lsm/Orchard
1
0
Fork 0
mirror of https://github.com/OrchardCMS/Orchard.git synced 2025-10-15 19:54:57 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

Added AntiForgery token to all blog authenticated http post methods.

Browse Source 
--HG--
extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044014
This commit is contained in:
ErikPorter
2009-12-14 18:29:03 +00:00
parent f7c5d33efc
commit b3f694dacd
7 changed files with 49 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
View File

@@ -6,6 +6,9 @@
<% using (Html.BeginForm()) { %> <% using (Html.BeginForm()) { %>
<%=Html.ValidationSummary() %> <%=Html.ValidationSummary() %>
<%=Html.EditorForItem(vm => vm.Blog) %> <%=Html.EditorForItem(vm => vm.Blog) %>
<fieldset><input class="button" type="submit" value="Create" /></fieldset> <fieldset>
<% } %> <%=Html.OrchardAntiForgeryToken() %>
<input class="button" type="submit" value="Create" />
</fieldset><%
} %>
<% Html.Include("AdminFoot"); %> <% Html.Include("AdminFoot"); %>

7
src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
View File

@@ -6,6 +6,9 @@
<% using (Html.BeginForm()) { %> <% using (Html.BeginForm()) { %>
<%=Html.ValidationSummary() %> <%=Html.ValidationSummary() %>
<%=Html.EditorForItem(m => m.Blog) %> <%=Html.EditorForItem(m => m.Blog) %>
<fieldset><input class="button" type="submit" value="Save" /></fieldset> <fieldset>
<% } %> <%=Html.OrchardAntiForgeryToken() %>
<input class="button" type="submit" value="Save" />
</fieldset><%
} %>
<% Html.Include("AdminFoot"); %> <% Html.Include("AdminFoot"); %>

13
src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
View File

@@ -1,12 +1,11 @@
<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<CreateBlogPostViewModel>" %> <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<CreateBlogPostViewModel>" %>
<%@ Import Namespace="Orchard.Mvc.Html"%>
<%@ Import Namespace="Orchard.Blogs.ViewModels"%> <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<%@ Import Namespace="Orchard.Blogs.Extensions"%>
<%@ Import Namespace="Orchard.Security" %>
<%@ Import Namespace="Orchard.Mvc.Html" %>
<% Html.Include("AdminHead"); %> <% Html.Include("AdminHead"); %>
<h2>Add Post</h2> <h2>Add Post</h2>
<%using (Html.BeginForm()) { %> <% using (Html.BeginForm()) { %>
<%= Html.ValidationSummary() %> <%=Html.ValidationSummary() %>
<%= Html.EditorForItem(m => m.BlogPost) %> <%=Html.EditorForItem(m => m.BlogPost) %>
<% } %> <%=Html.OrchardAntiForgeryToken() %><%
} %>
<% Html.Include("AdminFoot"); %> <% Html.Include("AdminFoot"); %>

4
src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
View File

@@ -1,11 +1,11 @@
<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<BlogPostEditViewModel>" %> <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage<BlogPostEditViewModel>" %>
<%@ Import Namespace="Orchard.Mvc.Html"%> <%@ Import Namespace="Orchard.Mvc.Html"%>
<%@ Import Namespace="Orchard.Blogs.Extensions"%>
<%@ Import Namespace="Orchard.Blogs.ViewModels"%> <%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<% Html.Include("AdminHead"); %> <% Html.Include("AdminHead"); %>
<h2>Edit Post</h2> <h2>Edit Post</h2>
<% using (Html.BeginForm()) { %> <% using (Html.BeginForm()) { %>
<%=Html.ValidationSummary() %> <%=Html.ValidationSummary() %>
<%=Html.EditorForItem(m => m.BlogPost) %> <%=Html.EditorForItem(m => m.BlogPost) %>
<% } %> <%=Html.OrchardAntiForgeryToken() %><%
} %>
<% Html.Include("AdminFoot"); %> <% Html.Include("AdminFoot"); %>

19
src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs Normal file
View File

@@ -0,0 +1,19 @@
using System.Web.Mvc;
namespace Orchard.Mvc.Filters {
public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
public void OnAuthorization(AuthorizationContext filterContext) {
//TODO: (erikpo) Once all modules are moved over to use the AntiForgeryToken, get rid of this if statement
if (!(filterContext.RouteData.Values["area"] is string
&& (string)filterContext.RouteData.Values["area"] == "Orchard.Blogs"))
return;
if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
return;
ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = "Orchard" };
validator.OnAuthorization(filterContext);
}
}
}

11
src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
View File

@@ -175,5 +175,16 @@ namespace Orchard.Mvc.Html {
} }
#endregion #endregion
#region OrchardAntiForgeryToken
public static MvcHtmlString OrchardAntiForgeryToken(this HtmlHelper htmlHelper)
{
//TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
return htmlHelper.AntiForgeryToken("Orchard");
}
#endregion
} }
} }

1
src/Orchard/Orchard.csproj
View File

@@ -196,6 +196,7 @@
<Compile Include="Models\ViewModels\TemplateViewModel.cs" /> <Compile Include="Models\ViewModels\TemplateViewModel.cs" />
<Compile Include="Models\ViewModels\ItemDisplayModel.cs" /> <Compile Include="Models\ViewModels\ItemDisplayModel.cs" />
<Compile Include="Models\ViewModels\ItemEditorModel.cs" /> <Compile Include="Models\ViewModels\ItemEditorModel.cs" />
<Compile Include="Mvc\Filters\AntiForgeryAuthorizationFilter.cs" />
<Compile Include="Mvc\Html\ContentItemExtensions.cs" /> <Compile Include="Mvc\Html\ContentItemExtensions.cs" />
<Compile Include="Mvc\Html\ItemDisplayExtensions.cs" /> <Compile Include="Mvc\Html\ItemDisplayExtensions.cs" />
<Compile Include="Mvc\Html\ItemEditorExtensions.cs" /> <Compile Include="Mvc\Html\ItemEditorExtensions.cs" />