First off, as stated in the dhtmlx connector-documentation, " … is open to external access of another programs that’s why any external user is allowed to change data in DB".
I am currently implementing dhtmlx Scheduler in a webapp that uses the Kohana 3 PHP (hMVC) framework. Since I can’t allow everybody to be able to CRUD everything in my events-database table (accessing the Scheduler requires authentication), I can’t use dhtmlx connector such as it is.
Seen as I’ve already got authentication, an ORM, JQuery and models set up, I would really like to use Kohana to do the CRUD’ing and serve Scheduler the data it needs. Routing everything through my controllers and models, the setup would be more secure, and make me feel much better about using Scheduler for my project. Now, I’ve been looking over the connector code, but it’s not clear to me how Scheduler requests data and how it expects data to be formatted and returned (there was quite alot of code).
If I create a new event, does Scheduler send requests per POST or GET? Does Scheduler expect events as XML-data when it loads data from a database?
I realize this is quite an undertaking, but I would appreciate any help you could provide.
is open to external access of another programs that's why any external user is allowed to change data in DB".
Yep, connector has not built-in user permission checking, by adding a sinlge line on top of connector, as
if ($_SESSION["valid_user"] != true) die();
will solve security issue. The documentation encourage adding of such or similar check to the connectors, because validation is specific for each solution and can’t be provided from-the-box.
If I create a new event, does Scheduler send requests per POST or GET?
It will be POST ( but can be configured to use GET )
Check docs.dhtmlx.com/doku.php?id=dhtm … _side_code
and “send all at once” section at docs.dhtmlx.com/doku.php?id=dhtm … ding_modes
Docs describe parameters of grid, for scheduler it will be similar , but instead of c0-cN, you will have meaningful field names ( start_date, end_date, text, etc. )
Does Scheduler expect events as XML-data
Yes, by default it awaits XML data. But starting from version 2.2 , you can load it from json as well.
Well, almost… Every fieldname in the POST-array appears to be prefixed with the id from the originating event (or the “uid” if it’s a inserted-action). I don’t understand why this is neccessary, to be honest.
If I initialize scheduler with a dataprocessor and create a new event, the fieldnames in the POST-array may look like this:
Isn’t it possible to have the fieldnames be just “text”, “start_date” as you previously stated? Not knowing the POST-indexes makes it a chore to setup validation-rules and data-processing at the receiving end.
Thank you for your support, Stanislav. I was able to integrate the client-side Scheduler with the server-side PHP framework. My controllers and models are processing data and returning results requested by scheduler, but it all requires authentication through the framework.
I will probably be needing a couple of commercial licenses in short order ;c)
Thank you, again
Get a guaranteed answer from DHTMLX technical support team
under the most suitable support plan