From fd2b62437f1d1ac9593408b0232095b127167814 Mon Sep 17 00:00:00 2001 
From: skewed Date: Wed, 23 Dec 2009 16:30:15 +0000 Subject: [PATCH] - Some AntiForgeryToken work including making used of SiteSalt - Moving all* BeginForm usage to BeginFormAntiForgeryPost *except for "complicated" BeginForms that get an AntiForgeryTokenOrchard inserted manually - Some page title cleanup (mainly in the admin) --HG-- extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4044508 --- .../Filters/AntiForgeryAuthorizationFilter.cs | 25 +++ .../Mvc/Html/AntiForgeryTokenExtensions.cs | 15 ++ .../Common/Mvc/Html/BeginFormExtensions.cs | 35 ++++ .../Mvc/Html/MvcFormAntiForgeryPost.cs | 2 +- src/Orchard.Web/Core/Orchard.Core.csproj | 4 + .../Settings/Records/SiteSettingsRecord.cs | 1 + .../Core/Settings/Services/SiteService.cs | 6 +- .../Core/Settings/Views/Admin/Index.aspx | 1 - .../Core/Themes/Views/Admin/Index.aspx | 3 +- .../Core/Themes/Views/Admin/Install.aspx | 4 +- src/Orchard.Web/Core/Themes/Views/layout.ascx | 3 +- src/Orchard.Web/Core/Web.config | 2 + .../Orchard.Blogs/Views/Blog/Create.ascx | 4 +- .../Orchard.Blogs/Views/Blog/Edit.ascx | 4 +- .../Orchard.Blogs/Views/Blog/Item.ascx | 1 - .../Orchard.Blogs/Views/Blog/List.ascx | 1 - .../Orchard.Blogs/Views/BlogAdmin/Item.ascx | 1 - .../Orchard.Blogs/Views/BlogAdmin/List.ascx | 4 +- .../Orchard.Blogs/Views/BlogPost/Create.ascx | 4 +- .../Orchard.Blogs/Views/BlogPost/Edit.ascx | 4 +- .../Orchard.Blogs/Views/BlogPost/Item.ascx | 1 - .../Items/Blogs.Blog.DetailAdmin.ascx | 1 - .../Items/Blogs.Blog.Summary.ascx | 1 - .../DisplayTemplates/Items/Blogs.Blog.ascx | 1 - .../Items/Blogs.BlogPost.ascx | 1 - .../Parts/Blogs.BlogPost.List.ascx | 1 - .../EditorTemplates/Items/Blogs.Blog.ascx | 1 - .../EditorTemplates/Items/Blogs.BlogPost.ascx | 1 - .../Packages/Orchard.Blogs/Web.config | 2 + .../Views/Admin/BulkDeleteConfirm.aspx | 3 +- .../Views/Admin/BulkPublishLater.aspx | 3 +- .../Views/Admin/ChooseTemplate.aspx | 3 +- .../Orchard.CmsPages/Views/Admin/Create.aspx | 3 +- 
.../Orchard.CmsPages/Views/Admin/Edit.aspx | 5 +- .../Orchard.CmsPages/Views/Admin/Export.aspx | 3 +- .../Orchard.CmsPages/Views/Admin/Index.aspx | 3 +- .../Views/Templates/ThreeColumns.aspx | 1 - .../Views/Templates/TwoColumns.aspx | 1 - .../Packages/Orchard.CmsPages/Web.config | 2 + .../Orchard.Comments/Orchard.Comments.csproj | 4 + .../Orchard.Comments/Views/Admin/Create.aspx | 7 +- .../Orchard.Comments/Views/Admin/Details.aspx | 12 +- .../Orchard.Comments/Views/Admin/Edit.aspx | 5 +- .../Orchard.Comments/Views/Admin/Index.aspx | 12 +- .../Parts/Comments.Count.ascx | 1 - .../Parts/Comments.HasComments.ascx | 2 +- .../Packages/Orchard.Comments/Web.config | 2 + .../Views/Content/Details.aspx | 1 - .../Orchard.DevTools/Views/Content/Index.aspx | 1 - .../Orchard.DevTools/Views/Home/Index.aspx | 1 - .../Packages/Orchard.DevTools/Web.config | 1 + .../Orchard.Media/Views/Admin/Add.aspx | 4 +- .../Orchard.Media/Views/Admin/Create.aspx | 3 +- .../Orchard.Media/Views/Admin/Edit.aspx | 7 +- .../Orchard.Media/Views/Admin/EditMedia.aspx | 3 +- .../Views/Admin/EditProperties.aspx | 9 +- .../Orchard.Media/Views/Admin/Index.aspx | 7 +- .../Packages/Orchard.Media/Web.config | 2 + .../Orchard.Roles/Orchard.Roles.csproj | 4 + .../Orchard.Roles/Views/Admin/Create.aspx | 3 +- .../Orchard.Roles/Views/Admin/Edit.aspx | 5 +- .../Orchard.Roles/Views/Admin/Index.aspx | 5 +- .../Packages/Orchard.Roles/Web.config | 2 + .../Items/Sandbox.Page.Summary.ascx | 1 - .../DisplayTemplates/Items/Sandbox.Page.ascx | 1 - .../Parts/Sandbox.Page.Title.ascx | 1 - .../EditorTemplates/Items/Sandbox.Page.ascx | 1 - .../Orchard.Sandbox/Views/Page/Create.aspx | 2 - .../Orchard.Sandbox/Views/Page/Edit.aspx | 2 - .../Orchard.Sandbox/Views/Page/Index.aspx | 1 - .../Orchard.Sandbox/Views/Page/Show.aspx | 1 - .../Packages/Orchard.Sandbox/Web.config | 2 + .../Packages/Orchard.Tags/Orchard.Tags.csproj | 4 + .../Orchard.Tags/Views/Admin/Create.aspx | 12 +- .../Orchard.Tags/Views/Admin/Edit.aspx | 9 +- 
.../Orchard.Tags/Views/Admin/Index.aspx | 12 +- .../Orchard.Tags/Views/Admin/Search.aspx | 5 +- .../DisplayTemplates/Parts/Tags.ShowTags.ascx | 1 - .../EditorTemplates/Parts/Tags.EditTags.ascx | 1 - .../Orchard.Tags/Views/Home/Index.aspx | 1 - .../Orchard.Tags/Views/Home/Search.aspx | 1 - .../Packages/Orchard.Tags/Web.config | 2 + .../Orchard.Users/Orchard.Users.csproj | 4 + .../Orchard.Users/Views/Admin/Create.aspx | 4 +- .../Orchard.Users/Views/Admin/Edit.aspx | 21 +-- .../Orchard.Users/Views/Admin/Index.aspx | 3 +- .../EditorTemplates/Items/Users.User.ascx | 1 - .../Packages/Orchard.Users/Web.config | 2 + .../Packages/TinyMce/TinyMce.csproj | 3 + .../EditorTemplates/TinyMceTextEditor.ascx | 2 - src/Orchard.Web/Packages/TinyMce/Web.config | 154 ++++++++++++++++++ .../Themes/Orange/Views/layout.ascx | 3 +- .../Themes/TheAdmin/Views/layout.ascx | 3 +- .../Views/Account/ChangePassword.ascx | 4 +- .../Views/Account/ChangePasswordSuccess.ascx | 4 +- src/Orchard.Web/Views/Account/LogOn.ascx | 8 +- src/Orchard.Web/Views/Account/Register.ascx | 13 +- src/Orchard.Web/Views/Home/About.ascx | 4 +- src/Orchard.Web/Views/Home/Index.ascx | 2 - src/Orchard.Web/Views/Shared/Error.aspx | 2 +- .../Views/Templates/ThreeColumns.aspx | 1 - .../Views/Templates/TwoColumns.aspx | 1 - src/Orchard.Web/Web.config | 2 + .../Filters/AntiForgeryAuthorizationFilter.cs | 15 -- src/Orchard/Mvc/Html/HtmlHelperExtensions.cs | 38 ----- src/Orchard/Orchard.csproj | 2 - 106 files changed, 372 insertions(+), 248 deletions(-) create mode 100644 src/Orchard.Web/Core/Common/Mvc/Filters/AntiForgeryAuthorizationFilter.cs create mode 100644 src/Orchard.Web/Core/Common/Mvc/Html/AntiForgeryTokenExtensions.cs create mode 100644 src/Orchard.Web/Core/Common/Mvc/Html/BeginFormExtensions.cs rename src/{Orchard => Orchard.Web/Core/Common}/Mvc/Html/MvcFormAntiForgeryPost.cs (89%) create mode 100644 src/Orchard.Web/Packages/TinyMce/Web.config delete mode 100644 
src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
diff --git a/src/Orchard.Web/Core/Common/Mvc/Filters/AntiForgeryAuthorizationFilter.cs b/src/Orchard.Web/Core/Common/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
new file mode 100644
index 000000000..387f5f6f7
--- /dev/null
+++ b/src/Orchard.Web/Core/Common/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
@@ -0,0 +1,25 @@
+using System.Web.Mvc;
+using Orchard.ContentManagement;
+using Orchard.Core.Settings.Models;
+using Orchard.Mvc.Filters;
+using Orchard.Settings;
+
+namespace Orchard.Core.Common.Mvc.Filters {
+ public class AntiForgeryAuthorizationFilter : FilterProvider, IAuthorizationFilter {
+ private readonly ISiteService _siteService;
+
+ public AntiForgeryAuthorizationFilter(ISiteService siteService) {
+ _siteService = siteService;
+ }
+
+ public void OnAuthorization(AuthorizationContext filterContext) {
+ if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
+ return;
+
+ var siteSalt = _siteService.GetSiteSettings().ContentItem.As().Record.SiteSalt;
+ ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = siteSalt };
+
+ validator.OnAuthorization(filterContext);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Common/Mvc/Html/AntiForgeryTokenExtensions.cs b/src/Orchard.Web/Core/Common/Mvc/Html/AntiForgeryTokenExtensions.cs
new file mode 100644
index 000000000..6dff6a9c0
--- /dev/null
+++ b/src/Orchard.Web/Core/Common/Mvc/Html/AntiForgeryTokenExtensions.cs
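Review bot: The guard `if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated)) return;` exempts every unauthenticated POST from token validation, so the tokens this commit renders into the LogOn and Register forms (per the diffstat) are emitted but, as far as this filter goes, never checked; login forms stay unprotected unless those actions validate the token themselves, which is not visible here. If the exemption is deliberate (for example, for external posts that carry no token), it deserves a comment such as `// Only authenticated POSTs are validated here; pre-login forms render a token but are not enforced by this filter` so the gap is documented rather than discovered later. The condition also reaches the request through two different paths (`filterContext.HttpContext` and `filterContext.RequestContext.HttpContext`); picking one reads better. A new public filter class should carry a `<summary>` stating that it enforces the site-salted token emitted by `AntiForgeryTokenOrchard`, since the two must agree on the salt.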
@@ -0,0 +1,15 @@
+using System.Web.Mvc;
+using Orchard.ContentManagement;
+using Orchard.Core.Settings.Models;
+using Orchard.Mvc.Html;
+using Orchard.Settings;
+
+namespace Orchard.Core.Common.Mvc.Html {
+ public static class AntiForgeryTokenExtensions {
+ public static MvcHtmlString AntiForgeryTokenOrchard(this HtmlHelper htmlHelper)
+ {
+ var siteSalt = htmlHelper.Resolve().GetSiteSettings().ContentItem.As().Record.SiteSalt;
+ return htmlHelper.AntiForgeryToken(siteSalt);
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Common/Mvc/Html/BeginFormExtensions.cs b/src/Orchard.Web/Core/Common/Mvc/Html/BeginFormExtensions.cs
new file mode 100644
index 000000000..490af896a
--- /dev/null
+++ b/src/Orchard.Web/Core/Common/Mvc/Html/BeginFormExtensions.cs
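Review bot: `AntiForgeryTokenOrchard` is the producer half of a contract whose consumer is `AntiForgeryAuthorizationFilter`, and nothing in the code says so; a `<summary>` along the lines of "Emits an anti-forgery token salted with the site's SiteSalt; must stay in sync with AntiForgeryAuthorizationFilter, which validates with the same salt" would make the pairing explicit. The method also resolves a service through `htmlHelper.Resolve()` and loads the site settings on every render, which is fine for a few forms per page but worth a short comment if that lookup is not cached. As a style point, the method's opening brace sits on its own line while the namespace and class braces in the same file are K&R; matching them keeps the file consistent.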
@@ -0,0 +1,35 @@
+using System.Collections.Generic;
+using System.Web.Mvc;
+using System.Web.Mvc.Html;
+using System.Web.Routing;
+
+namespace Orchard.Core.Common.Mvc.Html {
+ public static class BeginFormExtensions {
+ public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper)
+ {
+ return htmlHelper.BeginFormAntiForgeryPost(htmlHelper.ViewContext.HttpContext.Request.RawUrl, FormMethod.Post, new RouteValueDictionary());
+ }
+ //TODO: (erikpo) Uncomment when needed (not currently needed)
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, FormMethod.Post, new RouteValueDictionary());
+ //}
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary());
+ //}
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, object htmlAttributes) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary(htmlAttributes));
+ //}
+ public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, IDictionary htmlAttributes)
+ {
+ TagBuilder tagBuilder = new TagBuilder("form");
+
+ tagBuilder.MergeAttributes(htmlAttributes);
+ tagBuilder.MergeAttribute("action", formAction);
+ tagBuilder.MergeAttribute("method", HtmlHelper.GetFormMethodString(formMethod), true);
+
+ htmlHelper.ViewContext.HttpContext.Response.Output.Write(tagBuilder.ToString(TagRenderMode.StartTag));
+
+ return new MvcFormAntiForgeryPost(htmlHelper);
+ }
+ }
+}
\ No newline at end of file
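Review bot: The form opened by the four-argument `BeginFormAntiForgeryPost` relies on `MvcFormAntiForgeryPost` to write the token when the form is closed, yet that class reaches this commit with only its namespace line changed (see the following rename hunk), so it is worth confirming that it emits the token through `AntiForgeryTokenOrchard` rather than the salt-less `AntiForgeryToken()`; with a salt mismatch every form built by this helper would fail validation once the filter is active. The three commented-out overloads under `//TODO: (erikpo)` should be either deleted or enabled — `Install.aspx` in this same commit needs exactly the `htmlAttributes` variant and instead falls back to `Html.BeginForm` plus a hand-placed token. The parameterless overload posts back to `Request.RawUrl`; `TagBuilder` attribute-encodes the value, so reflecting the request URL into `action` looks safe, but a one-line comment saying so, e.g. `// RawUrl is attribute-encoded by TagBuilder; the form posts back to the current URL`, would spare the next reader the check. Brace style is also mixed in the file (methods Allman, namespace and class K&R).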
diff --git a/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs b/src/Orchard.Web/Core/Common/Mvc/Html/MvcFormAntiForgeryPost.cs
similarity index 89%
rename from src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
rename to src/Orchard.Web/Core/Common/Mvc/Html/MvcFormAntiForgeryPost.cs
index bcc26fa91..b1b90b66d 100644
--- a/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
+++ b/src/Orchard.Web/Core/Common/Mvc/Html/MvcFormAntiForgeryPost.cs
@@ -1,7 +1,7 @@
 using System.Web.Mvc;
 using System.Web.Mvc.Html;
-namespace Orchard.Mvc.Html {
+namespace Orchard.Core.Common.Mvc.Html {
 public class MvcFormAntiForgeryPost : MvcForm {
 private readonly HtmlHelper _htmlHelper;
diff --git a/src/Orchard.Web/Core/Orchard.Core.csproj b/src/Orchard.Web/Core/Orchard.Core.csproj
index f11695d4e..a7b515d17 100644
--- a/src/Orchard.Web/Core/Orchard.Core.csproj
+++ b/src/Orchard.Web/Core/Orchard.Core.csproj
@@ -62,6 +62,10 @@
+
+
+
+
diff --git a/src/Orchard.Web/Core/Settings/Records/SiteSettingsRecord.cs b/src/Orchard.Web/Core/Settings/Records/SiteSettingsRecord.cs
index 97fa097f2..6a0e85af4 100644
--- a/src/Orchard.Web/Core/Settings/Records/SiteSettingsRecord.cs
+++ b/src/Orchard.Web/Core/Settings/Records/SiteSettingsRecord.cs
@@ -2,6 +2,7 @@ namespace Orchard.Core.Settings.Records {
 public class SiteSettingsRecord : ContentPartRecord {
+ public virtual string SiteSalt { get; set; }
 public virtual string SiteUrl { get; set; }
 public virtual string SiteName { get; set; }
 public virtual string SuperUser { get; set; }
diff --git a/src/Orchard.Web/Core/Settings/Services/SiteService.cs b/src/Orchard.Web/Core/Settings/Services/SiteService.cs
index c82b96cfb..23d22a8df 100644
--- a/src/Orchard.Web/Core/Settings/Services/SiteService.cs
+++ b/src/Orchard.Web/Core/Settings/Services/SiteService.cs
@@ -1,4 +1,5 @@
-using System.Linq;
+using System;
+using System.Linq;
 using Orchard.Core.Settings.Models;
 using Orchard.Core.Settings.Records;
 using Orchard.Data;
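Review bot: `public virtual string SiteSalt { get; set; }` adds what is effectively a secret to the same record that backs the site-settings editor; if that editor binds the record's properties (not visible here), the salt could be displayed or overposted, and any change to it invalidates every outstanding anti-forgery token. A comment on the property such as `// Per-site secret mixed into anti-forgery tokens; generated once at site creation and never user-editable` would state the intent, and the settings editor and its model binding should be checked to exclude it. The diff carries no schema change for the new column; presumably the mapping and schema are generated from the record, but that is inferred rather than visible.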
@@ -27,8 +28,9 @@ namespace Orchard.Core.Settings.Services {
 SiteSettingsRecord record = _siteSettingsRepository.Fetch(x => x.SiteUrl == applicationPath).FirstOrDefault();
 if (record == null) {
 ISite site = _contentManager.Create("site", item => {
- item.Record.SiteName = "My Orchard Project Application";
+ item.Record.SiteSalt = Guid.NewGuid().ToString("N");
 item.Record.SiteUrl = applicationPath;
+ item.Record.SiteName = "My Orchard Project Application";
 item.Record.PageTitleSeparator = " - ";
 });
 return site;
diff --git a/src/Orchard.Web/Core/Settings/Views/Admin/Index.aspx b/src/Orchard.Web/Core/Settings/Views/Admin/Index.aspx
index c6cbc2c6a..68c67195a 100644
--- a/src/Orchard.Web/Core/Settings/Views/Admin/Index.aspx
+++ b/src/Orchard.Web/Core/Settings/Views/Admin/Index.aspx
@@ -1,5 +1,4 @@
 <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>
-<%@ Import Namespace="Orchard.Mvc.Html" %>
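Review bot: Only the `record == null` branch assigns `item.Record.SiteSalt = Guid.NewGuid().ToString("N");`, so a site whose record already exists keeps a null `SiteSalt`; the token helper and the filter then both run with a null salt, which appears to be consistent on the MVC side but means existing installs get no per-site salt at all. A backfill on the existing-record path, e.g. `if (string.IsNullOrEmpty(record.SiteSalt)) { record.SiteSalt = Guid.NewGuid().ToString("N"); }` persisted however the repository expects, would close that gap; that path continues outside the hunk. `Guid.NewGuid()` is a reasonable source for an unguessable salt here, but a short why-comment on the line would help, and the reordering of the `SiteName` assignment adds noise to the hunk without changing behaviour.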

<%=Html.TitleForPage("Edit Settings")%>

<%using (Html.BeginFormAntiForgeryPost()) { %> <%= Html.ValidationSummary() %>
diff --git a/src/Orchard.Web/Core/Themes/Views/Admin/Index.aspx b/src/Orchard.Web/Core/Themes/Views/Admin/Index.aspx
index 80fb041b1..8fdedf6ae 100644
--- a/src/Orchard.Web/Core/Themes/Views/Admin/Index.aspx
+++ b/src/Orchard.Web/Core/Themes/Views/Admin/Index.aspx
@@ -1,7 +1,6 @@
 <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>
 <%@ Import Namespace="Orchard.Core.Themes.ViewModels"%>
-<%@ Import Namespace="Orchard.Mvc.Html"%>
-

Manage Themes

+

<%=Html.TitleForPage("Manage Themes") %>

Current Theme

<% if (Model.CurrentTheme == null) { %>

There is no current theme in the application. The built-in theme will be used.
<%=Html.ActionLink("Install a new Theme", "Install") %>

<%
diff --git a/src/Orchard.Web/Core/Themes/Views/Admin/Install.aspx b/src/Orchard.Web/Core/Themes/Views/Admin/Install.aspx
index 29fd1baa6..eb47917e4 100644
--- a/src/Orchard.Web/Core/Themes/Views/Admin/Install.aspx
+++ b/src/Orchard.Web/Core/Themes/Views/Admin/Install.aspx
@@ -1,11 +1,11 @@
 <%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>
-<%@ Import Namespace="Orchard.Mvc.Html"%>
-

Install Theme

+

<%=Html.TitleForPage("Install Theme") %>

<% using (Html.BeginForm("Install", "Admin", FormMethod.Post, new { enctype = "multipart/form-data" })) {%> <%= Html.ValidationSummary() %>

+ <%=Html.AntiForgeryTokenOrchard() %>
<% } %>
\ No newline at end of file
diff --git a/src/Orchard.Web/Core/Themes/Views/layout.ascx b/src/Orchard.Web/Core/Themes/Views/layout.ascx
index 4e919201c..866c44c59 100644
--- a/src/Orchard.Web/Core/Themes/Views/layout.ascx
+++ b/src/Orchard.Web/Core/Themes/Views/layout.ascx
@@ -1,6 +1,5 @@
 <%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl" %>
-<%@ Import Namespace="Orchard.Mvc.ViewModels"%>
-<%@ Import Namespace="Orchard.Mvc.Html" %><%
+<%@ Import Namespace="Orchard.Mvc.ViewModels"%><%
 Html.RegisterStyle("site.css");
 %>
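Review bot: `Install.aspx` keeps `Html.BeginForm("Install", "Admin", FormMethod.Post, new { enctype = "multipart/form-data" })` and inserts `<%=Html.AntiForgeryTokenOrchard() %>` by hand, so this form's protection depends on nobody removing that single line during a later edit; the `htmlAttributes` overload of `BeginFormAntiForgeryPost` that is commented out in `BeginFormExtensions.cs` would let this form use the same helper as the others. If the manual insertion stays, a comment next to it such as `<%-- token placed by hand: this multipart form cannot use BeginFormAntiForgeryPost yet --%>` records why it differs. The form's surrounding markup was partly lost in rendering, so this is read from the visible lines only.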