Adding missing Anti-Xsrf token validations in some Post actions

1. Also adding this validation on a AJAX only used action.
This commit is contained in:
Praburaj 2014-08-08 12:46:36 -07:00
parent 907a3c6cf3
commit ca515e3e87
4 changed files with 57 additions and 26 deletions

View File

@ -2,6 +2,8 @@
using MusicStore.Models; using MusicStore.Models;
using MusicStore.ViewModels; using MusicStore.ViewModels;
using System.Linq; using System.Linq;
using System.Threading.Tasks;
using Microsoft.Framework.DependencyInjection;
namespace MusicStore.Controllers namespace MusicStore.Controllers
{ {
@ -19,7 +21,7 @@ namespace MusicStore.Controllers
public IActionResult Index() public IActionResult Index()
{ {
var cart = ShoppingCart.GetCart(db, this.Context); var cart = ShoppingCart.GetCart(db, Context);
// Set up our ViewModel // Set up our ViewModel
var viewModel = new ShoppingCartViewModel var viewModel = new ShoppingCartViewModel
@ -42,7 +44,7 @@ namespace MusicStore.Controllers
.Single(album => album.AlbumId == id); .Single(album => album.AlbumId == id);
// Add it to the shopping cart // Add it to the shopping cart
var cart = ShoppingCart.GetCart(db, this.Context); var cart = ShoppingCart.GetCart(db, Context);
cart.AddToCart(addedAlbum); cart.AddToCart(addedAlbum);
@ -54,12 +56,30 @@ namespace MusicStore.Controllers
// //
// AJAX: /ShoppingCart/RemoveFromCart/5 // AJAX: /ShoppingCart/RemoveFromCart/5
[HttpPost] [HttpPost]
public IActionResult RemoveFromCart(int id) public async Task<IActionResult> RemoveFromCart(int id)
{ {
var formParameters = await Context.Request.GetFormAsync();
var requestVerification = formParameters["RequestVerificationToken"];
string cookieToken = null;
string formToken = null;
if (!string.IsNullOrWhiteSpace(requestVerification))
{
var tokens = requestVerification.Split(':');
if (tokens != null && tokens.Length == 2)
{
cookieToken = tokens[0];
formToken = tokens[1];
}
}
var antiForgery = Context.RequestServices.GetService<AntiForgery>();
antiForgery.Validate(Context, new AntiForgeryTokenSet(formToken, cookieToken));
// Retrieve the current user's shopping cart // Retrieve the current user's shopping cart
var cart = ShoppingCart.GetCart(db, this.Context); var cart = ShoppingCart.GetCart(db, Context);
// Get the name of the album to display confirmation // Get the name of the album to display confirmation
// TODO [EF] Turn into one query once query of related data is enabled // TODO [EF] Turn into one query once query of related data is enabled

View File

@ -61,6 +61,7 @@ namespace MusicStore.Controllers
// POST: /StoreManager/Create // POST: /StoreManager/Create
[HttpPost] [HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Create(Album album) public IActionResult Create(Album album)
{ {
if (ModelState.IsValid) if (ModelState.IsValid)
@ -94,6 +95,7 @@ namespace MusicStore.Controllers
// //
// POST: /StoreManager/Edit/5 // POST: /StoreManager/Edit/5
[HttpPost] [HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Edit(Album album) public IActionResult Edit(Album album)
{ {
if (ModelState.IsValid) if (ModelState.IsValid)

View File

@ -1,8 +1,7 @@
using Microsoft.AspNet.Http; using System;
using Microsoft.Data.Entity;
using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Microsoft.AspNet.Http;
namespace MusicStore.Models namespace MusicStore.Models
{ {

View File

@ -1,8 +1,18 @@
@model MusicStore.ViewModels.ShoppingCartViewModel @model MusicStore.ViewModels.ShoppingCartViewModel
@inject AntiForgery Xsrf
@{ @{
ViewBag.Title = "Shopping Cart"; ViewBag.Title = "Shopping Cart";
} }
@functions
{
public string GetAntiXsrfToken()
{
var tokens = Xsrf.GetTokens(Context, null);
return tokens.CookieToken + ":" + tokens.FormToken;
}
}
@section Scripts { @section Scripts {
<script type="text/javascript"> <script type="text/javascript">
$(function () { $(function () {
@ -14,7 +24,7 @@
if (recordToDelete != '') { if (recordToDelete != '') {
// Perform the ajax post // Perform the ajax post
$.post(PostToUrl, { "id": recordToDelete }, $.post(PostToUrl, { "id": recordToDelete, "RequestVerificationToken": '@GetAntiXsrfToken()' },
function (data) { function (data) {
// Successful requests get here // Successful requests get here
// Update the page elements // Update the page elements
@ -58,24 +68,24 @@
</tr> </tr>
@foreach (var item in Model.CartItems) @foreach (var item in Model.CartItems)
{ {
<tr id="row-@item.CartItemId"> <tr id="row-@item.CartItemId">
<td> <td>
@Html.ActionLink(item.Album.Title, @Html.ActionLink(item.Album.Title,
"Details", "Store", new { id = item.AlbumId }, null) "Details", "Store", new { id = item.AlbumId }, null)
</td> </td>
<td> <td>
@item.Album.Price @item.Album.Price
</td> </td>
<td id="item-count-@item.CartItemId"> <td id="item-count-@item.CartItemId">
@item.Count @item.Count
</td> </td>
<td> <td>
<a href="#" class="RemoveLink" data-id="@item.CartItemId" <a href="#" class="RemoveLink" data-id="@item.CartItemId"
data-url='@Url.Content("~/ShoppingCart/RemoveFromCart")'> data-url='@Url.Content("~/ShoppingCart/RemoveFromCart")'>
Remove from cart Remove from cart
</a> </a>
</td> </td>
</tr> </tr>
} }
<tr> <tr>
<td> <td>