Converted LogOn, LogOff, AccessDenied to use the new FollowReturnUrl attribute

--HG--
branch : dev

src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs

@@ -5,6 +5,7 @@ using System.Security.Principal;
 using System.Web.Mvc;
 using System.Web.Security;
 using Orchard.Logging;
+using Orchard.Mvc.FollowReturnUrl;
 using Orchard.Mvc.ViewModels;
 using Orchard.Security;
 using Orchard.Users.Services;
@@ -17,7 +18,6 @@ namespace Orchard.Users.Controllers {
         private readonly IMembershipService _membershipService;
         private readonly IUserService _userService;
 
-
         public AccountController(
             IAuthenticationService authenticationService, 
             IMembershipService membershipService,
@@ -30,46 +30,47 @@ namespace Orchard.Users.Controllers {
 
         public ILogger Logger { get; set; }
 
-        public ActionResult AccessDenied(string returnUrl) {
+        public ActionResult AccessDenied() {
+            var returnUrl = Request.QueryString["ReturnUrl"];
             var currentUser = _authenticationService.GetAuthenticatedUser();
 
             if (currentUser == null) {
                 Logger.Information("Access denied to anonymous request on {0}", returnUrl);
-                return View("LogOn", new LogOnViewModel { Title = "Access Denied", ReturnUrl = returnUrl });
+                return View("LogOn", new LogOnViewModel {Title = "Access Denied"});
             }
 
+            //TODO: (erikpo) Add a setting for whether or not to log access denieds since these can fill up a database pretty fast from bots on a high traffic site
             Logger.Information("Access denied to user #{0} '{1}' on {2}", currentUser.Id, currentUser.UserName, returnUrl);
+
             return View(new BaseViewModel());
         }
 
-        public ActionResult LogOn(string returnUrl) {
-            if(_authenticationService.GetAuthenticatedUser() != null)
+        public ActionResult LogOn() {
+            if (_authenticationService.GetAuthenticatedUser() != null)
                 return Redirect("~/");
-            return View("LogOn", new LogOnViewModel { Title = "Log On", ReturnUrl = returnUrl });
+
+            return View("LogOn", new LogOnViewModel {Title = "Log On"});
         }
 
-        [HttpPost]
+        [HttpPost, FollowReturnUrl]
         [SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
             Justification = "Needs to take same parameter type as Controller.Redirect()")]
-        public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl) {
+        public ActionResult LogOn(string userName, string password, bool rememberMe) {
             var user = ValidateLogOn(userName, password);
             if (!ModelState.IsValid) {
-                return View("LogOn", new LogOnViewModel { Title = "Log On", ReturnUrl = returnUrl });
+                return View("LogOn", new LogOnViewModel {Title = "Log On"});
             }
 
             _authenticationService.SignIn(user, rememberMe);
 
-            return !String.IsNullOrEmpty(returnUrl)
-                ? Redirect(returnUrl)
-                : Redirect("~/");
+            return Redirect("~/");
         }
 
-        public ActionResult LogOff(string returnUrl) {
+        [FollowReturnUrl]
+        public ActionResult LogOff() {
             _authenticationService.SignOut();
 
-            return !String.IsNullOrEmpty(returnUrl)
-                ? Redirect(returnUrl)
-                : Redirect("~/");
+            return Redirect("~/");
         }
 
         int MinPasswordLength {

src/Orchard.Web/Modules/Orchard.Users/ViewModels/LogOnViewModel.cs

@@ -1,10 +1,7 @@
-using System;
-using Orchard.Mvc.ViewModels;
+using Orchard.Mvc.ViewModels;
 
 namespace Orchard.Users.ViewModels {
     public class LogOnViewModel : BaseViewModel {
         public string Title { get; set; }
-
-        public string ReturnUrl { get; set; }
     }
 }

src/Orchard.Web/Modules/Orchard.Users/Views/Account/LogOn.ascx

@@ -3,25 +3,23 @@
 <h1><%=Html.TitleForPage(Model.Title)%></h1>
 <p><%=_Encoded("Please enter your username and password.")%> <%= Html.ActionLink("Register", "Register")%><%=_Encoded(" if you don't have an account.")%></p>
 <%= Html.ValidationSummary(T("Login was unsuccessful. Please correct the errors and try again.").ToString())%>
-<% using (Html.BeginForm(new { Action = "LogOn" }))
-   { %>
-    <fieldset>
-        <legend><%=_Encoded("Account Information")%></legend>
-        <div>
-            <label for="username"><%=_Encoded("Username:")%></label>
-            <%= Html.TextBox("username")%>
-            <%= Html.ValidationMessage("username")%>
-        </div>
-        <div>
-            <label for="password"><%=_Encoded("Password:")%></label>
-            <%= Html.Password("password")%>
-            <%= Html.ValidationMessage("password")%>
-        </div>
-        <div>
-            <%= Html.CheckBox("rememberMe")%><label class="forcheckbox" for="rememberMe"><%=_Encoded("Remember me?")%></label>
-        </div>
-            <%=Html.HiddenFor(m => m.ReturnUrl)%>
-            <%=Html.AntiForgeryTokenOrchard()%>
-            <input type="submit" value="<%=_Encoded("Log On") %>" />
-    </fieldset>
-<% } %>
+<%
+using (Html.BeginFormAntiForgeryPost(Url.Action("LogOn", new {ReturnUrl = Request.QueryString["ReturnUrl"]}))) { %>
+<fieldset>
+    <legend><%=_Encoded("Account Information")%></legend>
+    <div>
+        <label for="username"><%=_Encoded("Username:")%></label>
+        <%= Html.TextBox("username")%>
+        <%= Html.ValidationMessage("username")%>
+    </div>
+    <div>
+        <label for="password"><%=_Encoded("Password:")%></label>
+        <%= Html.Password("password")%>
+        <%= Html.ValidationMessage("password")%>
+    </div>
+    <div>
+        <%= Html.CheckBox("rememberMe")%><label class="forcheckbox" for="rememberMe"><%=_Encoded("Remember me?")%></label>
+    </div>
+    <input type="submit" value="<%=_Encoded("Log On") %>" />
+</fieldset><%
+} %>