Order IgnoreAntiforgeryTokenAttribute and add test

2016-11-30 11:08:00 -08:00 · 2016-11-30 11:08:00 -08:00 · b2340d327e
parent 1b8d501a9e
commit b2340d327e
3 changed files with 45 additions and 2 deletions
--- a/src/Microsoft.AspNetCore.Mvc.ViewFeatures/IgnoreAntiforgeryTokenAttribute.cs
+++ b/src/Microsoft.AspNetCore.Mvc.ViewFeatures/IgnoreAntiforgeryTokenAttribute.cs
@ -13,7 +13,22 @@ namespace Microsoft.AspNetCore.Mvc
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
    public class IgnoreAntiforgeryTokenAttribute : Attribute, IAntiforgeryPolicy, IOrderedFilter
    {
-        /// <inheritdoc />
-        public int Order { get; set; }
+        /// <summary>
+        /// Gets the order value for determining the order of execution of filters. Filters execute in
+        /// ascending numeric value of the <see cref="Order"/> property.
+        /// </summary>
+        /// <remarks>
+        /// <para>
+        /// Filters are executed in an ordering determined by an ascending sort of the <see cref="Order"/> property.
+        /// </para>
+        /// <para>
+        /// The default Order for this attribute is 1000 because it must run after any filter which does authentication 
+        /// or login in order to allow them to behave as expected (ie Unauthenticated or Redirect instead of 400).
+        /// </para>
+        /// <para>
+        /// Look at <see cref="IOrderedFilter.Order"/> for more detailed info.
+        /// </para>
+        /// </remarks>
+        public int Order { get; set; } = 1000;
    }
 }
--- a/test/Microsoft.AspNetCore.Mvc.FunctionalTests/AntiforgeryAuthTests.cs
+++ b/test/Microsoft.AspNetCore.Mvc.FunctionalTests/AntiforgeryAuthTests.cs
@ -41,5 +41,15 @@ namespace Microsoft.AspNetCore.Mvc.FunctionalTests
            Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
            Assert.Equal("/Home/Login", response.Headers.Location.AbsolutePath, StringComparer.OrdinalIgnoreCase);
        }
+
+        [Fact]
+        public async Task IgnoreAntiforgeryOverridesAutoAntiforgery()
+        {
+            // Arrange & Act
+            var response = await Client.PostAsync("http://localhost/Antiforgery/Index", content: null);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
    }
 }
--- a/test/WebSites/SecurityWebSite/Controllers/AntiforgeryController.cs
+++ b/test/WebSites/SecurityWebSite/Controllers/AntiforgeryController.cs
@ -0,0 +1,18 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Mvc;
+
+namespace AjaxAntiForgeryValidation.Controllers
+{
+    [AutoValidateAntiforgeryToken]
+    public class AntiforgeryController : Controller
+    {
+        [HttpPost]
+        [IgnoreAntiforgeryToken]
+        public IActionResult Index()
+        {
+            return Content("Ok");
+        }
+    }
+}