security: use more antiforgery tokens

2025-07-25 12:32:44 +10:00
parent fd43d85778
commit 7deead494b
222 changed files with 12919 additions and 11728 deletions
@@ -8,9 +8,8 @@ namespace Disco.Web.Areas.API.Controllers
 {
    public partial class EnrolmentController : AuthorizedDatabaseController
    {
-        [HttpPost]
-        [ValidateAntiForgeryToken]
        [DiscoAuthorize(Claims.Device.Actions.EnrolDevices)]
+        [HttpPost, ValidateAntiForgeryToken]
        public virtual ActionResult ResolveSessionPending(string sessionId, bool approve, int? deviceProfileId, int? deviceBatchId, string reason)
        {
            if (approve && deviceProfileId == null)
@@ -18,11 +17,11 @@ namespace Disco.Web.Areas.API.Controllers

            WindowsDeviceEnrolment.ResolvePendingEnrolment(sessionId, approve, CurrentUser.UserId, deviceProfileId, deviceBatchId, reason);

-            return new HttpStatusCodeResult(200);
+            return Ok();
        }

-        [HttpPost]
        [DiscoAuthorize(Claims.Config.Enrolment.Configure)]
+        [HttpPost, ValidateAntiForgeryToken]
        public virtual ActionResult PendingTimeoutMinutes(int PendingTimeoutMinutes)
        {
            try
@@ -31,7 +30,7 @@ namespace Disco.Web.Areas.API.Controllers
                {
                    Database.DiscoConfiguration.Bootstrapper.PendingTimeout = TimeSpan.FromMinutes(PendingTimeoutMinutes);
                    Database.SaveChanges();
-                    return Json("OK", JsonRequestBehavior.AllowGet);
+                    return Ok();
                }
                else
                {
@@ -40,7 +39,53 @@ namespace Disco.Web.Areas.API.Controllers
            }
            catch (Exception ex)
            {
-                return Json($"Error: {ex.Message}");
+                return BadRequest(ex.Message);
+            }
+        }
+
+        [DiscoAuthorize(Claims.Config.Enrolment.Configure)]
+        [HttpPost, ValidateAntiForgeryToken]
+        public virtual ActionResult MacSshUsername(string MacSshUsername)
+        {
+            try
+            {
+                if (!string.IsNullOrWhiteSpace(MacSshUsername))
+                {
+                    Database.DiscoConfiguration.Bootstrapper.MacSshUsername = MacSshUsername;
+                    Database.SaveChanges();
+                    return Ok();
+                }
+                else
+                {
+                    throw new Exception("The Username cannot be null or empty");
+                }
+            }
+            catch (Exception ex)
+            {
+                return BadRequest(ex.Message);
+            }
+        }
+
+        [DiscoAuthorize(Claims.Config.Enrolment.Configure)]
+        [HttpPost, ValidateAntiForgeryToken]
+        public virtual ActionResult MacSshPassword(string MacSshPassword)
+        {
+            try
+            {
+                if (!string.IsNullOrWhiteSpace(MacSshPassword))
+                {
+                    Database.DiscoConfiguration.Bootstrapper.MacSshPassword = MacSshPassword;
+                    Database.SaveChanges();
+                    return Ok();
+                }
+                else
+                {
+                    throw new Exception("The Password cannot be null or empty");
+                }
+            }
+            catch (Exception ex)
+            {
+                return BadRequest(ex.Message);
            }
        }
    }