security: use more antiforgery tokens
@@ -7,15 +7,17 @@
|
||||
{
|
||||
<div class="form" style="width: 450px; padding: 100px 0;">
|
||||
<h2>No authorization roles are configured</h2>
|
||||
</div>
|
||||
</div>
|
||||
}
|
||||
else
|
||||
{
|
||||
<table class="tableData">
|
||||
<tr>
|
||||
<th>Name
|
||||
<th>
|
||||
Name
|
||||
</th>
|
||||
<th>Linked Groups/Users
|
||||
<th>
|
||||
Linked Groups/Users
|
||||
</th>
|
||||
</tr>
|
||||
@foreach (var item in Model.Tokens)
|
||||
@@ -39,58 +41,75 @@ else
|
||||
</table>
|
||||
}
|
||||
<!-- #region Administrator Subjects -->
|
||||
<div id="Config_AuthRoles_Subjects_Update_Dialog" class="dialog" title="Disco ICT Administrators">
|
||||
<div id="Config_AuthRoles_Subjects_Update_Dialog_ListContainer">
|
||||
<span id="Config_AuthRoles_Subjects_Update_Dialog_None" class="smallMessage">None Associated</span>
|
||||
<ul id="Config_AuthRoles_Subjects_Update_Dialog_List" class="none">
|
||||
@foreach (var sg in Model.AdministratorSubjects)
|
||||
{
|
||||
var displayName = sg.Id == sg.Name ? sg.Id : string.Format("{0} [{1}]", sg.Name, sg.Id);
|
||||
<li class="@(sg.IsGroup ? "group" : "user")" data-subjectid="@sg.Id">@if (sg.IsGroup)
|
||||
{
|
||||
<i class="fa fa-users fa-lg"></i>@displayName
|
||||
}
|
||||
else
|
||||
{
|
||||
<i class="fa fa-user fa-lg"></i>@displayName
|
||||
}<i class="fa fa-times-circle remove"></i></li>
|
||||
}
|
||||
</ul>
|
||||
</div>
|
||||
<div id="Config_AuthRoles_Subjects_Update_Dialog" class="dialog" title="Disco ICT Administrators" data-searchsubjectsurl="@(Url.Action(MVC.API.System.SearchSubjects()))" data-subjecturl="@Url.Action(MVC.API.System.Subject())">
|
||||
@using (Html.BeginForm(MVC.API.AuthorizationRole.UpdateAdministratorSubjects(null, true)))
|
||||
{
|
||||
@Html.AntiForgeryToken()
|
||||
<div id="Config_AuthRoles_Subjects_Update_Dialog_ListContainer">
|
||||
<span id="Config_AuthRoles_Subjects_Update_Dialog_None" class="smallMessage">None Associated</span>
|
||||
<ul id="Config_AuthRoles_Subjects_Update_Dialog_List" class="none">
|
||||
@foreach (var sg in Model.AdministratorSubjects)
|
||||
{
|
||||
var displayName = sg.Id == sg.Name ? sg.Id : string.Format("{0} [{1}]", sg.Name, sg.Id);
|
||||
<li class="@(sg.IsGroup ? "group" : "user")" data-subjectid="@sg.Id">
|
||||
<input type="hidden" name="subjects" value="@sg.Id" />
|
||||
@if (sg.IsGroup)
|
||||
{
|
||||
<i class="fa fa-users fa-lg"></i>@displayName
|
||||
}
|
||||
else
|
||||
{
|
||||
<i class="fa fa-user fa-lg"></i>@displayName
|
||||
}<i class="fa fa-times-circle remove"></i>
|
||||
</li>
|
||||
}
|
||||
</ul>
|
||||
</div>
|
||||
}
|
||||
<div id="Config_AuthRoles_Subjects_Update_Dialog_AddContainer">
|
||||
<input type="text" id="Config_AuthRoles_Subjects_Update_Dialog_TextAdd" />
|
||||
<a id="Config_AuthRoles_Subjects_Update_Dialog_Add" href="#" class="button small">Add</a>
|
||||
<button id="Config_AuthRoles_Subjects_Update_Dialog_Add" type="button" class="button small">Add</button>
|
||||
</div>
|
||||
<form id="Config_AuthRoles_Subjects_Update_Dialog_Form" action="@(Url.Action(MVC.API.AuthorizationRole.UpdateAdministratorSubjects(null, true)))" method="post"></form>
|
||||
</div>
|
||||
<script>
|
||||
(function () {
|
||||
var dialog, textAdd, list, noSubjects, form;
|
||||
let dialog = null;
|
||||
let originalList = null;
|
||||
let list = null;
|
||||
let textAdd = null;
|
||||
let noSubjects = null;
|
||||
|
||||
function showDialog() {
|
||||
if (!dialog) {
|
||||
list = $('#Config_AuthRoles_Subjects_Update_Dialog_List');
|
||||
originalList = list.html();
|
||||
noSubjects = $('#Config_AuthRoles_Subjects_Update_Dialog_None');
|
||||
textAdd = $('#Config_AuthRoles_Subjects_Update_Dialog_TextAdd');
|
||||
|
||||
dialog = $('#Config_AuthRoles_Subjects_Update_Dialog').dialog({
|
||||
resizable: false,
|
||||
modal: true,
|
||||
autoOpen: false,
|
||||
width: 350,
|
||||
height: 420,
|
||||
buttons: {
|
||||
"Save Changes": saveChanges,
|
||||
Cancel: cancel
|
||||
Cancel: function () {
|
||||
$(this).dialog("close");
|
||||
}
|
||||
},
|
||||
close: function () {
|
||||
list.html(originalList);
|
||||
}
|
||||
});
|
||||
|
||||
dialog.on('click', '.remove', remove);
|
||||
|
||||
list = $('#Config_AuthRoles_Subjects_Update_Dialog_List');
|
||||
noSubjects = $('#Config_AuthRoles_Subjects_Update_Dialog_None');
|
||||
|
||||
textAdd = $('#Config_AuthRoles_Subjects_Update_Dialog_TextAdd');
|
||||
dialog.on('click', '.remove', function () {
|
||||
$(this).closest('li').remove();
|
||||
updateNoSubjects();
|
||||
});
|
||||
|
||||
textAdd.watermark('Search Subjects')
|
||||
.autocomplete({
|
||||
source: '@(Url.Action(MVC.API.System.SearchSubjects()))',
|
||||
source: dialog.attr('data-searchsubjectsurl'),
|
||||
minLength: 2,
|
||||
focus: function (e, ui) {
|
||||
textAdd.val(ui.item.Id);
|
||||
@@ -98,6 +117,7 @@ else
|
||||
},
|
||||
select: function (e, ui) {
|
||||
textAdd.val(ui.item.Id).blur();
|
||||
$('#Config_AuthRoles_Subjects_Update_Dialog_Add').trigger('click');
|
||||
return false;
|
||||
}
|
||||
}).data('ui-autocomplete')._renderItem = function (ul, item) {
|
||||
@@ -107,7 +127,7 @@ else
|
||||
.appendTo(ul);
|
||||
};
|
||||
|
||||
$('#Config_AuthRoles_Subjects_Update_Dialog_Add').click(add);
|
||||
$('#Config_AuthRoles_Subjects_Update_Dialog_Add').on('click', add);
|
||||
}
|
||||
|
||||
dialog.dialog('open');
|
||||
@@ -116,79 +136,61 @@ else
|
||||
return false;
|
||||
}
|
||||
|
||||
function cancel() {
|
||||
$(this).dialog("close");
|
||||
async function add() {
|
||||
const id = textAdd.val();
|
||||
|
||||
list.find('li').each(function () {
|
||||
$this = $(this);
|
||||
if ($this.is('[data-subjectstatus="new"]')) {
|
||||
$this.remove();
|
||||
} else {
|
||||
if ($this.is('[data-subjectstatus="removed"]')) {
|
||||
$this.show();
|
||||
try {
|
||||
const body = new FormData();
|
||||
body.append('__RequestVerificationToken', document.body.dataset.antiforgery);
|
||||
body.append('id', id);
|
||||
const response = await fetch(dialog.attr('data-subjecturl'), {
|
||||
method: 'POST',
|
||||
body: body
|
||||
});
|
||||
|
||||
if (response.ok) {
|
||||
const data = await response.json();
|
||||
|
||||
if (!data)
|
||||
throw 'Unknown user id';
|
||||
|
||||
if (!data.IsGroup && !data.IsUserAccount)
|
||||
throw data.Name + ' [' + data.Id + '] is a ' + data.Type + '. Only users and groups can be added.';
|
||||
|
||||
if (list.find('li[data-subjectid="' + data.Id.replace('\\', '\\\\') + '"]').length != 0) {
|
||||
throw 'That subject has already been added';
|
||||
}
|
||||
|
||||
const liIcon = $('<i>').addClass('fa fa-lg');
|
||||
if (data.Type === 'user')
|
||||
liIcon.addClass('fa-user');
|
||||
else
|
||||
liIcon.addClass('fa-users');
|
||||
|
||||
const li = $('<li>')
|
||||
.append($('<input>').attr({ type: 'hidden', name: 'subjects', value: data.Id }))
|
||||
.append(liIcon)
|
||||
.append($('<span>').text(data.Id == data.Name ? data.Id : data.Name + ' [' + data.Id + ']'))
|
||||
.append($('<i>').addClass('fa fa-times-circle remove'))
|
||||
.addClass(data.Type)
|
||||
.attr('data-subjectid', data.Id)
|
||||
.attr('data-subjectstatus', 'new');
|
||||
|
||||
list.append(li);
|
||||
textAdd.val('');
|
||||
|
||||
updateNoSubjects();
|
||||
} else {
|
||||
alert('Error: ' + response.statusText);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
function remove() {
|
||||
$this = $(this).closest('li');
|
||||
|
||||
if ($this.is('[data-subjectstatus="new"]')) {
|
||||
$this.remove();
|
||||
} else {
|
||||
$this.attr('data-subjectstatus', 'removed').hide();
|
||||
} catch (e) {
|
||||
alert('Error: ' + e);
|
||||
}
|
||||
|
||||
updateNoSubjects();
|
||||
return false;
|
||||
}
|
||||
|
||||
function add() {
|
||||
var id = textAdd.val();
|
||||
|
||||
$.ajax({
|
||||
url: '@Url.Action(MVC.API.System.Subject())',
|
||||
method: 'post',
|
||||
data: { Id: id }
|
||||
}).done(function (response) {
|
||||
if (response) {
|
||||
if (response.IsGroup || response.IsUserAccount) {
|
||||
if (list.find('li[data-subjectid="' + response.Id.replace('\\', '\\\\') + '"]').length == 0) {
|
||||
|
||||
var liIcon = $('<i>').addClass('fa fa-lg');
|
||||
if (response.Type === 'user')
|
||||
liIcon.addClass('fa-user');
|
||||
else
|
||||
liIcon.addClass('fa-users');
|
||||
|
||||
var li = $('<li>')
|
||||
.append(liIcon)
|
||||
.append($('<span>').text(response.Id == response.Name ? response.Id : response.Name + ' [' + response.Id + ']'))
|
||||
.append($('<i>').addClass('fa fa-times-circle remove'))
|
||||
.addClass(response.Type)
|
||||
.attr('data-subjectid', response.Id)
|
||||
.attr('data-subjectstatus', 'new');
|
||||
|
||||
list.append(li);
|
||||
|
||||
updateNoSubjects();
|
||||
} else {
|
||||
alert('That subject has already been added');
|
||||
}
|
||||
}
|
||||
else {
|
||||
alert(response.Name + ' ['+response.Id+'] is a ' + response.Type + '. Only users and groups can be added.');
|
||||
}
|
||||
} else {
|
||||
alert('Unknown Id');
|
||||
}
|
||||
}).fail(function (jqXHR, textStatus, errorThrown) {
|
||||
alert('Error: ' + errorThrown);
|
||||
});
|
||||
return false;
|
||||
}
|
||||
|
||||
function updateNoSubjects() {
|
||||
if (list.find('li:visible').length > 0)
|
||||
noSubjects.hide();
|
||||
@@ -197,22 +199,9 @@ else
|
||||
}
|
||||
|
||||
function saveChanges() {
|
||||
var form = $('#Config_AuthRoles_Subjects_Update_Dialog_Form').empty();
|
||||
|
||||
list.find('li[data-subjectstatus!="removed"]').each(function () {
|
||||
var subjectId = $(this).attr('data-subjectid');
|
||||
|
||||
form.append($('<input>').attr({
|
||||
'name': 'Subjects',
|
||||
'type': 'hidden'
|
||||
}).val(subjectId));
|
||||
|
||||
}).get();
|
||||
|
||||
form.submit();
|
||||
|
||||
dialog.dialog("disable");
|
||||
dialog.dialog("option", "buttons", null);
|
||||
dialog
|
||||
.dialog("option", "buttons", null)
|
||||
.find('form').trigger('submit');
|
||||
}
|
||||
|
||||
$(function () {
|
||||
|
||||
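Review bot: In the new async `add()`, the duplicate check `list.find('li[data-subjectid="' + data.Id.replace('\\', '\\\\') + '"]')` is still built by string concatenation, and a string-pattern `replace` only escapes the first backslash, so an Id containing a second backslash or a double quote either breaks the selector (jQuery throws, which the surrounding `catch` reports as a generic error) or lets a duplicate `<input name="subjects">` through. Comparing the attribute directly avoids any selector escaping: `const exists = list.find('li').filter(function () { return $(this).attr('data-subjectid') === data.Id; }).length !== 0;` followed by `if (exists) throw 'That subject has already been added';`. On the CSRF side, the `fetch` reads the token from `document.body.dataset.antiforgery`, which nothing in this view sets; presumably the layout populates it, but if it is absent `FormData.append` sends the literal string "undefined" and the failure only surfaces as `alert('Error: ' + response.statusText)`, so a short guard or comment there would help (`// token is rendered on <body> by the layout — verify`). The `showDialog` function containing the dialog setup starts in an earlier hunk of this section.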