Controller

A controller receives the user's request and dispatches it to the requested action, a public method of the controller class. Controllers are mainly used in plugins. The default routing rules support up to three controllers per plugin:

  • Site controller - regular controller for day-to-day actions invoked by website visitors;
  • Public controller - unsecured controller accessed by third-party services, e.g. a payment gateway ping-back;
  • Admin controller - controller for actions performed by an administrator.

Use them where appropriate, or create your own routes.

Public controller

See the sample of public controller code below. Public means that the action can be reached by anyone who knows the URL: no login is required and no security token is checked. Because the framework performs no checks here, the action itself is responsible for validating everything it receives (for example, verifying a payment gateway's signature before trusting a ping-back).

<?php
// Place this code into Plugin/YourPluginName/PublicController.php
namespace Plugin\YourPluginName; //Replace "YourPluginName" with actual plugin name

class PublicController
{
    // No login check and no security token check are applied to public
    // controller actions; validate all input inside the action itself.
    public function doSomething()
    {
        return "Hello World";
    }
}

Use the link below to access this controller (make sure your plugin is activated):

http://www.example.com/?pa=YourPluginName.doSomething

Alternatively you can use routing to map any URL to any action. 

Site controller

The site controller works in the same way as the public controller for GET requests, but it protects POST requests against XSRF (cross-site request forgery). Use it for actions executed by a visitor on your website, e.g. registration forms or profile update forms. Because only POST requests are checked, an action that changes state (creates, updates or deletes something) should accept POST only and refuse GET.

The XSRF check is done using an additional request parameter called the security token: a unique random string generated for each visitor. A page on another site cannot read this value, so a forged POST request arrives without a valid token and is rejected instead of being dispatched to the action.

See the example of the site controller below. 

<?php
// Place this code into Plugin/YourPluginName/SiteController.php
namespace Plugin\YourPluginName; //Replace "YourPluginName" with actual plugin name

class SiteController
{

    public function doSomething()
    {
        return "Hello World";
    }

}

To access doSomething action on site controller using GET method, use the following URL:

http://www.example.com/?sa=YourPluginName.doSomething

To execute the same action using the POST method, post the following variables:

  • sa – a value with the syntax YourPluginName.methodName
  • securityToken – the actual security token value

Get security token in PHP

$securityToken = ipSecurityToken();

Get security token in JavaScript

alert (ip.securityToken);

If you are using ImpressPages forms, the security token is added automatically, so you only have to add the sa parameter.
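The token round-trip described above, as an added example that is not part of the original page or of ImpressPages itself: a hand-written form embeds the sa and securityToken fields, and the POST action refuses GET requests because GET carries no XSRF check. "Newsletter" is a hypothetical plugin name; ipRequest(), ipConfig() and esc() are assumed to be the ImpressPages 4 helper functions of those names (ipSecurityToken() is the one shown above).

```php
<?php
// Added example, not code from the original page. Place in Plugin/Newsletter/SiteController.php.
// "Newsletter" is a hypothetical plugin name. ipRequest(), ipConfig() and esc() are assumed
// to be the ImpressPages 4 helper functions of those names.
namespace Plugin\Newsletter;

class SiteController
{
    // GET ?sa=Newsletter.showForm
    // The form is rendered by hand (no ImpressPages form helper), so the
    // security token has to be embedded explicitly as a hidden field.
    public function showForm()
    {
        $token  = esc(ipSecurityToken());
        $action = esc(ipConfig()->baseUrl());

        return
            '<form method="post" action="' . $action . '">'
            . '<input type="hidden" name="sa" value="Newsletter.subscribe">'
            . '<input type="hidden" name="securityToken" value="' . $token . '">'
            . '<label>Email <input type="email" name="email"></label>'
            . '<button type="submit">Subscribe</button>'
            . '</form>';
    }

    // POST ?sa=Newsletter.subscribe
    // By the time this runs, the router has already compared the posted
    // securityToken with the visitor's token. Only POST is protected, so the
    // state-changing work must not be reachable through a plain GET link.
    public function subscribe()
    {
        if (!ipRequest()->isPost()) {
            return 'This action accepts POST requests only.';
        }

        $email = trim((string) ipRequest()->getPost('email', ''));
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            return 'Please enter a valid e-mail address.';
        }

        // ... persist $email here (omitted) ...

        // Escape user input before echoing it back into the layout (XSS).
        return 'Subscribed ' . esc($email) . '.';
    }
}
```

The same token is available to client-side code as ip.securityToken, so an AJAX call to sa=Newsletter.subscribe only has to add it as a POST field alongside the form data.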

Admin controller

The admin controller is used for admin (back-end) actions that must be accessible only to administrators.

The admin controller works in the same way as the site controller: it also checks POST requests for XSRF. In addition, it checks that the user is logged in to the administration panel and has the right to access the requested plugin. The login and permission checks apply to every request; the XSRF check, as with the site controller, applies to POST requests only, so destructive admin actions should accept POST only.

Example:

<?php
// Place this code into Plugin/YourPluginName/AdminController.php
namespace Plugin\YourPluginName; //Replace "YourPluginName" with actual plugin name

class AdminController
{

    public function doSomething()
    {
        return "Hello World";
    }

}

To access the doSomething action using GET on the admin controller, use the following URL:

http://www.example.com/?aa=YourPluginName.doSomething

To execute the same action using the POST method, post the following variables:

  • aa – a value with the syntax YourPluginName.methodName
  • securityToken – the actual security token value

Again, if you are using the standard form generation method, you can skip securityToken, as it will be added automatically.

Response in controller

In the controller, you can return a string or any object that implements the __toString method. The returned string is displayed as the content of the theme's default layout; for this to work, the layout file has to contain <?php ipBlock('main') ?>.

If you need more control over the response, return an \Ip\Response object or any object that extends it. This way you can make ImpressPages return absolutely anything, e.g. a JSON document for an AJAX call or an HTTP redirect.
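An admin controller that uses the response objects described above, as an added example that is not code from the original page or from ImpressPages: one action returns a plain string, one returns a redirect, and a POST-only delete action returns JSON. "Catalog" is a hypothetical plugin name; ipRequest(), ipConfig(), \Ip\Response\Json and \Ip\Response\Redirect are assumed to be the ImpressPages 4 API of those names.

```php
<?php
// Added example, not code from the original page. Place in Plugin/Catalog/AdminController.php.
// "Catalog" is a hypothetical plugin name. ipRequest(), ipConfig(), \Ip\Response\Json and
// \Ip\Response\Redirect are assumed to be the ImpressPages 4 API of those names.
namespace Plugin\Catalog;

class AdminController
{
    // GET ?aa=Catalog.listItems
    // A plain string is rendered inside the theme layout's 'main' block.
    public function listItems()
    {
        return '<h1>Catalog items</h1>';
    }

    // GET ?aa=Catalog.openItem&id=7
    // Returning a Redirect response sends an HTTP redirect instead of page content.
    public function openItem()
    {
        $id = (int) ipRequest()->getQuery('id', 0);
        if ($id <= 0) {
            return new \Ip\Response\Redirect(ipConfig()->baseUrl() . '?aa=Catalog.listItems');
        }
        return 'Editing item ' . $id;
    }

    // POST ?aa=Catalog.deleteItem  (fields: aa, securityToken, id)
    // The router has already verified the admin login, the plugin permission and
    // the security token. GET is still refused here: the XSRF check only covers
    // POST, so a destructive action must never be reachable through a link.
    public function deleteItem()
    {
        if (!ipRequest()->isPost()) {
            return new \Ip\Response\Json(array('status' => 'error', 'message' => 'POST required'));
        }

        $id = (int) ipRequest()->getPost('id', 0);
        if ($id <= 0) {
            return new \Ip\Response\Json(array('status' => 'error', 'message' => 'Invalid id'));
        }

        // ... delete item $id here (omitted) ...

        // A Json response sets the JSON content type and encodes the array,
        // which is what an AJAX caller using ip.securityToken expects back.
        return new \Ip\Response\Json(array('status' => 'success', 'id' => $id));
    }
}
```

From admin JavaScript, the delete call posts aa=Catalog.deleteItem, id and securityToken=ip.securityToken; a request without the token is rejected before deleteItem runs.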

List of extended response classes:
