From ad7b193d2ce9259c5aa0b8e45379b7cafcad68ef Mon Sep 17 00:00:00 2001
From: ErikPorter
Date: Mon, 14 Dec 2009 21:59:46 +0000
Subject: [PATCH] Moved antiforgery generation into our own beginform helper.

--HG--
extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044036
---
 .../Orchard.Blogs/Views/Blog/Create.aspx | 7 ++--
 .../Orchard.Blogs/Views/Blog/Edit.aspx | 7 ++--
 .../Orchard.Blogs/Views/BlogPost/Create.aspx | 5 ++-
 .../Orchard.Blogs/Views/BlogPost/Edit.aspx | 5 ++-
 .../Filters/AntiForgeryAuthorizationFilter.cs | 1 +
 src/Orchard/Mvc/Html/HtmlHelperExtensions.cs | 36 ++++++++++++++++---
 .../Mvc/Html/MvcFormAntiForgeryPost.cs | 18 ++++++++++
 src/Orchard/Orchard.csproj | 1 +
 8 files changed, 60 insertions(+), 20 deletions(-)
 create mode 100644 src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
index a56cc2ab8..5fe49baf6 100644
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
@@ -3,12 +3,9 @@ <%@ Import Namespace="Orchard.Blogs.ViewModels"%> <% Html.Include("AdminHead"); %>

Add Blog

- <% using (Html.BeginForm()) { %> + <% using (Html.BeginFormAntiForgeryPost()) { %> <%=Html.ValidationSummary() %> <%=Html.EditorForItem(vm => vm.Blog) %> -
- <%=Html.OrchardAntiForgeryToken() %> - -
<% +
<% } %> <% Html.Include("AdminFoot"); %> \ No newline at end of file diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx index cf41724df..e3d4a6ee1 100644 --- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx +++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx @@ -3,12 +3,9 @@ <%@ Import Namespace="Orchard.Blogs.ViewModels"%> <% Html.Include("AdminHead"); %>

Edit Blog

- <% using (Html.BeginForm()) { %> + <% using (Html.BeginFormAntiForgeryPost()) { %> <%=Html.ValidationSummary() %> <%=Html.EditorForItem(m => m.Blog) %> -
- <%=Html.OrchardAntiForgeryToken() %> - -
<% +
<% } %> <% Html.Include("AdminFoot"); %> \ No newline at end of file diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx index b987670aa..2521dc878 100644 --- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx +++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx @@ -3,9 +3,8 @@ <%@ Import Namespace="Orchard.Blogs.ViewModels"%> <% Html.Include("AdminHead"); %>

Add Post

- <% using (Html.BeginForm()) { %> + <% using (Html.BeginFormAntiForgeryPost()) { %> <%=Html.ValidationSummary() %> - <%=Html.EditorForItem(m => m.BlogPost) %> - <%=Html.OrchardAntiForgeryToken() %><% + <%=Html.EditorForItem(m => m.BlogPost) %><% } %> <% Html.Include("AdminFoot"); %> \ No newline at end of file diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx index 9493faa72..d68f1b35f 100644 --- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx +++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx @@ -3,9 +3,8 @@ <%@ Import Namespace="Orchard.Blogs.ViewModels"%> <% Html.Include("AdminHead"); %>

Edit Post

- <% using (Html.BeginForm()) { %> + <% using (Html.BeginFormAntiForgeryPost()) { %> <%=Html.ValidationSummary() %> - <%=Html.EditorForItem(m => m.BlogPost) %> - <%=Html.OrchardAntiForgeryToken() %><% + <%=Html.EditorForItem(m => m.BlogPost) %><% } %> <% Html.Include("AdminFoot"); %> \ No newline at end of file diff --git a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs index 78d04a23c..551796b3d 100644 --- a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs +++ b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs @@ -11,6 +11,7 @@ namespace Orchard.Mvc.Filters { if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated)) return; + //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = "Orchard" }; validator.OnAuthorization(filterContext); diff --git a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs index b411f3b71..97c3be3f0 100644 --- a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs +++ b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs @@ -4,6 +4,7 @@ using System.Linq; using System.Linq.Expressions; using System.Text; using System.Web.Mvc; +using System.Web.Mvc.Html; using System.Web.Routing; using Orchard.Utility; 
@@ -176,12 +177,39 @@ namespace Orchard.Mvc.Html { #endregion - #region OrchardAntiForgeryToken + #region BeginFormAntiForgeryPost - public static MvcHtmlString OrchardAntiForgeryToken(this HtmlHelper htmlHelper) - { + public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper) { + return htmlHelper.BeginFormAntiForgeryPost(htmlHelper.ViewContext.HttpContext.Request.RawUrl, FormMethod.Post, new RouteValueDictionary()); + } + //TODO: (erikpo) Uncomment when needed (not currently needed) + //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction) { + // return htmlHelper.BeginFormAntiForgeryPost(formAction, FormMethod.Post, new RouteValueDictionary()); + //} + //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod) { + // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary()); + //} + //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, object htmlAttributes) { + // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary(htmlAttributes)); + //} + public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, IDictionary htmlAttributes) { + TagBuilder tagBuilder = new TagBuilder("form"); + + tagBuilder.MergeAttributes(htmlAttributes); + tagBuilder.MergeAttribute("action", formAction); + tagBuilder.MergeAttribute("method", HtmlHelper.GetFormMethodString(formMethod), true); + + htmlHelper.ViewContext.HttpContext.Response.Write(tagBuilder.ToString(TagRenderMode.StartTag)); + + return new MvcFormAntiForgeryPost(htmlHelper); + } + + #endregion + + #region AntiForgeryTokenOrchard + + public static MvcHtmlString AntiForgeryTokenOrchard(this HtmlHelper htmlHelper) { //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a 
Guid.NewGuid().ToString("N") value - return htmlHelper.AntiForgeryToken("Orchard"); }
diff --git a/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs b/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
new file mode 100644
index 000000000..8b9fb18d7
--- /dev/null
+++ b/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
@@ -0,0 +1,18 @@
+using System.Web.Mvc;
+using System.Web.Mvc.Html;
+
+namespace Orchard.Mvc.Html {
+ public class MvcFormAntiForgeryPost : MvcForm {
+ private readonly HtmlHelper _htmlHelper;
+
+ public MvcFormAntiForgeryPost(HtmlHelper htmlHelper) : base(htmlHelper.ViewContext) {
+ _htmlHelper = htmlHelper;
+ }
+
+ protected override void Dispose(bool disposing) {
+ _htmlHelper.ViewContext.RequestContext.HttpContext.Response.Write(_htmlHelper.AntiForgeryTokenOrchard());
+
+ base.Dispose(disposing);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Orchard/Orchard.csproj b/src/Orchard/Orchard.csproj
index 222d8ce99..361cfd95c 100644
--- a/src/Orchard/Orchard.csproj
+++ b/src/Orchard/Orchard.csproj
@@ -200,6 +200,7 @@ +
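Review bot: The public four-argument `BeginFormAntiForgeryPost(htmlHelper, formAction, formMethod, htmlAttributes)` accepts any `FormMethod`, but the token the returned `MvcFormAntiForgeryPost` emits is only validated by `AntiForgeryAuthorizationFilter` on POST (the filter hunk's context line checks `Request.HttpMethod == "POST"`), so a caller passing `FormMethod.Get` would get a form whose token is never checked and is sent in the query string, where it lands in URLs, logs and referer headers. Since the helper's name already promises POST, reject anything else at the top of the overload: `if (formMethod != FormMethod.Post) throw new ArgumentException("BeginFormAntiForgeryPost only supports FormMethod.Post", "formMethod");`, and drop the `formMethod` parameter from the commented-out overloads when they are revived. As rendered, the hunk also shows `return htmlHelper.AntiForgeryToken("Orchard");` removed with no added replacement, which would leave `AntiForgeryTokenOrchard` without a return statement and fail to compile; if that is a rendering artifact of this page, ignore it, otherwise the line needs to stay. The enclosing `#region` and the closing of `AntiForgeryTokenOrchard` continue past the end of the hunk.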
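Review bot: `MvcFormAntiForgeryPost.Dispose(bool)` writes the anti-forgery hidden field on every invocation, with no guard on `disposing` or on repeated calls, whereas the base `MvcForm` (as I recall it) makes its own `</form>` write idempotent; calling `EndForm()` inside a `using` block, or any double dispose, would therefore emit two `__RequestVerificationToken` inputs, and a duplicated form field is the kind of thing that makes the later validation fail in surprising ways. Track whether the token has already been written and only write it on the managed-dispose path, then let the base class close the form as before. The constructor also dereferences `htmlHelper.ViewContext` before the null check it lacks; `if (htmlHelper == null) throw new ArgumentNullException("htmlHelper");` ahead of the base call would give a clearer failure than a NullReferenceException from the initializer.
```csharp
private readonly HtmlHelper _htmlHelper;
private bool _tokenWritten;

// … unchanged: constructor …

protected override void Dispose(bool disposing) {
    if (disposing && !_tokenWritten) {
        _tokenWritten = true;
        _htmlHelper.ViewContext.RequestContext.HttpContext.Response.Write(_htmlHelper.AntiForgeryTokenOrchard());
    }

    base.Dispose(disposing);
}
```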