Using Gila CMS as a back-end service

Vasilis Zoumpourlis — Tue, 21 Apr 2020 09:40:05 +0000

Gila CMS is a content management solution I am building the last few years. It started as an open source project that would give the ability to small businesses to build customized and flexible applications.

One of the advantages is that Gila also works as a headless cms. In this article I will show you how you can create a new database table and how to use the data in your web application. The examples will be shown with the axios library.

To continue you need Gila CMS installed on your server. In the administration menu, go to Administration->Settings and set Environment to "Development", so you can make changes in your code and they apply directly.

The first thing to do is create a new package to add our code. Inside the src folder create a new folder my-movies. Inside the my-movies add the following four files:
package.json
tables/movie.php
load.php
update.php

package.json

{
  "name": "My Movies Package",
  "version": "1.0.0",
  "description": "Adds a table to store your favorite movies"
}

tables/movie.php
In this schema note the permissions attribute: By default, all permissions require the admin user role, but for the read permission we set value true, so the data can be read from axios without a logged in user. More information about table schema you can find in documentation

<?php

return [
  "name"=> "movie",
  "tools"=> ["add"],
  "commands"=> ["edit","delete"],
  "permissions"=>[
      "read"=>true
  ],
  "fields"=> [
  "id"=> [
      "edit"=> "false"
    ],
    "title"=> [
      "qtype"=> "VARCHAR(120)"
    ],
    "score"=> [
      "type"=> "select",
      "options"=> [1=>"1",2=>"2",3=>"3",4=>"4",5=>"5"],
      "qtype"=> "TINYINT DEFAULT 1"
    ],
    "poster"=> [
      "type"=> "media",
      "qtype"=> "VARCHAR(120)"
    ]
  ]
];

load.php

<?php

Gila::content('movie', 'my-movies/tables/movie.php');
Gila::amenu_child('content', ['My Movies','admin/content/movie','icon'=>'play','access'=>'admin']);

update.php
This file runs in activation of the package and will create the table in the database for us

<?php

Gila::content('movie', 'my-movies/tables/movie.php');
$gtable = new gTable('movie');
$gtable->update();

After you have all files in place, you go to /admin/packages and activate the package My Movies

Then in the administration go to Content->My Movies and you will see the new table with the button "+New" to add your movies. Here is a screenshot with a few registries.

Now the data that you add in the table, you can get them from your app with ajax requests or promises. If your app runs from a different domain of Gila website you have to set the cors in config.php:

...
"cors"=> [
  0=> 'https://my-app-domain.com'
]
...

Axios requests

Get all movies

axios.get('/cm/list/movie').then(function (response) {
  console.log(response);
})

Response

[
    {
        "id": "3",
        "title": "Captain America: Civil War",
        "score": "4",
        "poster": "assets/movies/captainamericacivilwar_lob_crd_01_9.jpg"
    },
    {
        "id": "2",
        "title": "Ant-Man",
        "score": "3",
        "poster": "assets/movies/ant-man_lob_crd_01_8.jpg"
    },
    {
        "id": "1",
        "title": "Troy",
        "score": "2",
        "poster": "assets/Troy.jpg"
    }
]

Get movie by id

axios.get('/cm/list/movie?id=2').then(function (response) {
  console.log(response);
})

Search movies

axios.get('/cm/list/movie?search=Man').then(function (response) {
  console.log(response);
})

Get movies with score greater than 3, and ordered by title

axios.get('/cm/list/movie?score[gt]=3&orderby[title]=ASC').then(function (response) {
  console.log(response);
})

Get only title and poster of the movies

axios.get('/cm/list/movie?select[]=title&select[]=poster').then(function (response) {
  console.log(response);
})

More information for the /cm endpoint and its parameters you can find in documentation pages.

Secure better your website with SameSite cookies

Vasilis Zoumpourlis — Mon, 11 Nov 2019 05:39:03 +0000

Cross-site request forgery (CSRF) attacks is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts.

Let's see the following example: You have an endpoint that updates a user: mysite.com/user/update/2

The new data should come from a POST method, so if you open the endpoint from a link, the update will not happen because the request method in this case is GET. But someone could build this simple html file:

This index.html can be placed in any website (like clickhereandseewhathappens.com), and the link is send it to the website administrator with an email. When the administrator opens this html in the browser, the form will be submited to mysite.com and the user will be updated.

This will happen because the sessionId cookie of the user will be sent to the server and the application understands that this request was made from the administrator.

The SameSite is a cookie key that tells browser to send the cookie value to the server only when the request is made from the same domain of the website.

For example, when you dont want to sent the cookie from a different url.

mycookie=value; expires=Wen, 1 Jan 2019 12:00:00 UTC; path=/; SameSite=Strict

When you want to send it with simple links (GET method) but not with POST/PUT/DELETE etc

mycookie=value; expires=Wen, 1 Jan 2019 12:00:00 UTC; path=/; SameSite=Lax

The default scenario is to sent it always.

This feature is already supported from all major browsers https://caniuse.com/#feat=same-site-cookie-attribute

So this is an extra layer of security for your website and very easy to implement.

To create a samesite cookie with php:

header("Set-cookie: mycookie=value; path=/; HttpOnly; SameSite=Lax");

From php 7.3 you can use setcookie function with the options (8th) parameter:

setcookie('mycookie', 'value', time()+86400, '/', null, null, true, ['samesite'=>'Strict']);

Note: the above examples also adds the HttpOnly key for the cookie, that key prevents from your javascript to access the value of your cookie. So even you have a XSS script run in your website, it wont be able to see the cookie's value.

To set the expiration date with header() you must print date with the expected format

$expire = date('D, d M Y H:i:s', time() + (86400 * 30)); // one month from now
header("Set-cookie: mycookie=value; expires=$expire; path=/; HttpOnly; SameSite=Lax");

DEV Community: Vasilis Zoumpourlis