Applying security fix

http://docs.orchardproject.net/Documentation/Patch-20150519
2025-10-07 16:13:58 +08:00 · 2015-06-30 11:19:14 -07:00
2 changed files with 10 additions and 5 deletions
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AdminController.cs
@@ -293,6 +293,7 @@ namespace Orchard.Users.Controllers {
            return RedirectToAction("Index");
        }

+        [HttpPost]
        public ActionResult SendChallengeEmail(int id) {
            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
                return new HttpUnauthorizedResult();
@@ -313,7 +314,9 @@ namespace Orchard.Users.Controllers {
            return RedirectToAction("Index");
        }

-        public ActionResult Approve(int id) {
+        [HttpPost]
+        public ActionResult Approve(int id)
+        {
            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
                return new HttpUnauthorizedResult();

@@ -330,7 +333,9 @@ namespace Orchard.Users.Controllers {
            return RedirectToAction("Index");
        }

-        public ActionResult Moderate(int id) {
+        [HttpPost]
+        public ActionResult Moderate(int id)
+        {
            if (!Services.Authorizer.Authorize(StandardPermissions.SiteOwner, T("Not authorized to manage users")))
                return new HttpUnauthorizedResult();

--- a/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml
+++ b/src/Orchard.Web/Modules/Orchard.Users/Views/Admin/Index.cshtml
@@ -71,12 +71,12 @@
                    @Html.ActionLink(T("Edit").ToString(), "Edit", new { entry.User.Id }) |
                    @Html.ActionLink(T("Delete").ToString(), "Delete", new { entry.User.Id}, new { itemprop = "RemoveUrl UnsafeUrl" }) |
                    @if (entry.User.RegistrationStatus == UserStatus.Pending) {
-                        @Html.ActionLink(T("Approve").ToString(), "Approve", new { entry.User.Id })
+                        @Html.ActionLink(T("Approve").ToString(), "Approve", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
                    } else {
-                        @Html.ActionLink(T("Disable").ToString(), "Moderate", new { entry.User.Id })
+                        @Html.ActionLink(T("Disable").ToString(), "Moderate", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
                    }
                    @if (entry.User.EmailStatus == UserStatus.Pending) { <text>|</text>
-                        @Html.ActionLink(T("Send challenge E-mail").ToString(), "SendChallengeEmail", new { entry.User.Id })
+                        @Html.ActionLink(T("Send challenge E-mail").ToString(), "SendChallengeEmail", new { entry.User.Id }, new { itemprop = "UnsafeUrl" })
                    } 
                </td>
            </tr>