diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
new file mode 100644
index 000000000..09ab45b33
--- /dev/null
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -0,0 +1,26 @@
+setHeader('Access-Control-Allow-Origin', '*');
+ $origin = $request->getHeader('Origin');
+ if (($origin != "") &&
+ (!in_array($origin,
+ array("http://www.airtime.pro",
+ "https://www.airtime.pro",
+ "http://" . $_SERVER['SERVER_NAME'],
+ "https://" . $_SERVER['SERVER_NAME']
+ ))
+ ))
+ {
+ //Don't allow CORS from other domains to prevent XSS.
+ throw new Zend_Controller_Action_Exception('Forbidden', 403);
+ }
+ }
+}
\ No newline at end of file
diff --git a/airtime_mvc/application/controllers/BillingController.php b/airtime_mvc/application/controllers/BillingController.php
index 696c69319..3d9ad8588 100644
--- a/airtime_mvc/application/controllers/BillingController.php
+++ b/airtime_mvc/application/controllers/BillingController.php
@@ -15,7 +15,7 @@ class BillingController extends Zend_Controller_Action
 {
 public function indexAction()
 {
-
+ $this->_redirect('billing/upgrade');
 }
 public function upgradeAction()
diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
index 7c18f5dc6..c3d9e0d89 100644
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
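Review bot: `Access-Control-Allow-Origin: *` is written on the first line of the hunk before the allow-list below it is consulted, so every accepted response advertises a wildcard instead of the one origin that was vetted, and browsers refuse a wildcard on credentialed (cookie-carrying) requests — presumably what a cross-site auto-login needs — while the 403 path has already emitted it before throwing. Echo the matching origin instead and add `Vary: Origin` so a shared cache cannot replay one origin's answer to another; the rewrite below does that. Two smaller points: if I recall Zend_Controller_Request_Http correctly, `getHeader()` returns `false` when the header is absent, so the `!= ""` test passes only through loose comparison and should test `false` explicitly rather than be tightened to `!==`; and an allow-list built from `$_SERVER['SERVER_NAME']` is only as trustworthy as the web server's canonical-name setting (Apache with `UseCanonicalName Off` derives it from the client's Host header), which deserves a comment. The comment `//Don't allow CORS from other domains to prevent XSS.` also misnames the threat — the check limits cross-origin reads, not script injection — so I would write `//Refuse cross-origin requests from origins we don't trust (CORS is not an XSS control).`. The class header and method signature of this new file were lost in the rendering of this hunk, so the parameter types of `$request` and `$response` are not visible to me.
```php
        // … unchanged: class header and method signature (not visible in this hunk) …
        $origin = $request->getHeader('Origin');
        //NOTE: the two SERVER_NAME entries are only as trustworthy as the web server's
        //canonical-name configuration; they exist because Chrome sends Origin on
        //same-origin requests too.
        $allowedOrigins = array("http://www.airtime.pro",
                                "https://www.airtime.pro",
                                "http://" . $_SERVER['SERVER_NAME'],
                                "https://" . $_SERVER['SERVER_NAME']);
        //getHeader() yields false when no Origin header was sent (plain same-origin
        //navigation); only a present, unlisted origin is refused.
        if ($origin !== false && $origin !== "") {
            if (!in_array($origin, $allowedOrigins, true)) {
                //Refuse cross-origin requests from origins we don't trust (CORS is not an XSS control).
                throw new Zend_Controller_Action_Exception('Forbidden', 403);
            }
            //Echo the vetted origin rather than '*' so credentialed requests are
            //permitted by the browser, and tell caches the answer depends on Origin.
            $response->setHeader('Access-Control-Allow-Origin', $origin);
            $response->setHeader('Vary', 'Origin');
        }
```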
@@ -1,6 +1,7 @@ getRequest();
+ $response = $this->getResponse();
- //Allow AJAX requests from www.airtime.pro. We use this to automatically login users
- //after they sign up from the microsite.
- //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
- $response = $this->getResponse()->setHeader('Access-Control-Allow-Origin', '*');
- $origin = $request->getHeader('Origin');
- if (($origin != "") &&
- (!in_array($origin,
- array("http://www.airtime.pro",
- "https://www.airtime.pro",
- "http://" . $_SERVER['SERVER_NAME'],
- "https://" . $_SERVER['SERVER_NAME']
- ))
- ))
- {
- //Don't allow CORS from other domains to prevent XSS.
- throw new Zend_Controller_Action_Exception('Forbidden', 403);
- }
-
+ //Enable AJAX requests from www.airtime.pro for the sign-in process.
+ CORSHelper::enableATProCrossOriginRequests($request, $response);
+
 Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
 if (Zend_Auth::getInstance()->hasIdentity()) {
diff --git a/airtime_mvc/application/controllers/ShowbuilderController.php b/airtime_mvc/application/controllers/ShowbuilderController.php
index 48f766018..9d7b36d49 100644
--- a/airtime_mvc/application/controllers/ShowbuilderController.php
+++ b/airtime_mvc/application/controllers/ShowbuilderController.php
@@ -1,5 +1,7 @@ getRequest();
-
+ $response = $this->getResponse();
+
+ //Enable AJAX requests from www.airtime.pro because the autologin during the seamless sign-up follows
+ //a redirect here.
+ CORSHelper::enableATProCrossOriginRequests($request, $response);
+
 $baseUrl = Application_Common_OsPath::getBaseDir();
 $user = Application_Model_User::GetCurrentUser();
diff --git a/airtime_mvc/public/index.php b/airtime_mvc/public/index.php
index 38f607f33..8ad8856b1 100644
--- a/airtime_mvc/public/index.php
+++ b/airtime_mvc/public/index.php
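Review bot: The removed comment block carried the one non-obvious fact about this check — that Chrome sends `Origin` on same-origin requests too, which is why the server's own hostname is on the allow-list — and the replacement comment `//Enable AJAX requests from www.airtime.pro for the sign-in process.` does not preserve it; now that the logic lives in CORSHelper, that rationale should travel with it, and the call site should say that the helper throws a 403 for any unrecognised origin before localisation or the identity check runs. I would write the call-site comment as `//Enable AJAX requests from www.airtime.pro for the sign-in process; any other cross-origin request is refused with a 403 by the helper.`. The start of indexAction and the file's first hunk (`@@ -1,6 +1,7 @@`) were lost in the rendering of this page, so I cannot see how `CORSHelper` is brought into scope in this file.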
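Review bot: Enabling CORS on the show-builder index lets www.airtime.pro read an authenticated page cross-origin, and the comment `//Enable AJAX requests from www.airtime.pro because the autologin during the seamless sign-up follows a redirect here.` does not say whether the microsite actually consumes this response or merely needs the redirected request not to fail the CORS check; if it is only the latter, say so, because that decides whether this call can be dropped later. As I understand the Fetch redirect rules, a cross-origin request that is then redirected to yet another origin is re-sent with `Origin: null`, which the helper's allow-list rejects, so this only works while the login redirect stays on the same host — worth recording in the comment. The opening of indexAction is not visible in this hunk.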
@@ -46,6 +46,9 @@ if (file_exists('/usr/share/php/libzend-framework-php')) {
 //Upgrade directory
 set_include_path(APPLICATION_PATH . '/upgrade/' . PATH_SEPARATOR . get_include_path());
+//Common directory
+set_include_path(APPLICATION_PATH . '/common/' . PATH_SEPARATOR . get_include_path());
+
 /** Zend_Application */
 require_once 'Zend/Application.php';
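Review bot: Prepending `/common/` to the include path, the same way `/upgrade/` is prepended on the line above, means any file placed in `common/` now shadows a same-named file in `upgrade/` and in the Zend library for every `require_once` and autoload lookup, so the one-word comment should state what the directory is for and that search order. I would write `//Common directory (application helpers such as CORSHelper.php; searched before upgrade/ and the Zend library)`. The two successive prepends could also be collapsed into a single `set_include_path(implode(PATH_SEPARATOR, array(APPLICATION_PATH . '/common/', APPLICATION_PATH . '/upgrade/', get_include_path())));`, though matching the existing one-call-per-directory pattern is acceptable. Whether these statements sit inside the `if (file_exists(...))` block named in the hunk header cannot be told from the hunk alone.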