security: use more antiforgery tokens

Gary Sharp
2025-07-25 12:32:44 +10:00
parent fd43d85778
commit 7deead494b
222 changed files with 12919 additions and 11728 deletions
@@ -6,7 +6,6 @@
var canRemoveOwnComments = Authorization.Has(Claims.User.Actions.RemoveOwnComments);
}
<div id="Comments" class="@(canAddComments ? "canAddComments" : "cannotAddComments") @(canRemoveAnyComments ? "canRemoveAnyComments" : "cannotRemoveAnyComments") @(canRemoveOwnComments ? "canRemoveOwnComments" : "cannotRemoveOwnComments")" data-id="@Model.User.UserId" data-userid="@CurrentUser.UserId" data-addurl="@Url.Action(MVC.API.User.CommentAdd(Model.User.UserId))" data-removeurl="@Url.Action(MVC.API.User.CommentRemove())" data-geturl="@Url.Action(MVC.API.User.Comment())">
@Html.AntiForgeryToken()
@if (canAddComments)
{
<div class="commentInput">
@@ -48,7 +47,7 @@
}
async function onCommentAddedAsync(id) {
const formData = new FormData();
formData.append('__RequestVerificationToken', $comments.find('input[name="__RequestVerificationToken"]').val());
formData.append('__RequestVerificationToken', document.body.dataset.antiforgery);
formData.append('id', id);
const response = await fetch($comments.attr('data-geturl'), {
@@ -136,7 +135,7 @@
$commentInput.prop('disabled', true);
const formData = new FormData();
formData.append('__RequestVerificationToken', $comments.find('input[name="__RequestVerificationToken"]').val());
formData.append('__RequestVerificationToken', document.body.dataset.antiforgery);
formData.append('comment', comment);
const response = await fetch($comments.attr('data-addurl'), {
@@ -194,7 +193,7 @@
}
async function removeCommentAsync(commentId) {
const formData = new FormData();
formData.append('__RequestVerificationToken', $comments.find('input[name="__RequestVerificationToken"]').val());
formData.append('__RequestVerificationToken', document.body.dataset.antiforgery);
formData.append('id', commentId);
const response = await fetch($comments.attr('data-removeurl'), {
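Review bot: The three request builders in this view (`onCommentAddedAsync`, the comment-add handler and `removeCommentAsync`) now read the token from `document.body.dataset.antiforgery`, but nothing visible here sets that attribute, and the per-view `@Html.AntiForgeryToken()` appears to be the line dropped in the first hunk. If a layout hosting this partial omits `data-antiforgery`, `FormData.append` sends the literal string "undefined" and the server-side validation failure gives no hint of the real cause. Consider reading the token in one shared helper that fails loudly, for example `const token = document.body.dataset.antiforgery; if (!token) throw new Error('antiforgery token missing');`, and calling it from all three places. It is also worth confirming that every layout rendering this view emits the attribute and that the three API actions still validate the token, since neither is visible in these hunks. The enclosing functions start and end outside the hunks shown.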