  • 5
    actually Magento is REST so providing a link to delete all customers to your salesman would do a very nasty joke for the business – Anton S Apr 24 '11 at 08:30