Merge pull request #3847 from umbraco/temp7-267-membership-tokens

Implementing a validation token when a membership form is submitted.

src/Umbraco.Web/Controllers/UmbLoginController.cs

@@ -11,6 +11,7 @@ namespace Umbraco.Web.Controllers
     public class UmbLoginController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleLogin([Bind(Prefix = "loginModel")]LoginModel model)
         {
             if (ModelState.IsValid == false)

src/Umbraco.Web/Controllers/UmbLoginStatusController.cs

@@ -12,6 +12,7 @@ namespace Umbraco.Web.Controllers
     public class UmbLoginStatusController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleLogout([Bind(Prefix = "logoutModel")]PostRedirectModel model)
         {
             if (ModelState.IsValid == false)

src/Umbraco.Web/Controllers/UmbProfileController.cs

@@ -15,6 +15,7 @@ namespace Umbraco.Web.Controllers
     public class UmbProfileController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleUpdateProfile([Bind(Prefix = "profileModel")] ProfileModel model)
         {
             var provider = global::Umbraco.Core.Security.MembershipProviderExtensions.GetMembersMembershipProvider();

src/Umbraco.Web/Controllers/UmbRegisterController.cs

@@ -10,6 +10,7 @@ namespace Umbraco.Web.Controllers
     public class UmbRegisterController : SurfaceController
     {
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public ActionResult HandleRegisterMember([Bind(Prefix = "registerModel")]RegisterModel model)
         {
             if (ModelState.IsValid == false)

src/Umbraco.Web/HtmlHelperRenderExtensions.cs

@@ -4,6 +4,7 @@ using System.ComponentModel;
 using System.Linq;
 using System.Text;
 using System.Web;
+using System.Web.Helpers;
 using System.Web.Mvc;
 using System.Web.Mvc.Html;
 using System.Web.Routing;
@@ -289,6 +290,7 @@ namespace Umbraco.Web
 			{
 		        _viewContext = viewContext;
 		        _method = method;
+			    _controllerName = controllerName;
                 _encryptedString = UmbracoHelper.CreateEncryptedRouteString(controllerName, controllerAction, area, additionalRouteVals);
 			}
 
@@ -296,13 +298,24 @@ namespace Umbraco.Web
 		    private readonly FormMethod _method;
 			private bool _disposed;
 			private readonly string _encryptedString;
+		    private readonly string _controllerName;
 
-			protected override void Dispose(bool disposing)
+            protected override void Dispose(bool disposing)
 			{
 				if (this._disposed)
 					return;
 				this._disposed = true;
 
+                //Detect if the call is targeting UmbRegisterController/UmbProfileController/UmbLoginStatusController/UmbLoginController and if it is we automatically output a AntiForgeryToken()
+                // We have a controllerName and area so we can match
+                if (_controllerName == "UmbRegister"
+                    || _controllerName == "UmbProfile"
+                    || _controllerName == "UmbLoginStatus"
+                    || _controllerName == "UmbLogin")
+			    {
+			        _viewContext.Writer.Write(AntiForgery.GetHtml().ToString());
+			    }
+
                 //write out the hidden surface form routes
                 _viewContext.Writer.Write("<input name='ufprt' type='hidden' value='" + _encryptedString + "' />");
 
@@ -813,8 +826,8 @@ namespace Umbraco.Web
 			}
 			htmlHelper.ViewContext.Writer.Write(tagBuilder.ToString(TagRenderMode.StartTag));
 
-			//new UmbracoForm:
-			var theForm = new UmbracoForm(htmlHelper.ViewContext, surfaceController, surfaceAction, area, method, additionalRouteVals);
+            //new UmbracoForm:
+            var theForm = new UmbracoForm(htmlHelper.ViewContext, surfaceController, surfaceAction, area, method, additionalRouteVals);
 
 			if (traditionalJavascriptEnabled)
 			{