From 71f302277e1b9af0b5e845be2cc9755d04647468 Mon Sep 17 00:00:00 2001
From: Suha Can
Date: Thu, 4 Mar 2010 15:15:06 -0800
Subject: [PATCH] - AntiForgerFilter now opt-in for Orchard extensions such as modules and areas.
- "antiforgery: enabled" in your module.txt will enable the filter to do the antiforgery check on posts.
--HG--
branch : dev
---
 src/Orchard.Web/Core/Common/Module.txt | 1 +
 src/Orchard.Web/Core/Dashboard/Module.txt | 3 +-
 src/Orchard.Web/Core/Feeds/Module.txt | 1 +
 src/Orchard.Web/Core/HomePage/Module.txt | 1 +
 src/Orchard.Web/Core/Navigation/Module.txt | 3 +-
 src/Orchard.Web/Core/Scheduling/Module.txt | 3 +-
 src/Orchard.Web/Core/Settings/Module.txt | 3 +-
 src/Orchard.Web/Core/Themes/Module.txt | 3 +-
 src/Orchard.Web/Core/XmlRpc/Module.txt | 1 +
 .../Modules/Futures.Widgets/Module.txt | 1 +
 .../Modules/Orchard.Blogs/Module.txt | 1 +
 .../Modules/Orchard.Comments/Module.txt | 1 +
 .../Modules/Orchard.Media/Module.txt | 1 +
 .../Modules/Orchard.Pages/Module.txt | 1 +
 .../Modules/Orchard.Roles/Module.txt | 3 +-
 .../Modules/Orchard.Setup/Module.txt | 1 +
 .../Modules/Orchard.Tags/Module.txt | 1 +
 .../Modules/Orchard.Users/Module.txt | 1 +
 src/Orchard.Web/Modules/TinyMce/Module.txt | 1 +
 src/Orchard/Extensions/ExtensionDescriptor.cs | 1 +
 src/Orchard/Extensions/ExtensionManager.cs | 3 +-
 .../AntiForgeryAuthorizationFilter.cs | 28 +++++++++++++++++--
 22 files changed, 53 insertions(+), 10 deletions(-)
diff --git a/src/Orchard.Web/Core/Common/Module.txt b/src/Orchard.Web/Core/Common/Module.txt
index 2187cb743..a4acb8fdf 100644
--- a/src/Orchard.Web/Core/Common/Module.txt
+++ b/src/Orchard.Web/Core/Common/Module.txt
@@ -1 +1,2 @@
 Name: Common
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Dashboard/Module.txt b/src/Orchard.Web/Core/Dashboard/Module.txt
index 59da47d50..a07508ed4 100644
--- a/src/Orchard.Web/Core/Dashboard/Module.txt
+++ b/src/Orchard.Web/Core/Dashboard/Module.txt
@@ -1 +1,2 @@
-name: Dashboard
\ No newline at end of file
+name: Dashboard
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Feeds/Module.txt b/src/Orchard.Web/Core/Feeds/Module.txt
index 4fc43ff63..9ea4cb63b 100644
--- a/src/Orchard.Web/Core/Feeds/Module.txt
+++ b/src/Orchard.Web/Core/Feeds/Module.txt
@@ -1 +1,2 @@
 name: Feeds
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/HomePage/Module.txt b/src/Orchard.Web/Core/HomePage/Module.txt
index aa81b4985..2e1fcd1c1 100644
--- a/src/Orchard.Web/Core/HomePage/Module.txt
+++ b/src/Orchard.Web/Core/HomePage/Module.txt
@@ -1 +1,2 @@
 name: HomePage
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Navigation/Module.txt b/src/Orchard.Web/Core/Navigation/Module.txt
index 6fbcc77fc..21745169e 100644
--- a/src/Orchard.Web/Core/Navigation/Module.txt
+++ b/src/Orchard.Web/Core/Navigation/Module.txt
@@ -1 +1,2 @@
-name: Navigation
\ No newline at end of file
+name: Navigation
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Scheduling/Module.txt b/src/Orchard.Web/Core/Scheduling/Module.txt
index 061ef8ee4..28fac8bd4 100644
--- a/src/Orchard.Web/Core/Scheduling/Module.txt
+++ b/src/Orchard.Web/Core/Scheduling/Module.txt
@@ -1 +1,2 @@
-name: Scheduling
\ No newline at end of file
+name: Scheduling
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Settings/Module.txt b/src/Orchard.Web/Core/Settings/Module.txt
index f0ef5b265..d1451d2e0 100644
--- a/src/Orchard.Web/Core/Settings/Module.txt
+++ b/src/Orchard.Web/Core/Settings/Module.txt
@@ -1 +1,2 @@
-name: Settings
\ No newline at end of file
+name: Settings
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Themes/Module.txt b/src/Orchard.Web/Core/Themes/Module.txt
index aefb9b2c5..b6d2a2c96 100644
--- a/src/Orchard.Web/Core/Themes/Module.txt
+++ b/src/Orchard.Web/Core/Themes/Module.txt
@@ -1 +1,2 @@
-name: Themes
\ No newline at end of file
+name: Themes
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/XmlRpc/Module.txt b/src/Orchard.Web/Core/XmlRpc/Module.txt
index 74ddadf84..b94280d62 100644
--- a/src/Orchard.Web/Core/XmlRpc/Module.txt
+++ b/src/Orchard.Web/Core/XmlRpc/Module.txt
@@ -1 +1,2 @@
 Name: XmlRpc
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Futures.Widgets/Module.txt b/src/Orchard.Web/Modules/Futures.Widgets/Module.txt
index b38d568c2..721cd8cd0 100644
--- a/src/Orchard.Web/Modules/Futures.Widgets/Module.txt
+++ b/src/Orchard.Web/Modules/Futures.Widgets/Module.txt
@@ -1 +1,2 @@
 name: Widgets
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Blogs/Module.txt b/src/Orchard.Web/Modules/Orchard.Blogs/Module.txt
index a6547b31d..d82dcda7f 100644
--- a/src/Orchard.Web/Modules/Orchard.Blogs/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Blogs/Module.txt
@@ -1 +1,2 @@
 name: Blogs
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Comments/Module.txt b/src/Orchard.Web/Modules/Orchard.Comments/Module.txt
index ee782de3b..d189b515f 100644
--- a/src/Orchard.Web/Modules/Orchard.Comments/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Comments/Module.txt
@@ -1 +1,2 @@
 name: Comments
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Media/Module.txt b/src/Orchard.Web/Modules/Orchard.Media/Module.txt
index bd6776a37..39454c683 100644
--- a/src/Orchard.Web/Modules/Orchard.Media/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Media/Module.txt
@@ -1 +1,2 @@
 name: Media
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Pages/Module.txt b/src/Orchard.Web/Modules/Orchard.Pages/Module.txt
index 1f4768e89..ab71cbf1e 100644
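Review bot: Turning the filter on for the XmlRpc area in this Module.txt hunk deserves a stated rationale, because XML-RPC clients (MetaWeblog-style blog tools) POST a payload that carries no form token and cannot be expected to supply one. Reading AntiForgeryAuthorizationFilter in the same commit, validation is skipped whenever GetAuthenticatedUser() returns null, so such requests presumably pass through as long as XML-RPC credentials are not established by the time authorization filters run; that is an inference from the filter's gating condition, not something this hunk shows, and it should be confirmed against a real client before relying on it. A sentence in the commit message, or a comment next to the XML-RPC endpoint, recording that reasoning would save the next reader the same investigation.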
--- a/src/Orchard.Web/Modules/Orchard.Pages/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Pages/Module.txt
@@ -1 +1,2 @@
 name: Pages
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Roles/Module.txt b/src/Orchard.Web/Modules/Orchard.Roles/Module.txt
index 432ec0eb5..274a90088 100644
--- a/src/Orchard.Web/Modules/Orchard.Roles/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Roles/Module.txt
@@ -1 +1,2 @@
-name: Roles
\ No newline at end of file
+name: Roles
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Setup/Module.txt b/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
index 7fccc753e..774ff09db 100644
--- a/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Setup/Module.txt
@@ -1 +1,2 @@
 name: Setup
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Tags/Module.txt b/src/Orchard.Web/Modules/Orchard.Tags/Module.txt
index f21c8dcca..593c5da5b 100644
--- a/src/Orchard.Web/Modules/Orchard.Tags/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Tags/Module.txt
@@ -1 +1,2 @@
 name: Tags
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Module.txt b/src/Orchard.Web/Modules/Orchard.Users/Module.txt
index 5fc15404a..3d70e2e47 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Module.txt
+++ b/src/Orchard.Web/Modules/Orchard.Users/Module.txt
@@ -1 +1,2 @@
 name: Users
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard.Web/Modules/TinyMce/Module.txt b/src/Orchard.Web/Modules/TinyMce/Module.txt
index 91cae157b..1e0ca4ce7 100644
--- a/src/Orchard.Web/Modules/TinyMce/Module.txt
+++ b/src/Orchard.Web/Modules/TinyMce/Module.txt
@@ -1 +1,2 @@
 name: TinyMce
+antiforgery: enabled
\ No newline at end of file
diff --git a/src/Orchard/Extensions/ExtensionDescriptor.cs b/src/Orchard/Extensions/ExtensionDescriptor.cs
index e3a71845f..cf129df63 100644
--- a/src/Orchard/Extensions/ExtensionDescriptor.cs
+++ b/src/Orchard/Extensions/ExtensionDescriptor.cs
@@ -22,5 +22,6 @@ public string Author { get; set; }
 public string HomePage { get; set; }
 public string Tags { get; set; }
+ public string AntiForgery { get; set; }
 }
 }
diff --git a/src/Orchard/Extensions/ExtensionManager.cs b/src/Orchard/Extensions/ExtensionManager.cs
index 6b0891536..5c030f89d 100644
--- a/src/Orchard/Extensions/ExtensionManager.cs
+++ b/src/Orchard/Extensions/ExtensionManager.cs
@@ -57,7 +57,8 @@ namespace Orchard.Extensions {
 Version = GetValue(fields, "version"),
 Author = GetValue(fields, "author"),
 HomePage = GetValue(fields, "homepage"),
- Tags = GetValue(fields, "tags")
+ Tags = GetValue(fields, "tags"),
+ AntiForgery = GetValue(fields, "antiforgery")
 };
 }
diff --git a/src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs b/src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs
index bd0370281..38c3292f0 100644
--- a/src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs
+++ b/src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs
@@ -1,7 +1,9 @@
+using System;
 using System.Collections.Specialized;
 using System.Web;
 using System.Web.Mvc;
 using JetBrains.Annotations;
+using Orchard.Extensions;
 using Orchard.Mvc.Filters;
 using Orchard.Security;
 using Orchard.Settings;
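Review bot: The new `AntiForgery` property on ExtensionDescriptor carries no documentation, and nothing on the type says which values mean anything; the only consumer in this commit, AntiForgeryAuthorizationFilter, accepts exactly the string "enabled" compared case-insensitively and treats every other value as off. A summary on the property such as `/// <summary>Raw value of the "antiforgery" field in Module.txt. Only "enabled" (case-insensitive) turns on anti-forgery token validation for this extension's area; any other value, or a missing field, leaves validation off.</summary>` would make that contract visible to module authors, who otherwise have to read the filter. Parsing the flag once in ExtensionManager into a bool (keeping the string for compatibility) would also keep the accepted vocabulary in one place rather than in the filter; whether GetValue yields null or an empty string for a missing field is not visible in this hunk, so the summary should not promise either.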
@@ -11,26 +13,46 @@ namespace Orchard.Mvc.AntiForgery {
 public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
 private readonly ISiteService _siteService;
 private readonly IAuthenticationService _authenticationService;
+ private readonly IExtensionManager _extensionManager;
- public AntiForgeryAuthorizationFilter(ISiteService siteService, IAuthenticationService authenticationService) {
+ public AntiForgeryAuthorizationFilter(ISiteService siteService, IAuthenticationService authenticationService, IExtensionManager extensionManager) {
 _siteService = siteService;
 _authenticationService = authenticationService;
+ _extensionManager = extensionManager;
 }
 public void OnAuthorization(AuthorizationContext filterContext) {
-#if false
 if ((filterContext.HttpContext.Request.HttpMethod != "POST" || _authenticationService.GetAuthenticatedUser() == null) && !ShouldValidateGet(filterContext)) {
 return;
 }
+ if (!IsAntiForgeryProtectionEnabled(filterContext)) {
+ return;
+ }
+
 var siteSalt = _siteService.GetSiteSettings().SiteSalt;
 var validator = new ValidateAntiForgeryTokenAttribute {Salt = siteSalt};
 validator.OnAuthorization(filterContext);
 if (filterContext.HttpContext is HackHttpContext)
 filterContext.HttpContext = ((HackHttpContext)filterContext.HttpContext).OriginalHttpContextBase;
-#endif
+ }
+
+ private bool IsAntiForgeryProtectionEnabled(ControllerContext context) {
 string currentModule = context.RouteData.Values["area"].ToString();
+ if (!String.IsNullOrEmpty(currentModule)) {
+ foreach (var descriptor in _extensionManager.AvailableExtensions()) {
+ if (String.Equals(descriptor.Name, currentModule, StringComparison.OrdinalIgnoreCase)) {
+ if (String.Equals(descriptor.AntiForgery, "enabled", StringComparison.OrdinalIgnoreCase)) {
+ return true;
+ }
+ return false;
+ }
+ }
+ }
+
+ return false;
 }
 private static bool ShouldValidateGet(AuthorizationContext context) {
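Review bot: `context.RouteData.Values["area"].ToString()` in IsAntiForgeryProtectionEnabled dereferences null when the matched route carries no "area" value, so an authenticated POST (or a GET that ShouldValidateGet accepts) on such a route ends in a NullReferenceException rather than a decision; `string currentModule = context.RouteData.Values["area"] as string;` keeps the IsNullOrEmpty branch below it meaningful, and if Orchard's routes publish the area name in DataTokens rather than Values this lookup is null for every request, which is worth confirming against the route registrations. The method also fails open: an area with no matching descriptor, or a descriptor whose AntiForgery field is anything other than "enabled", silently skips token validation, so a misspelled key in Module.txt or a module shipped without the line loses CSRF protection with no signal — both `return false;` paths deserve at least a log entry naming the area, and the intent belongs in a comment on the method such as `// Opt-in: only extensions declaring "antiforgery: enabled" in Module.txt get token validation; unknown areas and any other value skip it.` Lastly, AvailableExtensions() is walked linearly on every validated request; if that call touches the file system rather than a cache, the name-to-descriptor lookup should be memoized, though I cannot tell from this hunk.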