
Added antiforgery to all forms that change data, but not the search form. Fixes issue #37
1 parent 698ea26 commit 12e73081385efb154f494f3e2e29c3559726ba22 @Haacked Haacked committed Aug 24, 2011
@@ -96,7 +96,7 @@ public partial class PackagesController : Controller {
});
}
- [Authorize, HttpPost]
+ [Authorize, HttpPost, ValidateAntiForgeryToken]
public virtual ActionResult PublishPackage(string id, string version) {
// TODO: handle requesting to verify a package that is already verified; return 404?
var package = packageSvc.FindPackageByIdAndVersion(id, version);
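Review bot: The attribute list on `PublishPackage` keeps `HttpPost` alongside the new `ValidateAntiForgeryToken`, so the check is scoped to the state-changing verb and matches the token the edit view now emits. What the commit does not address is the failure path: in ASP.NET MVC the filter raises an `HttpAntiForgeryException` when the token is missing or does not match, which surfaces as a generic server error unless an exception filter or the application error handler maps it to a clearer response, so it is worth confirming one exists. The body of `PublishPackage` continues outside the hunk.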
@@ -75,7 +75,7 @@ public partial class UsersController : Controller {
return View(model);
}
- [Authorize]
+ [Authorize, ValidateAntiForgeryToken]
public virtual ActionResult GenerateApiKey() {
userService.GenerateApiKey(HttpContext.User.Identity.Name);
return RedirectToAction(MVC.Users.Account());
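Review bot: `GenerateApiKey` still has no `[HttpPost]` on the changed attribute line, unlike `PublishPackage` in the PackagesController hunk, even though it regenerates the caller's API key; the verb restriction should be explicit, `[Authorize, HttpPost, ValidateAntiForgeryToken]`. The antiforgery filter will presumably reject a GET in practice because the token travels in the posted form, but that is incidental rather than a declared contract, and a future change to how the token is read would silently reopen the GET path. The method body continues past the hunk.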
@@ -94,6 +94,7 @@
<input class="long disabled" disabled id="ProjectUrl" name="ProjectUrl" type="url" value="@Model.ProjectUrl" />
</div>
<div class="buttons">
+ @Html.AntiForgeryToken()
<input id="packageEditSubmitButton" type="submit" value="Verify" singleClickButton="true" />
</div>
</form>
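Review bot: The new `@Html.AntiForgeryToken()` line sits inside the buttons `<div>`, while the other forms touched by this commit emit it directly after the opening `<form>` tag; for consistency and so a reviewer can confirm each form's token at a glance, move the call to follow the `<form ...>` opening tag instead. Functionally the hidden field is accepted anywhere inside the form element. The form's opening tag is outside the hunk.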
@@ -26,58 +26,20 @@
</ul>
</header>
<div id="form">
- <div id="uploadFileForm" class="selected">
- <form id="uploadFileSubmissionForm" method="post" action="@Url.Current()" enctype="multipart/form-data">
- @Html.AntiForgeryToken()
- @Html.ValidationSummary(true)
- <aside>
- <p>Your package file will be uploaded and hosted on the gallery server.</p>
- </aside>
- <input type="file" id="PackageFile" name="PackageFile" />
- <div class="buttons">
- <input id="uploadFileButton" type="submit" value="Upload &raquo;" singleClickButton="true" />
- </div>
- </form>
- </div>
- </div>
- @*<div id="form">
- <div>
- <aside style="margin-top: 20px;width: 280px;">
- <p> First, make sure your module or theme is packaged correctly and ready for upload from your local computer or for retrieval from your web site. <a href="#">Learn more about creating a theme or module.</a></p>
- </aside>
- <div>
- <span class="radioButton" onclick="ShowHideUploadForm('uploadFileForm','externalPackageForm')">
- <input id="Radio1" type="radio" name="UploadType" checked="checked" />
- <label for="Radio1" class="optionLabel">Upload a package file from my local computer</label>
- </span>
- <span class="radioButton" onclick="ShowHideUploadForm('externalPackageForm','uploadFileForm')">
- <input id="Radio2" type="radio" name="UploadType" />
- <label for="Radio2" class="optionLabel">Submit a URL to a package file located on my web site</label>
- </span>
- </div>
- </div>
<div id="uploadFileForm" class="selected">
- <form action="/Orchard.Gallery/UploadPackage/Upload" enctype="multipart/form-data" id="uploadFileSubmissionForm" method="post">
+ <form id="uploadFileSubmissionForm" method="post" action="@Url.Current()" enctype="multipart/form-data">
+ @Html.AntiForgeryToken()
+ @Html.ValidationSummary(true)
<aside>
<p>Your package file will be uploaded and hosted on the gallery server.</p>
</aside>
<input type="file" id="PackageFile" name="PackageFile" />
<div class="buttons">
- <input id="uploadFileButton" type="button" value="Upload &raquo;" singleClickButton="true" />
+ <input id="uploadFileButton" type="submit" value="Upload &raquo;" singleClickButton="true" />
</div>
- <input name="__RequestVerificationToken" type="hidden" value="jACz38O1R6iFai86z3tyKle12MU5aARUC1DLW0UwoOjfvfJFxcaOAqhun59XqlsVOB4ZAKkfSBVlUcEBLvSBHNQfPZTCgzkcoB/u74gVZfH9mRCx2+NsX6UaTpjCKA0iyJwcLNmcleNlY19irlvHwQ==" />
</form>
</div>
- <div id="externalPackageForm" style="display:none" class="selected">
- <form action="/Orchard.Gallery/UploadPackage/ExternalUrl" id="externalPackageSubmissionForm" method="post">
- <aside>
- <p>Use this option if want to host the package file yourself. Your package data will still appear on the gallery like any other, but requests to download the package will be redirected to your site.</p>
- </aside>
- <input id="externalPackageUrl" name="externalPackageUrl" type="text" value="" /> <div class="buttons">
- <input id="submitExternalPackageButton" type="button" value="Submit &raquo;" singleClickButton="true" />
- </div>
- <input name="__RequestVerificationToken" type="hidden" value="jACz38O1R6iFai86z3tyKle12MU5aARUC1DLW0UwoOjfvfJFxcaOAqhun59XqlsVOB4ZAKkfSBVlUcEBLvSBHNQfPZTCgzkcoB/u74gVZfH9mRCx2+NsX6UaTpjCKA0iyJwcLNmcleNlY19irlvHwQ==" /></form> </div>
- </div>*@
+ </div>
</section>
</div>
</div>
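Review bot: The rebuilt upload form posts to `@Url.Current()` and emits `@Html.AntiForgeryToken()`, but no controller hunk on this page decorates the action that receives that upload; only `PublishPackage` and `GenerateApiKey` are shown, so either the upload action is changed elsewhere in the commit or the token is rendered without ever being validated, which gives no CSRF protection. Worth confirming that the receiving action carries `[HttpPost, ValidateAntiForgeryToken]` like `PublishPackage`. Removing the commented-out template that carried a literal `__RequestVerificationToken` value is the right call, since a fixed token in markup defeats the per-user check that the helper provides.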
@@ -51,6 +51,7 @@
<h4>Your access key is: </h4>
<p id="accessKey">@Model.ApiKey</p>
<form Id="generateKeyForm" action="@Url.Action(MVC.Users.GenerateApiKey())" method="post">
+ @Html.AntiForgeryToken()
<input id="generateKeyButton" type="submit" value="Generate New Key" singleClickButton="true" />
</form>
</div>
