Moved antiforgery generation into our own beginform helper.

--HG-- extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044036
2025-10-14 10:54:50 +08:00 · 2009-12-14 21:59:46 +00:00
parent b3f694dacd
commit ad7b193d2c
8 changed files with 60 additions and 20 deletions
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
@@ -3,12 +3,9 @@
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
 <% Html.Include("AdminHead"); %>
    <h2>Add Blog</h2>
-    <% using (Html.BeginForm()) { %>
+    <% using (Html.BeginFormAntiForgeryPost()) { %>
        <%=Html.ValidationSummary() %>
        <%=Html.EditorForItem(vm => vm.Blog) %>
-        <fieldset>
-            <%=Html.OrchardAntiForgeryToken() %>
-            <input class="button" type="submit" value="Create" />
-        </fieldset><%
+        <fieldset><input class="button" type="submit" value="Create" /></fieldset><%
       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
@@ -3,12 +3,9 @@
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
 <% Html.Include("AdminHead"); %>
    <h2>Edit Blog</h2>
-    <% using (Html.BeginForm()) { %>
+    <% using (Html.BeginFormAntiForgeryPost()) { %>
        <%=Html.ValidationSummary() %>
        <%=Html.EditorForItem(m => m.Blog) %>
-        <fieldset>
-            <%=Html.OrchardAntiForgeryToken() %>
-            <input class="button" type="submit" value="Save" />
-        </fieldset><%
+        <fieldset><input class="button" type="submit" value="Save" /></fieldset><%
       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
@@ -3,9 +3,8 @@
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
 <% Html.Include("AdminHead"); %>
    <h2>Add Post</h2>
-    <% using (Html.BeginForm()) { %>
+    <% using (Html.BeginFormAntiForgeryPost()) { %>
        <%=Html.ValidationSummary() %>
-        <%=Html.EditorForItem(m => m.BlogPost) %>
-        <%=Html.OrchardAntiForgeryToken() %><%
+        <%=Html.EditorForItem(m => m.BlogPost) %><%
       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
@@ -3,9 +3,8 @@
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
 <% Html.Include("AdminHead"); %>
    <h2>Edit Post</h2>
-    <% using (Html.BeginForm()) { %>
+    <% using (Html.BeginFormAntiForgeryPost()) { %>
        <%=Html.ValidationSummary() %>
-        <%=Html.EditorForItem(m => m.BlogPost) %>
-        <%=Html.OrchardAntiForgeryToken() %><%
+        <%=Html.EditorForItem(m => m.BlogPost) %><%
       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
+++ b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
@@ -11,6 +11,7 @@ namespace Orchard.Mvc.Filters {
            if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
                return;

+            //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
            ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = "Orchard" };

            validator.OnAuthorization(filterContext);
--- a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
+++ b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
@@ -4,6 +4,7 @@ using System.Linq;
 using System.Linq.Expressions;
 using System.Text;
 using System.Web.Mvc;
+using System.Web.Mvc.Html;
 using System.Web.Routing;
 using Orchard.Utility;

@@ -176,12 +177,39 @@ namespace Orchard.Mvc.Html {

        #endregion

-        #region OrchardAntiForgeryToken
+        #region BeginFormAntiForgeryPost

-        public static MvcHtmlString OrchardAntiForgeryToken(this HtmlHelper htmlHelper)
-        {
+        public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper) {
+            return htmlHelper.BeginFormAntiForgeryPost(htmlHelper.ViewContext.HttpContext.Request.RawUrl, FormMethod.Post, new RouteValueDictionary());
+        }
+        //TODO: (erikpo) Uncomment when needed (not currently needed)
+        //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction) {
+        //    return htmlHelper.BeginFormAntiForgeryPost(formAction, FormMethod.Post, new RouteValueDictionary());
+        //}
+        //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod) {
+        //    return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary());
+        //}
+        //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, object htmlAttributes) {
+        //    return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary(htmlAttributes));
+        //}
+        public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, IDictionary<string, object> htmlAttributes) {
+            TagBuilder tagBuilder = new TagBuilder("form");
+
+            tagBuilder.MergeAttributes(htmlAttributes);
+            tagBuilder.MergeAttribute("action", formAction);
+            tagBuilder.MergeAttribute("method", HtmlHelper.GetFormMethodString(formMethod), true);
+
+            htmlHelper.ViewContext.HttpContext.Response.Write(tagBuilder.ToString(TagRenderMode.StartTag));
+
+            return new MvcFormAntiForgeryPost(htmlHelper);
+        }
+
+        #endregion
+
+        #region AntiForgeryTokenOrchard
+
+        public static MvcHtmlString AntiForgeryTokenOrchard(this HtmlHelper htmlHelper) {
            //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
-            
            return htmlHelper.AntiForgeryToken("Orchard");
        }

--- a/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
+++ b/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
@@ -0,0 +1,18 @@
+using System.Web.Mvc;
+using System.Web.Mvc.Html;
+
+namespace Orchard.Mvc.Html {
+    public class MvcFormAntiForgeryPost : MvcForm {
+        private readonly HtmlHelper _htmlHelper;
+
+        public MvcFormAntiForgeryPost(HtmlHelper htmlHelper) : base(htmlHelper.ViewContext) {
+            _htmlHelper = htmlHelper;
+        }
+
+        protected override void Dispose(bool disposing) {
+            _htmlHelper.ViewContext.RequestContext.HttpContext.Response.Write(_htmlHelper.AntiForgeryTokenOrchard());
+
+            base.Dispose(disposing);
+        }
+    }
+}
--- a/src/Orchard/Orchard.csproj
+++ b/src/Orchard/Orchard.csproj
@@ -200,6 +200,7 @@
    <Compile Include="Mvc\Html\ContentItemExtensions.cs" />
    <Compile Include="Mvc\Html\ItemDisplayExtensions.cs" />
    <Compile Include="Mvc\Html\ItemEditorExtensions.cs" />
+    <Compile Include="Mvc\Html\MvcFormAntiForgeryPost.cs" />
    <Compile Include="Mvc\MvcModule.cs" />
    <Compile Include="Mvc\Html\HtmlHelperExtensions.cs" />
    <Compile Include="Mvc\Filters\FilterProvider.cs" />