- AntiForgerFilter now opt-in for Orchard extensions such as modules and areas.

- "antiforgery: enabled" in your module.txt will enable the filter to do the antiforgery check on posts.

--HG--
branch : dev

src/Orchard.Web/Core/Common/Module.txt

@@ -1 +1,2 @@
 Name: Common
+antiforgery: enabled

src/Orchard.Web/Core/Dashboard/Module.txt

@@ -1 +1,2 @@
 name: Dashboard
+antiforgery: enabled

src/Orchard.Web/Core/Feeds/Module.txt

@@ -1 +1,2 @@
 name: Feeds
+antiforgery: enabled

src/Orchard.Web/Core/HomePage/Module.txt

@@ -1 +1,2 @@
 name: HomePage
+antiforgery: enabled

src/Orchard.Web/Core/Navigation/Module.txt

@@ -1 +1,2 @@
 name: Navigation
+antiforgery: enabled

src/Orchard.Web/Core/Scheduling/Module.txt

@@ -1 +1,2 @@
 name: Scheduling
+antiforgery: enabled

src/Orchard.Web/Core/Settings/Module.txt

@@ -1 +1,2 @@
 name: Settings
+antiforgery: enabled

src/Orchard.Web/Core/Themes/Module.txt

@@ -1 +1,2 @@
 name: Themes
+antiforgery: enabled

src/Orchard.Web/Core/XmlRpc/Module.txt

@@ -1 +1,2 @@
 Name: XmlRpc
+antiforgery: enabled

src/Orchard.Web/Modules/Futures.Widgets/Module.txt

@@ -1 +1,2 @@
 name: Widgets
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Blogs/Module.txt

@@ -1 +1,2 @@
 name: Blogs
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Comments/Module.txt

@@ -1 +1,2 @@
 name: Comments
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Media/Module.txt

@@ -1 +1,2 @@
 name: Media
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Pages/Module.txt

@@ -1 +1,2 @@
 name: Pages
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Roles/Module.txt

@@ -1 +1,2 @@
 name: Roles
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Setup/Module.txt

@@ -1 +1,2 @@
 name: Setup
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Tags/Module.txt

@@ -1 +1,2 @@
 name: Tags
+antiforgery: enabled

src/Orchard.Web/Modules/Orchard.Users/Module.txt

@@ -1 +1,2 @@
 name: Users
+antiforgery: enabled

src/Orchard.Web/Modules/TinyMce/Module.txt

@@ -1 +1,2 @@
 name: TinyMce
+antiforgery: enabled

src/Orchard/Extensions/ExtensionDescriptor.cs

@@ -22,5 +22,6 @@
         public string Author { get; set; }
         public string HomePage { get; set; }
         public string Tags { get; set; }
+        public string AntiForgery { get; set; }
     }
 }

src/Orchard/Extensions/ExtensionManager.cs

@@ -57,7 +57,8 @@ namespace Orchard.Extensions {
                 Version = GetValue(fields, "version"),
                 Author = GetValue(fields, "author"),
                 HomePage = GetValue(fields, "homepage"),
-                Tags = GetValue(fields, "tags")
+                Tags = GetValue(fields, "tags"),
+                AntiForgery = GetValue(fields, "antiforgery")
             };
         }
 

src/Orchard/Mvc/AntiForgery/AntiForgeryAuthorizationFilter.cs

@@ -1,7 +1,9 @@
+using System;
 using System.Collections.Specialized;
 using System.Web;
 using System.Web.Mvc;
 using JetBrains.Annotations;
+using Orchard.Extensions;
 using Orchard.Mvc.Filters;
 using Orchard.Security;
 using Orchard.Settings;
@@ -11,26 +13,46 @@ namespace Orchard.Mvc.AntiForgery {
     public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
         private readonly ISiteService _siteService;
         private readonly IAuthenticationService _authenticationService;
+        private readonly IExtensionManager _extensionManager;
 
-        public AntiForgeryAuthorizationFilter(ISiteService siteService, IAuthenticationService authenticationService) {
+        public AntiForgeryAuthorizationFilter(ISiteService siteService, IAuthenticationService authenticationService, IExtensionManager extensionManager) {
             _siteService = siteService;
             _authenticationService = authenticationService;
+            _extensionManager = extensionManager;
         }
 
         public void OnAuthorization(AuthorizationContext filterContext) {
-#if false
             if ((filterContext.HttpContext.Request.HttpMethod != "POST" ||
                  _authenticationService.GetAuthenticatedUser() == null) && !ShouldValidateGet(filterContext)) {
                 return;
             }
 
+            if (!IsAntiForgeryProtectionEnabled(filterContext)) {
+                return;
+            }
+
             var siteSalt = _siteService.GetSiteSettings().SiteSalt;
             var validator = new ValidateAntiForgeryTokenAttribute {Salt = siteSalt};
             validator.OnAuthorization(filterContext);
 
             if (filterContext.HttpContext is HackHttpContext)
                 filterContext.HttpContext = ((HackHttpContext)filterContext.HttpContext).OriginalHttpContextBase;
-#endif
+        }
+
+        private bool IsAntiForgeryProtectionEnabled(ControllerContext context) {
+            string currentModule = context.RouteData.Values["area"].ToString();
+            if (!String.IsNullOrEmpty(currentModule)) {
+                foreach (var descriptor in _extensionManager.AvailableExtensions()) {
+                    if (String.Equals(descriptor.Name, currentModule, StringComparison.OrdinalIgnoreCase)) {
+                        if (String.Equals(descriptor.AntiForgery, "enabled", StringComparison.OrdinalIgnoreCase)) {
+                            return true;
+                        }
+                        return false;
+                    }
+                }
+            }
+
+            return false;
         }
 
         private static bool ShouldValidateGet(AuthorizationContext context) {