@@ -314,6 +314,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult Edit(string curPass, string newPass, string newPassConfirm, string pgpPublicKey, string recoveryEmail, bool allowTrustedDevices, bool twoFactorEnabled, string website, string quote, string about, string blogTitle, string blogDesc, bool saveKey, bool serverSideEncrypt) | |||
{ | |||
if (ModelState.IsValid) | |||
@@ -435,6 +436,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult Delete() | |||
{ | |||
if (ModelState.IsValid) | |||
@@ -473,6 +475,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult ResendVerifyRecoveryEmail() | |||
{ | |||
if (ModelState.IsValid) | |||
@@ -517,6 +520,7 @@ namespace Teknik.Areas.Users.Controllers | |||
[HttpPost] | |||
[AllowAnonymous] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult SendResetPasswordVerification(string username) | |||
{ | |||
if (ModelState.IsValid) | |||
@@ -573,6 +577,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult SetUserPassword(string password, string confirmPassword) | |||
{ | |||
if (ModelState.IsValid) | |||
@@ -626,6 +631,7 @@ namespace Teknik.Areas.Users.Controllers | |||
[HttpPost] | |||
[AllowAnonymous] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult ConfirmAuthenticatorCode(string code, string returnUrl, bool rememberMe, bool rememberDevice, string deviceName) | |||
{ | |||
User user = (User)Session["AuthenticatedUser"]; | |||
@@ -673,6 +679,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult VerifyAuthenticatorCode(string code) | |||
{ | |||
User user = UserHelper.GetUser(db, User.Identity.Name); | |||
@@ -709,6 +716,7 @@ namespace Teknik.Areas.Users.Controllers | |||
} | |||
[HttpPost] | |||
[ValidateAntiForgeryToken] | |||
public ActionResult ClearTrustedDevices() | |||
{ | |||
try |
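Review bot: The added `[ValidateAntiForgeryToken]` on these AJAX-only POST actions (Edit, Delete, ResendVerifyRecoveryEmail, SendResetPasswordVerification, SetUserPassword, ConfirmAuthenticatorCode, VerifyAuthenticatorCode, ClearTrustedDevices) throws `HttpAntiForgeryException` before the action body runs when the token is missing or stale, so the client receives an error page instead of the `{ result: ... }` JSON the callers inspect, and the commit adds nothing to surface that failure. Consider a shared exception filter that converts `HttpAntiForgeryException` into a JSON error for `Request.IsAjaxRequest()` so a rejected token is visible in the UI rather than a silent no-op. `ConfirmAuthenticatorCode` and `SendResetPasswordVerification` are also `[AllowAnonymous]`; the token is bound to the principal that rendered the page, so a short comment above them such as `// Token is issued and validated under the anonymous principal; do not sign the user in before this check runs.` would document the constraint. Every action body continues outside its hunk.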
@@ -10,12 +10,12 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: confirmAuthCodeURL, | |||
data: { | |||
data: AddAntiForgeryToken({ | |||
code: setCode, | |||
returnUrl: returnUrl, | |||
rememberMe: rememberMe, | |||
rememberDevice: rememberDevice | |||
}, | |||
}), | |||
xhrFields: { | |||
withCredentials: true | |||
}, |
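Review bot: The `data: AddAntiForgeryToken({ ... })` change makes this POST depend on a global defined in a separate script and on the hidden `#__AjaxAntiForgeryForm` existing in the rendered page; if either is absent, the token property is `undefined`, jQuery serialises it as an empty value, and the server rejects the request with an exception rather than the `{ result: false }` shape these `success` handlers test. The same applies to the hunks below for `resendVerifyURL`, `confirmAuthSetupURL`, `clearTrustedDevicesURL`, `deleteUserURL`, `editUserURL` and both `form.attr('action')` posts. Unless an `error:` callback exists outside these hunks, each call should get one, e.g. `error: function () { $("#top_msg").css('display', 'inline', 'important').html('Request failed; please reload and try again.'); }`, so a rejected token is not invisible to the user.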
@@ -8,7 +8,7 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: resendVerifyURL, | |||
data: {}, | |||
data: AddAntiForgeryToken({}), | |||
success: function (html) { | |||
if (html.result) { | |||
window.location.reload(); | |||
@@ -43,9 +43,9 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: confirmAuthSetupURL, | |||
data: { | |||
data: AddAntiForgeryToken({ | |||
code: setCode | |||
}, | |||
}), | |||
success: function (html) { | |||
if (html.result) { | |||
$("#authSetupStatus").css('display', 'inline', 'important'); | |||
@@ -70,7 +70,7 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: clearTrustedDevicesURL, | |||
data: {}, | |||
data: AddAntiForgeryToken({}), | |||
success: function (html) { | |||
if (html.result) { | |||
$('#ClearDevices').html('Clear Trusted Devices (0)'); | |||
@@ -98,7 +98,7 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: deleteUserURL, | |||
data: {}, | |||
data: AddAntiForgeryToken({}), | |||
success: function (html) { | |||
if (html.result) { | |||
window.location.replace(homeUrl); | |||
@@ -141,7 +141,7 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: editUserURL, | |||
data: { | |||
data: AddAntiForgeryToken({ | |||
curPass: current_password, | |||
newPass: password, | |||
newPassConfirm: password_confirm, | |||
@@ -156,7 +156,7 @@ | |||
blogDesc: blog_desc, | |||
saveKey: upload_saveKey, | |||
serverSideEncrypt: upload_serverSideEncrypt | |||
}, | |||
}), | |||
success: function (html) { | |||
$.unblockUI(); | |||
if (html.result) { | |||
@@ -190,9 +190,9 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: form.attr('action'), | |||
data: { | |||
data: AddAntiForgeryToken({ | |||
username: username | |||
}, | |||
}), | |||
success: function (html) { | |||
if (html.result) { | |||
$("#top_msg").css('display', 'inline', 'important'); | |||
@@ -217,10 +217,10 @@ | |||
$.ajax({ | |||
type: "POST", | |||
url: form.attr('action'), | |||
data: { | |||
data: AddAntiForgeryToken({ | |||
password: password, | |||
confirmPassword: confirmPassword | |||
}, | |||
}), | |||
success: function (html) { | |||
if (html.result) { | |||
$("#top_msg").css('display', 'inline', 'important'); |
@@ -86,6 +86,43 @@ $(function () { | |||
if (lastTab) { | |||
$('[href="' + lastTab + '"]').tab('show'); | |||
} | |||
$.appendAntiForgeryToken = function (data, token) { | |||
// Converts data if not already a string. | |||
if (data && typeof data !== "string") { | |||
data = $.param(data); | |||
} | |||
// Gets token from current window by default. | |||
token = token ? token : $.getAntiForgeryToken(); // $.getAntiForgeryToken(window). | |||
data = data ? data + "&" : ""; | |||
// If token exists, appends {token.name}={token.value} to data. | |||
return token ? data + encodeURIComponent(token.name) + "=" + encodeURIComponent(token.value) : data; | |||
}; | |||
$.getAntiForgeryToken = function (tokenWindow, appPath) { | |||
// HtmlHelper.AntiForgeryToken() must be invoked to print the token. | |||
tokenWindow = tokenWindow && typeof tokenWindow === typeof window ? tokenWindow : window; | |||
appPath = appPath && typeof appPath === "string" ? "_" + appPath.toString() : ""; | |||
// The name attribute is either __RequestVerificationToken, | |||
// or __RequestVerificationToken_{appPath}. | |||
var tokenName = "__RequestVerificationToken" + appPath; | |||
// Finds the <input type="hidden" name={tokenName} value="..." /> from the specified window. | |||
// var inputElements = tokenWindow.$("input[type='hidden'][name=' + tokenName + "']"); | |||
var inputElements = tokenWindow.document.getElementsByTagName("input"); | |||
for (var i = 0; i < inputElements.length; i++) { | |||
var inputElement = inputElements[i]; | |||
if (inputElement.type === "hidden" && inputElement.name === tokenName) { | |||
return { | |||
name: tokenName, | |||
value: inputElement.value | |||
}; | |||
} | |||
} | |||
}; | |||
}); | |||
function removeAmp(code) { | |||
@@ -132,6 +169,11 @@ function getAnchor() { | |||
return (urlParts.length > 1) ? urlParts[1] : null; | |||
} | |||
AddAntiForgeryToken = function (data) { | |||
data.__RequestVerificationToken = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val(); | |||
return data; | |||
}; | |||
/***************************** TIMER Page Load *******************************/ | |||
var loopTime; | |||
var startTime = new Date(); |
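Review bot: `AddAntiForgeryToken = function (data) { ... }` is assigned without `var` or a `function` declaration, creating an implicit global that throws a `ReferenceError` under `"use strict"`, and it neither tolerates a `null`/`undefined` `data` nor checks that the hidden input was actually found, so a page rendered without the layout's form silently sends an empty token. The `$.appendAntiForgeryToken` / `$.getAntiForgeryToken` pair added in the first hunk is not referenced by any of the `data: AddAntiForgeryToken(...)` call sites in this commit, and it leaves a commented-out selector (`// var inputElements = tokenWindow.$(...)`) and a stale trailing comment on the `token = token ? ...` line; either wire the callers to one mechanism or drop the unused pair. A declared, defensive version of the helper is below.
```javascript
// Adds the layout's anti-forgery token to an AJAX POST body so
// actions marked [ValidateAntiForgeryToken] accept the request.
function AddAntiForgeryToken(data) {
    var token = $('#__AjaxAntiForgeryForm input[name=__RequestVerificationToken]').val();
    if (!token && window.console) {
        // The POST will be rejected server-side; make that visible during development.
        console.warn('AddAntiForgeryToken: no __RequestVerificationToken on this page');
    }
    data = data || {};
    data.__RequestVerificationToken = token;
    return data;
}
// … unchanged: TIMER Page Load …
```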
@@ -63,6 +63,10 @@ | |||
</div> | |||
</noscript> | |||
<!-- Anti-Forgery Token --> | |||
<!-- used for ajax in AddAntiForgeryToken() --> | |||
<form id="__AjaxAntiForgeryForm" action="#" method="post">@Html.AntiForgeryToken()</form> | |||
@RenderBody() | |||
</div> | |||
@Html.Partial("_Footer") |
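Review bot: Emitting `@Html.AntiForgeryToken()` from the layout means every page rendered through it now issues the anti-forgery cookie and, as far as I recall of MVC 5's helper, also marks the response non-cacheable; that is appropriate for the account pages but is a site-wide side effect the commit does not mention. A comment on the form line would make the intent explicit, e.g. `<!-- Emitted on every page; AddAntiForgeryToken() in the shared script reads this input. Do not output-cache views that use this layout. -->`. If some views already render their own `@Html.AntiForgeryToken()` inside a form, both tokens share the cookie, so the duplicate is harmless but worth verifying.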