re-adds back in the serialization overloads for the custom exception, re-adds detailed error messages, adds more documentation. Adds unit tests.

2019-07-17 21:15:18 +10:00
parent d52420183e
commit bfb69a34ef
6 changed files with 78 additions and 11 deletions
--- a/src/Umbraco.Tests/Umbraco.Tests.csproj
+++ b/src/Umbraco.Tests/Umbraco.Tests.csproj
@@ -398,6 +398,7 @@
    <Compile Include="Models\ContentExtensionsTests.cs" />
    <Compile Include="Models\UserExtensionsTests.cs" />
    <Compile Include="Web\Mvc\MergeParentContextViewDataAttributeTests.cs" />
+    <Compile Include="Web\Mvc\ValidateUmbracoFormRouteStringAttributeTests.cs" />
    <Compile Include="Web\Mvc\ViewDataDictionaryExtensionTests.cs" />
    <Compile Include="Persistence\PetaPocoExtensionsTest.cs" />
    <Compile Include="Persistence\Querying\ContentTypeSqlMappingTests.cs" />
--- a/src/Umbraco.Tests/Web/Mvc/HtmlHelperExtensionMethodsTests.cs
+++ b/src/Umbraco.Tests/Web/Mvc/HtmlHelperExtensionMethodsTests.cs
@@ -4,7 +4,8 @@ using Umbraco.Web;

 namespace Umbraco.Tests.Web.Mvc
 {
-	[TestFixture]
+
+    [TestFixture]
 	public class HtmlHelperExtensionMethodsTests
 	{
 		[SetUp]
--- a/src/Umbraco.Tests/Web/Mvc/ValidateUmbracoFormRouteStringAttributeTests.cs
+++ b/src/Umbraco.Tests/Web/Mvc/ValidateUmbracoFormRouteStringAttributeTests.cs
@@ -0,0 +1,37 @@
+using NUnit.Framework;
+using Umbraco.Web;
+using Umbraco.Web.Mvc;
+
+namespace Umbraco.Tests.Web.Mvc
+{
+    [TestFixture]
+    public class ValidateUmbracoFormRouteStringAttributeTests
+    {
+        [Test]
+        public void Validate_Route_String()
+        {
+            var attribute = new ValidateUmbracoFormRouteStringAttribute();
+
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(null, null, null, null));
+
+            const string ControllerName = "Test";
+            const string ControllerAction = "Index";
+            const string Area = "MyArea";
+            var validUfprt = UmbracoHelper.CreateEncryptedRouteString(ControllerName, ControllerAction, Area);
+
+            var invalidUfprt = validUfprt + "z";
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(invalidUfprt, null, null, null));
+
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, ControllerName, ControllerAction, "doesntMatch"));
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, ControllerName, ControllerAction, null));
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, ControllerName, "doesntMatch", Area));
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, ControllerName, null, Area));
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, "doesntMatch", ControllerAction, Area));
+            Assert.Throws<HttpUmbracoFormRouteStringException>(() => attribute.ValidateRouteString(validUfprt, null, ControllerAction, Area));
+
+            Assert.DoesNotThrow(() => attribute.ValidateRouteString(validUfprt, ControllerName, ControllerAction, Area));
+            Assert.DoesNotThrow(() => attribute.ValidateRouteString(validUfprt, ControllerName.ToLowerInvariant(), ControllerAction.ToLowerInvariant(), Area.ToLowerInvariant()));
+        }
+
+    }
+}
--- a/src/Umbraco.Web/Mvc/HttpUmbracoFormRouteStringException.cs
+++ b/src/Umbraco.Web/Mvc/HttpUmbracoFormRouteStringException.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Net;
+using System.Runtime.Serialization;
 using System.Web;

 namespace Umbraco.Web.Mvc
@@ -11,6 +12,14 @@ namespace Umbraco.Web.Mvc
    [Serializable]
    public sealed class HttpUmbracoFormRouteStringException : HttpException
    {
+        /// Initializes a new instance of the <see cref="HttpUmbracoFormRouteStringException" /> class.
+        /// </summary>
+        /// <param name="info">The <see cref="T:System.Runtime.Serialization.SerializationInfo" /> that holds the serialized object data about the exception being thrown.</param>
+        /// <param name="context">The <see cref="T:System.Runtime.Serialization.StreamingContext" /> that holds the contextual information about the source or destination.</param>
+        private HttpUmbracoFormRouteStringException(SerializationInfo info, StreamingContext context)
+            : base(info, context)
+        { }
+
        /// <summary>
        /// Initializes a new instance of the <see cref="HttpUmbracoFormRouteStringException" /> class.
        /// </summary>
@@ -19,5 +28,14 @@ namespace Umbraco.Web.Mvc
            : base(message)
        { }

+        /// <summary>
+        /// Initializes a new instance of the <see cref="HttpUmbracoFormRouteStringException" /> class.
+        /// </summary>
+        /// <param name="message">The error message displayed to the client when the exception is thrown.</param>
+        /// <param name="innerException">The <see cref="P:System.Exception.InnerException" />, if any, that threw the current exception.</param>
+        public HttpUmbracoFormRouteStringException(string message, Exception innerException)
+            : base(message, innerException)
+        { }
+
    }
 }
--- a/src/Umbraco.Web/Mvc/ValidateUmbracoFormRouteStringAttribute.cs
+++ b/src/Umbraco.Web/Mvc/ValidateUmbracoFormRouteStringAttribute.cs
@@ -1,15 +1,21 @@
 using System;
 using System.Net;
+using System.Net.Http;
 using System.Web.Mvc;
 using Umbraco.Core;

 namespace Umbraco.Web.Mvc
 {
    /// <summary>
-    /// Represents an attribute that is used to prevent an invalid Umbraco form request route string on a request.
+    /// Attribute used to check that the request contains a valid Umbraco form request string.
    /// </summary>
    /// <seealso cref="System.Web.Mvc.FilterAttribute" />
    /// <seealso cref="System.Web.Mvc.IAuthorizationFilter" />
+    /// <remarks>
+    /// Applying this attribute/filter to a <see cref="SurfaceController"/> or SurfaceController Action will ensure that the Action can only be executed
+    /// when it is routed to from within Umbraco, typically when rendering a form with BegingUmbracoForm. It will mean that the natural MVC route for this Action
+    /// will fail with a <see cref="HttpUmbracoFormRouteStringException"/>.
+    /// </remarks>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateUmbracoFormRouteStringAttribute : FilterAttribute, IAuthorizationFilter
    {
@@ -26,27 +32,31 @@ namespace Umbraco.Web.Mvc
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
-            {
                throw new ArgumentNullException(nameof(filterContext));
-            }

            var ufprt = filterContext.HttpContext.Request["ufprt"];
+            ValidateRouteString(ufprt, filterContext.ActionDescriptor?.ControllerDescriptor.ControllerName, filterContext.ActionDescriptor?.ActionName, filterContext.RouteData?.DataTokens["area"]?.ToString());
+        }
+
+        public void ValidateRouteString(string ufprt, string currentController, string currentAction, string currentArea)
+        {
            if (ufprt.IsNullOrWhiteSpace())
            {
-                throw new HttpUmbracoFormRouteStringException("The required Umbraco request data is invalid.");
+                throw new HttpUmbracoFormRouteStringException("The required request field \"ufprt\" is not present.");
            }

            if (!UmbracoHelper.DecryptAndValidateEncryptedRouteString(ufprt, out var additionalDataParts))
            {
-                throw new HttpUmbracoFormRouteStringException("The required Umbraco request data is invalid.");
+                throw new HttpUmbracoFormRouteStringException("The Umbraco form request route string could not be decrypted.");
            }

-            if (!additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Controller].InvariantEquals(filterContext.ActionDescriptor.ControllerDescriptor.ControllerName) ||
-                !additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Action].InvariantEquals(filterContext.ActionDescriptor.ActionName) ||
-                (!additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Area].IsNullOrWhiteSpace() && !additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Area].InvariantEquals(filterContext.RouteData.DataTokens["area"]?.ToString())))
+            if (!additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Controller].InvariantEquals(currentController) ||
+                !additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Action].InvariantEquals(currentAction) ||
+                (!additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Area].IsNullOrWhiteSpace() && !additionalDataParts[RenderRouteHandler.ReservedAdditionalKeys.Area].InvariantEquals(currentArea)))
            {
-                throw new HttpUmbracoFormRouteStringException("The required Umbraco request data is invalid.");
+                throw new HttpUmbracoFormRouteStringException("The provided Umbraco form request route string was meant for a different controller and action.");
            }
+
        }
    }
 }
--- a/src/Umbraco.Web/UmbracoHelper.cs
+++ b/src/Umbraco.Web/UmbracoHelper.cs
@@ -1656,7 +1656,7 @@ namespace Umbraco.Web
            {
                decryptedString = ufprt.DecryptWithMachineKey();
            }
-            catch (FormatException)
+            catch (Exception ex) when (ex is FormatException || ex is ArgumentException)
            {
                LogHelper.Warn<UmbracoHelper>("A value was detected in the ufprt parameter but Umbraco could not decrypt the string");
                parts = null;