
Ajax call to controller action in another module

Topics: Administration, Customizing Orchard, Writing modules, Writing themes
Sep 15, 2011 at 5:50 PM
Edited Sep 15, 2011 at 5:54 PM

What url do I need to use if I want to issue an ajax call to a controller action in another module from a shape (.cshtml) in the Views folder of my custom Theme?


    $.ajax({
        url: ???,
        dataType: 'json',
        data: somedata,
        success: function (data) { alert(data.toString()); }
    });


I am using this ajax call from Fields.Contrib.MediaPicker-Session-Video.cshtml, which is in the Views folder of my custom theme.

The controller action I am trying to reach is located in the Admin controller of Orchard.Media module. 

(I add a custom action to the Admin controller of Orchard.Media module.)

I am sure that there may be a better way of doing this. However, many client-side developers want to have a flexibility to access any controller action in other modules via ajax.

I would appreciate your information.


Sep 15, 2011 at 6:27 PM

You need the server to build the url that you inject into that script, using Url.Action. You can specify the area in the additional parameters, and that really is the module's folder name.

Sep 15, 2011 at 8:37 PM

I used the following url and set a break point on the "Myaction" in the admin controller of Orchard.Media module.






'@Url.Action("Myaction", "Admin", new { area = "Orchard.Media"})'




However, it never seems to reach the "Myaction".

Sep 15, 2011 at 8:47 PM

Try to get a network trace in your browser's dev tools and look at the details of that request.

Sep 15, 2011 at 10:50 PM
Edited Sep 15, 2011 at 11:05 PM

I looked at the response headers and found that the Location header has the value /Users/Account/AccessDenied?ReturnUrl=%2fAdmin%2fMedia%2fSaveToFile

I was not logged in at the test run.  I guess that it may need an admin login to do this action.

  Is there any attribute I can use for this action to allow regular users to access this action? 






Sep 15, 2011 at 11:13 PM

I logged in as admin and I got the following error.

A required anti-forgery token was not supplied or was invalid.

Sep 15, 2011 at 11:55 PM

Oh, yes, you need to grant whatever permission is being verified in this action to the Anonymous role. Careful with that, it could be dangerous (as in, your server could be transformed into a porn server in no time).

For the antiforgery thing, yes, you need to include the anti-forgery token into the post that you send back to the server. There are a few examples of that around.

Sep 16, 2011 at 12:12 AM

Thanks for your quick reply.  When I am trying to fix the error, I ran into another error.

"The controller for path '/Users/Content/favicon.ico' was not found or does not implement IController."

When I bring up the sign in page, it throws the error before I get a chance to log in. Have you seen this error?

Sep 16, 2011 at 12:22 AM

You probably inadvertently implemented a route that takes over that URL. You may want to try to debug that with the new route module that got published a couple of days ago.

Sep 16, 2011 at 2:44 AM
Edited Sep 16, 2011 at 5:14 AM

I will look into the route.  Since the problem is with the sign-in page, I am wondering what it might be.

Also I learned that the anti-forgery validation via jquery ajax is tricky.  The MVC token validation is done on formcollection only.

However, I need to pass my data as Json array. I will have to find a way to mix formcollection with json array.


Sep 16, 2011 at 4:32 PM

As I dig deeper on this issue, I learned that the MVC antiforgerytoken validation works with a form post only.

It does not work with a formless ajax post with passing Json data object. 

Does Orchard have any custom antiforgerytoken validation mechanism that resolves this limitation?

The other issue is a constant salt issue. Given the Orchard is used by many clients, it should be a runtime salt.

 Does orchard use a compile time constant salt or a runtime dynamic salt?

I appreciate any good examples or solutions on this issue.


Sep 16, 2011 at 4:45 PM

No, that's not true. There is essentially no difference from an http standpoint between an ajax post and a regular post. MVC works just fine with ajax posts. See the slug auto-generation in the route core module for an example.

What makes you think there is a constant salt?

Sep 16, 2011 at 5:27 PM

There is a constant salt, per tenant, otherwise a token could be leaked across tenants.

Sep 16, 2011 at 8:06 PM

There is a good blog post on this issue.  I do not think that it is an issue of ajax but it is an issue of JSON data outside of a form.

Jsonrequestattribute seems to be something that Orchard can customize if it works.

I am still not able to resolve this antiforgerytoken issue with Json posts that are not related to a form post.

Sep 16, 2011 at 8:12 PM

Here's what the media picker is doing for Ajax posts:

$.post("MediaPicker/CreateFolder", { path: query("mediaPath") || "", folderName: $("#folderName").val(), __RequestVerificationToken: $("#__requesttoken").val() }, ...

Sep 16, 2011 at 8:16 PM

What I did for signing users out.... (might help)

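<script type="text/javascript">
    function signOutCallback() {
        // The anti-forgery token travels as an ordinary form field of the post.
        var data = {
            __RequestVerificationToken: "@Html.AntiForgeryTokenValueOrchard()"
        };
        $.post("/Users/Account/LogOff", data, function() {
            // ... (rest of the callback is not shown)
        });
    }
</script>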
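
The two posts above send the token as a form field. As an added example (not part of the original posts and not Orchard's own code), the sketch below shows one way to carry a JSON array in the same form-encoded post and why a pure `application/json` body leaves no token among the form fields. The `items` field name, the sample values and the server-side functions are assumptions; the server side is a simplified model of a form-only token lookup, not the MVC implementation.

```javascript
// Field name used in the posts above; "items" below is a hypothetical field name.
const TOKEN_FIELD = "__RequestVerificationToken";

// Client side: build an application/x-www-form-urlencoded body that carries
// the anti-forgery token as an ordinary form field and the JSON array as one
// string field, so the server still receives a form collection.
function buildFormBody(token, items) {
  const params = new URLSearchParams();
  params.append(TOKEN_FIELD, token);
  params.append("items", JSON.stringify(items));
  return params.toString();
}

// Simplified model of the server side: the token is looked up among form
// fields only, so it is found only when the body is form-encoded.
function readFormToken(contentType, body) {
  if (!/^application\/x-www-form-urlencoded\b/i.test(contentType)) {
    return null; // e.g. application/json: no form fields, so no token
  }
  return new URLSearchParams(body).get(TOKEN_FIELD);
}

// The action would then deserialize the JSON string field itself.
function readItems(body) {
  const raw = new URLSearchParams(body).get("items");
  return raw === null ? null : JSON.parse(raw);
}

// Constructed sample values (not real tokens or file names).
const sampleToken = "CONSTRUCTED+token/value==";
const sampleItems = [{ name: "clip 1.mp4", size: 1024 }, { name: "a&b.png", size: 7 }];

function demo() {
  const formBody = buildFormBody(sampleToken, sampleItems);
  const jsonBody = JSON.stringify({ [TOKEN_FIELD]: sampleToken, items: sampleItems });
  return {
    formToken: readFormToken("application/x-www-form-urlencoded; charset=UTF-8", formBody),
    jsonToken: readFormToken("application/json", jsonBody),
    items: readItems(formBody),
  };
}

console.log(demo());
```

With jQuery, the string returned by `buildFormBody` can be passed as the data argument of `$.post`, which sends it with the default form-encoded content type.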

Sep 16, 2011 at 9:02 PM
Edited Sep 16, 2011 at 9:05 PM

Thanks for the information. 


I did not know about "Html.AntiForgeryTokenValueOrchard()". I have been using Html.AntiForgeryToken(). 

 That might do the trick. I will let you know.




Since this is a security issue, I am wondering if the above solution resolves a security concern raised by this post (Microsoft?) :

Sep 16, 2011 at 11:08 PM

It works now.  Thanks.

However, I would appreciate information on the security issue mentioned above.

Sep 16, 2011 at 11:11 PM

Can you first explain what the security issue is? I may be missing something but I don't see one.

Sep 17, 2011 at 12:33 AM

Imran Baloch's Blog described the security Issue in ASP.NET MVC3 JsonValueProviderFactory.

I have not validated the concern but I wanted to see if Orchard resolved this issue.



Sep 17, 2011 at 12:55 AM

That link seems to be broken.

Sep 17, 2011 at 1:01 AM
Sep 17, 2011 at 1:05 AM

By the way we are not prone to this security issue. Everything in Orchard is HtmlEncoded.

Even without Json you can enter some Javascript in the Comment for instance in Orchard, but it will be rendered safely by encoding it.

Sep 17, 2011 at 4:35 AM

I guess that it is the issue with any old MVC apps that may post unencoded data.

It is good to know that all the data in the Orchard are url-encoded.