Added AntiForgery token to all blog authenticated http post methods.

--HG-- extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044014
2025-10-14 10:54:50 +08:00 · 2009-12-14 18:29:03 +00:00
parent f7c5d33efc
commit b3f694dacd
7 changed files with 49 additions and 13 deletions
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
@@ -6,6 +6,9 @@
    <% using (Html.BeginForm()) { %>
        <%=Html.ValidationSummary() %>
        <%=Html.EditorForItem(vm => vm.Blog) %>
-        <fieldset><input class="button" type="submit" value="Create" /></fieldset>
-    <% } %>
+        <fieldset>
+            <%=Html.OrchardAntiForgeryToken() %>
+            <input class="button" type="submit" value="Create" />
+        </fieldset><%
+       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
@@ -6,6 +6,9 @@
    <% using (Html.BeginForm()) { %>
        <%=Html.ValidationSummary() %>
        <%=Html.EditorForItem(m => m.Blog) %>
-        <fieldset><input class="button" type="submit" value="Save" /></fieldset>
-    <% } %>
+        <fieldset>
+            <%=Html.OrchardAntiForgeryToken() %>
+            <input class="button" type="submit" value="Save" />
+        </fieldset><%
+       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
@@ -1,12 +1,11 @@
 <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<CreateBlogPostViewModel>" %>
+<%@ Import Namespace="Orchard.Mvc.Html"%>
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
-<%@ Import Namespace="Orchard.Blogs.Extensions"%>
-<%@ Import Namespace="Orchard.Security" %>
-<%@ Import Namespace="Orchard.Mvc.Html" %>
 <% Html.Include("AdminHead"); %>
    <h2>Add Post</h2>
-    <%using (Html.BeginForm()) { %>
-        <%= Html.ValidationSummary() %>
-        <%= Html.EditorForItem(m => m.BlogPost) %>
-    <% } %>
+    <% using (Html.BeginForm()) { %>
+        <%=Html.ValidationSummary() %>
+        <%=Html.EditorForItem(m => m.BlogPost) %>
+        <%=Html.OrchardAntiForgeryToken() %><%
+       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
@@ -1,11 +1,11 @@
 <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<BlogPostEditViewModel>" %>
 <%@ Import Namespace="Orchard.Mvc.Html"%>
-<%@ Import Namespace="Orchard.Blogs.Extensions"%>
 <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
 <% Html.Include("AdminHead"); %>
    <h2>Edit Post</h2>
    <% using (Html.BeginForm()) { %>
        <%=Html.ValidationSummary() %>
        <%=Html.EditorForItem(m => m.BlogPost) %>
-    <% } %>
+        <%=Html.OrchardAntiForgeryToken() %><%
+       } %>
 <% Html.Include("AdminFoot"); %>
--- a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
+++ b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
@@ -0,0 +1,19 @@
+using System.Web.Mvc;
+
+namespace Orchard.Mvc.Filters {
+    public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
+        public void OnAuthorization(AuthorizationContext filterContext) {
+            //TODO: (erikpo) Once all modules are moved over to use the AntiForgeryToken, get rid of this if statement
+            if (!(filterContext.RouteData.Values["area"] is string
+                && (string)filterContext.RouteData.Values["area"] == "Orchard.Blogs"))
+                return;
+            
+            if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
+                return;
+
+            ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = "Orchard" };
+
+            validator.OnAuthorization(filterContext);
+        }
+    }
+}
--- a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
+++ b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
@@ -175,5 +175,16 @@ namespace Orchard.Mvc.Html {
        }

        #endregion
+
+        #region OrchardAntiForgeryToken
+
+        public static MvcHtmlString OrchardAntiForgeryToken(this HtmlHelper htmlHelper)
+        {
+            //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
+            
+            return htmlHelper.AntiForgeryToken("Orchard");
+        }
+
+        #endregion
    }
 }
--- a/src/Orchard/Orchard.csproj
+++ b/src/Orchard/Orchard.csproj
@@ -196,6 +196,7 @@
    <Compile Include="Models\ViewModels\TemplateViewModel.cs" />
    <Compile Include="Models\ViewModels\ItemDisplayModel.cs" />
    <Compile Include="Models\ViewModels\ItemEditorModel.cs" />
+    <Compile Include="Mvc\Filters\AntiForgeryAuthorizationFilter.cs" />
    <Compile Include="Mvc\Html\ContentItemExtensions.cs" />
    <Compile Include="Mvc\Html\ItemDisplayExtensions.cs" />
    <Compile Include="Mvc\Html\ItemEditorExtensions.cs" />