The new PrestaShop 1.7 version allows you to completely clean the front end of any inappropriate information coming from the back end.
There are a few ways data is made available on the front end in PrestaShop 1.7:
- Ajax-objects, used to auto-complete the search.
- Variables like cart, shop, configuration, etc., which are added to the Smarty templates.
- PrestaShop JS objects, which contain the same variables and make them available everywhere on the front end.
The key issue
In this PrestaShop version, the server side (Smarty templates) and the client side (the Ajax responses, PrestaShop objects) use the same objects. Why is this an issue?
Data exposure
Since the templates stay on the server, they are not what exposes confidential data. Data sent to a client is a completely different story, and it must be processed carefully. For example, you do not want anyone to know the wholesale price of a product, so do not include it in the data sent to the client.
Extensibility
PrestaShop is an extensible platform, but with extensibility comes uncertainty: it is impossible to know in advance what data modules or settings will add to the models. This means that PrestaShop must be open to configuration while keeping the data safe by default.
Mixed issues
The server side and the client side have different needs. The templates require as much information as possible so they stay flexible, while the client side should receive as little as possible, for security reasons and for better network performance.
The solution
Starting from version 1.7.3.1, PrestaShop filters all the data it sends to the client side using a whitelist-based filtering service.
Only the data sent to the client is filtered. Smarty objects are left as they were.
Why not blacklist
A blacklist is unsafe by default. You would have to know beforehand what to remove, which is impossible given the extensibility of PrestaShop, where the data can change at any time. Developers would have to filter out as much new information as possible or risk data leaks.
A whitelist makes the store secure by default. Developers need to add new information to the whitelist before it is output on the client side.
Removing the price from the whitelist
First, hook into actionFrontControllerAfterInit and remove price from the product whitelist.
Perform actions after front office controller initialization.
The hook actionFrontControllerAfterInit is launched after the initialization of all front office controllers.
```php
public function hookActionFrontControllerAfterInit()
{
    // Main filter service for objects sent to the front end
    $filterManager = $this->get('prestashop.core.filter.front_end_object.main');
    $filters = $filterManager->getFilters();
    $cartFilters = $filters['cart']->getFilters();
    $productFilterQueue = $cartFilters['products']->getQueue();

    foreach ($productFilterQueue as $filter) {
        if ($filter instanceof PrestaShop\PrestaShop\Core\Filter\FrontEndObject\ProductFilter) {
            // Stop sending the product price to the client
            $filter->removeFromWhitelist('price');
        }
    }
}
```
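The blacklist versus whitelist argument above, and the effect of removing price from the whitelist, as a stand-alone added example. This is a simplified model, not PrestaShop's own filter code or code from this article: the functions filterWithBlacklist and filterWithWhitelist, the sample cart and the supplier_margin field are assumptions made for illustration.

```php
<?php
// Constructed sample cart, as the server-side templates see it.
// 'supplier_margin' stands for a field a hypothetical module added later.
$cart = [
    'total'    => 59.80,
    'id_guest' => 4211,
    'products' => [[
        'id_product' => 7, 'name' => 'Mug', 'price' => 29.90,
        'wholesale_price' => 11.20, 'supplier_margin' => 0.62,
    ]],
];

// Blacklist: drop the keys known to be sensitive, pass everything else through.
function filterWithBlacklist(array $data, array $blocked)
{
    $out = [];
    foreach ($data as $key => $value) {
        if (in_array($key, $blocked, true)) {
            continue;
        }
        $out[$key] = is_array($value) ? filterWithBlacklist($value, $blocked) : $value;
    }
    return $out;
}

// Whitelist: keep only the listed keys. A nested array is the rule applied
// to every item of a list such as 'products'.
function filterWithWhitelist(array $data, array $allowed)
{
    $out = array_intersect_key($data, $allowed);
    foreach ($out as $key => $value) {
        if (is_array($allowed[$key])) {
            $out[$key] = [];
            foreach ($value as $item) {
                $out[$key][] = filterWithWhitelist($item, $allowed[$key]);
            }
        }
    }
    return $out;
}

$allowed = ['total' => true, 'products' => ['id_product' => true, 'name' => true, 'price' => true]];
// supplier_margin still reaches the client: nobody knew to block it.
echo json_encode(filterWithBlacklist($cart, ['wholesale_price', 'id_guest'])), PHP_EOL;
// Only the listed fields reach the client.
echo json_encode(filterWithWhitelist($cart, $allowed)), PHP_EOL;
// Same effect as removeFromWhitelist('price') in the hook: price is withheld too.
unset($allowed['products']['price']);
echo json_encode(filterWithWhitelist($cart, $allowed)), PHP_EOL;
```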
Suppose you want to add an element called my_custom_data to the PrestaShop object. Simply hook into actionBuildFrontEndObject and add my_custom_data to $params.
actionBuildFrontEndObject manages the elements added to the PrestaShop JavaScript object. This hook allows you to customize the PrestaShop JavaScript object that is included in all front office pages.
```php
public function hookActionBuildFrontEndObject(&$params)
{
    // Reference to the object that will be exposed to JavaScript
    $prestashopObject =& $params['obj'];
    $prestashopObject['my_custom_data'] = 'foobar';
}
```
This is how you manage the data displayed on the front end in the new PrestaShop 1.7 version. We hope this was helpful and clear; if not, leave your comments.