Require anti-forgery token on manage owners page (#4455)
Scott Bommarito committed Jul 21, 2017
1 parent ed45532 commit 94d86ae
Showing 2 changed files with 17 additions and 13 deletions.
2 changes: 2 additions & 0 deletions src/NuGetGallery/Controllers/JsonApiController.cs
Expand Up @@ -89,6 +89,7 @@ public virtual ActionResult GetAddPackageOwnerConfirmation(string id, string use
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<JsonResult> AddPackageOwner(string id, string username, string message)
{
ManagePackageOwnerModel model;
Expand Down Expand Up @@ -118,6 +119,7 @@ public async Task<JsonResult> AddPackageOwner(string id, string username, string
}

[HttpPost]
[ValidateAntiForgeryToken]
public async Task<JsonResult> RemovePackageOwner(string id, string username)
{
ManagePackageOwnerModel model;
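Review bot: `AddPackageOwner` and `RemovePackageOwner` now carry `[ValidateAntiForgeryToken]`, but nothing at either declaration records why, or that the attribute validates the `__RequestVerificationToken` form field (plus its cookie) rather than a request header — which appears to be why the accompanying view change drops the JSON `contentType` and posts form-encoded data. A short XML remark above each action, e.g. `/// <remarks>CSRF guard: callers must POST form-encoded data carrying __RequestVerificationToken; a JSON body will be rejected.</remarks>`, would stop the next person from re-adding a JSON content type in the view and silently breaking both calls. Both method bodies continue past their hunks, so I cannot tell whether any other caller (tests, other views) posts to these actions without the token.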
28 changes: 15 additions & 13 deletions src/NuGetGallery/Views/Packages/ManagePackageOwners.cshtml
Expand Up @@ -3,6 +3,9 @@
ViewBag.Tab = "Packages";
}

<form id="AntiForgeryForm">
@Html.AntiForgeryToken()
</form>

<h1 class="page-heading">Manage Owners for Package "@Model.Title.Abbreviate(50)"</h1>

Expand All @@ -27,7 +30,6 @@
</p>
@using (Html.BeginForm())
{
@Html.AntiForgeryToken()
<fieldset class="form">
<legend>Add Owner</legend>
<div id="input-form">
Expand Down Expand Up @@ -64,6 +66,12 @@
alert('An unexpected error occurred! "' + errorThrown + '"');
};
var addAntiForgeryToken = function (data) {
var $field = $("#AntiForgeryForm input[name=__RequestVerificationToken]");
data["__RequestVerificationToken"] = $field.val();
return data;
}
var viewModel = {
package: { id: '@Model.Id' },
owners: ko.observableArray([]),
Expand All @@ -78,10 +86,6 @@
return true;
},
headers: function () {
return { '__RequestVerificationToken': $('input[name=""__RequestVerificationToken""]').val() };
},
resetAddOwnerConfirmation: function () {
viewModel.confirmation('');
viewModel.policyMessage('');
Expand Down Expand Up @@ -109,8 +113,7 @@
cache: false,
dataType: 'json',
type: 'GET',
headers: viewModel.headers(),
contentType: 'application/json; charset=utf-8',
dataType: 'json',
success: function (data) {
if (data.success) {
viewModel.confirmation(data.confirmation);
Expand Down Expand Up @@ -141,9 +144,8 @@
cache: false,
dataType: 'json',
type: 'POST',
headers: viewModel.headers(),
data: window.JSON.stringify(ownerInputModel),
contentType: 'application/json; charset=utf-8',
dataType: 'json',
data: addAntiForgeryToken(ownerInputModel),
success: function (data) {
if (data.success) {
var newOwner = new Owner(data.name, /* pending */ true, data.current);
Expand Down Expand Up @@ -179,8 +181,8 @@
cache: false,
dataType: 'json',
type: 'POST',
headers: viewModel.headers(),
contentType: 'application/json; charset=utf-8',
dataType: 'json',
data: addAntiForgeryToken({}),
success: function (data) {
if (data.success) {
if (item.current) {
Expand Down Expand Up @@ -226,7 +228,7 @@
cache: false,
dataType: 'json',
type: 'GET',
contentType: 'application/json; charset=utf-8',
dataType: 'json',
success: function (data) {
viewModel.owners($.map(data, function (item) { return new Owner(item.name, item.pending, item.current); }));
}
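Review bot: The `addAntiForgeryToken` helper added in the third hunk writes the token straight into the object it receives, so `ownerInputModel` (built outside the hunk) carries `__RequestVerificationToken` after the call on the add-owner POST; if that object is reused, logged or bound back into the view model anywhere else, the token travels with it. Copying instead of mutating keeps the helper side-effect free: `data = $.extend({}, data); data["__RequestVerificationToken"] = $field.val(); return data;`. The same helper also omits the trailing `;` that the neighbouring `var ... = function (...) { ... };` assignment uses, and the unquoted attribute selector would be more robust as `input[name='__RequestVerificationToken']`. Since the `headers` function is removed from the view model, any `viewModel.headers()` caller remaining outside the shown hunks would now throw at runtime; worth a search before merging.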
