Adds a parameter to BeginUmbracoForm to allow the disabling of the creation of an antiforgery token. (#13037)

* Addes a parameter to BeginUmbracoForm to allow the disabling of the creation of an antiforgery token. * Updated project references for Forms and Deploy in the JsonSchema project. * Revert "Updated project references for Forms and Deploy in the JsonSchema project." This reverts commit a749b45ab8ae1815c8c321fad8a5c48a2b525410. Co-authored-by: Zeegaan <nge@umbraco.dk>
2022-10-05 12:56:42 +02:00
parent a745250d39
commit efb994ecf7
1 changed files with 106 additions and 47 deletions
--- a/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs
+++ b/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs
@@ -391,6 +391,28 @@ public static class HtmlHelperRenderExtensions
        string action,
        string controllerName,
        object? additionalRouteVals,
+        IDictionary<string, object?> htmlAttributes) => html.BeginUmbracoForm(action, controllerName, additionalRouteVals, htmlAttributes, FormMethod.Post);
+
+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller
+    /// </summary>
+    public static MvcForm BeginUmbracoForm(
+        this IHtmlHelper html,
+        string action,
+        string controllerName,
+        object? additionalRouteVals,
+        IDictionary<string, object?> htmlAttributes,
+        FormMethod method) => html.BeginUmbracoForm(action, controllerName, additionalRouteVals, null, htmlAttributes, method);
+
+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller
+    /// </summary>
+    public static MvcForm BeginUmbracoForm(
+        this IHtmlHelper html,
+        string action,
+        string controllerName,
+        object? additionalRouteVals,
+        bool? antiforgery,
        IDictionary<string, object?> htmlAttributes,
        FormMethod method)
    {
@@ -418,44 +440,7 @@ public static class HtmlHelperRenderExtensions
                nameof(controllerName));
        }

-        return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, htmlAttributes, method);
-    }
-
-    /// <summary>
-    ///     Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller
-    /// </summary>
-    public static MvcForm BeginUmbracoForm(
-        this IHtmlHelper html,
-        string action,
-        string controllerName,
-        object? additionalRouteVals,
-        IDictionary<string, object?> htmlAttributes)
-    {
-        if (action == null)
-        {
-            throw new ArgumentNullException(nameof(action));
-        }
-
-        if (string.IsNullOrWhiteSpace(action))
-        {
-            throw new ArgumentException(
-                "Value can't be empty or consist only of white-space characters.",
-                nameof(action));
-        }
-
-        if (controllerName == null)
-        {
-            throw new ArgumentNullException(nameof(controllerName));
-        }
-
-        if (string.IsNullOrWhiteSpace(controllerName))
-        {
-            throw new ArgumentException(
-                "Value can't be empty or consist only of white-space characters.",
-                nameof(controllerName));
-        }
-
-        return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, htmlAttributes);
+        return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, antiforgery, htmlAttributes, method);
    }

    /// <summary>
@@ -477,6 +462,13 @@ public static class HtmlHelperRenderExtensions
    public static MvcForm BeginUmbracoForm<T>(this IHtmlHelper html, string action, FormMethod method)
        where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), method);

+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
+    /// </summary>
+    /// <typeparam name="T">The <see cref="SurfaceController" /> type</typeparam>
+    public static MvcForm BeginUmbracoForm<T>(this IHtmlHelper html, string action, FormMethod method, bool? antiforgery)
+        where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), null, antiforgery, new Dictionary<string, object?>(), method);
+
    /// <summary>
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
    /// </summary>
@@ -524,6 +516,21 @@ public static class HtmlHelperRenderExtensions
    public static MvcForm BeginUmbracoForm<T>(this IHtmlHelper html, string action, object additionalRouteVals)
        where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), additionalRouteVals);

+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
+    /// </summary>
+    public static MvcForm BeginUmbracoForm(
+        this IHtmlHelper html,
+        string action,
+        Type surfaceType,
+        object additionalRouteVals,
+        object htmlAttributes) =>
+        html.BeginUmbracoForm(
+            action,
+            surfaceType,
+            additionalRouteVals,
+            HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes));
+
    /// <summary>
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
    /// </summary>
@@ -549,12 +556,16 @@ public static class HtmlHelperRenderExtensions
        string action,
        Type surfaceType,
        object additionalRouteVals,
-        object htmlAttributes) =>
+        object htmlAttributes,
+        FormMethod method,
+        bool? antiforgery) =>
        html.BeginUmbracoForm(
            action,
            surfaceType,
            additionalRouteVals,
-            HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes));
+            antiforgery,
+            HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes),
+            method);

    /// <summary>
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
@@ -569,6 +580,20 @@ public static class HtmlHelperRenderExtensions
        where T : SurfaceController =>
        html.BeginUmbracoForm(action, typeof(T), additionalRouteVals, htmlAttributes, method);

+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
+    /// </summary>
+    /// <typeparam name="T">The <see cref="SurfaceController" /> type</typeparam>
+    public static MvcForm BeginUmbracoForm<T>(
+        this IHtmlHelper html,
+        string action,
+        object additionalRouteVals,
+        object htmlAttributes,
+        FormMethod method,
+        bool? antiforgery)
+        where T : SurfaceController =>
+        html.BeginUmbracoForm(action, typeof(T), additionalRouteVals, htmlAttributes, method, antiforgery);
+
    /// <summary>
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
    /// </summary>
@@ -588,6 +613,18 @@ public static class HtmlHelperRenderExtensions
        Type surfaceType,
        object? additionalRouteVals,
        IDictionary<string, object?> htmlAttributes,
+        FormMethod method) => html.BeginUmbracoForm(action, surfaceType, additionalRouteVals, null, htmlAttributes, method);
+
+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
+    /// </summary>
+    public static MvcForm BeginUmbracoForm(
+        this IHtmlHelper html,
+        string action,
+        Type surfaceType,
+        object? additionalRouteVals,
+        bool? antiforgery,
+        IDictionary<string, object?> htmlAttributes,
        FormMethod method)
    {
        if (action == null)
@@ -630,6 +667,7 @@ public static class HtmlHelperRenderExtensions
            metaData.ControllerName,
            area!,
            additionalRouteVals,
+            antiforgery,
            htmlAttributes,
            method);
    }
@@ -673,7 +711,7 @@ public static class HtmlHelperRenderExtensions
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
    /// </summary>
    public static MvcForm BeginUmbracoForm(this IHtmlHelper html, string action, string controllerName, string area, FormMethod method)
-        => html.BeginUmbracoForm(action, controllerName, area, null, new Dictionary<string, object?>(), method);
+        => html.BeginUmbracoForm(action, controllerName, area, additionalRouteVals: null, new Dictionary<string, object?>(), method);

    /// <summary>
    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
@@ -692,6 +730,20 @@ public static class HtmlHelperRenderExtensions
        object? additionalRouteVals,
        IDictionary<string, object?> htmlAttributes,
        FormMethod method)
+        => html.BeginUmbracoForm(action, controllerName, area, additionalRouteVals, null, htmlAttributes, method);
+
+    /// <summary>
+    ///     Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin
+    /// </summary>
+    public static MvcForm BeginUmbracoForm(
+        this IHtmlHelper html,
+        string action,
+        string? controllerName,
+        string area,
+        object? additionalRouteVals,
+        bool? antiforgery,
+        IDictionary<string, object?> htmlAttributes,
+        FormMethod method)
    {
        if (action == null)
        {
@@ -718,7 +770,7 @@ public static class HtmlHelperRenderExtensions
        IUmbracoContextAccessor umbracoContextAccessor = GetRequiredService<IUmbracoContextAccessor>(html);
        IUmbracoContext umbracoContext = umbracoContextAccessor.GetRequiredUmbracoContext();
        var formAction = umbracoContext.OriginalRequestUrl.PathAndQuery;
-        return html.RenderForm(formAction, method, htmlAttributes, controllerName, action, area, additionalRouteVals);
+        return html.RenderForm(formAction, method, htmlAttributes, controllerName, action, area, antiforgery, additionalRouteVals);
    }

    /// <summary>
@@ -753,6 +805,7 @@ public static class HtmlHelperRenderExtensions
        string surfaceController,
        string surfaceAction,
        string area,
+        bool? antiforgery = null,
        object? additionalRouteVals = null)
    {
        // ensure that the multipart/form-data is added to the HTML attributes
@@ -781,7 +834,7 @@ public static class HtmlHelperRenderExtensions
        HtmlEncoder htmlEncoder = GetRequiredService<HtmlEncoder>(htmlHelper);

        // new UmbracoForm:
-        var theForm = new UmbracoForm(htmlHelper.ViewContext, htmlEncoder, surfaceController, surfaceAction, area, additionalRouteVals);
+        var theForm = new UmbracoForm(htmlHelper.ViewContext, htmlEncoder, surfaceController, surfaceAction, area, antiforgery, additionalRouteVals);

        if (traditionalJavascriptEnabled)
        {
@@ -798,6 +851,7 @@ public static class HtmlHelperRenderExtensions
    {
        private readonly string _surfaceControllerInput;
        private readonly ViewContext _viewContext;
+        private readonly bool? _antiforgery;

        /// <summary>
        ///     Initializes a new instance of the <see cref="UmbracoForm" /> class.
@@ -808,10 +862,12 @@ public static class HtmlHelperRenderExtensions
            string controllerName,
            string controllerAction,
            string area,
+            bool? antiforgery = null,
            object? additionalRouteVals = null)
            : base(viewContext, htmlEncoder)
        {
            _viewContext = viewContext;
+            _antiforgery = antiforgery;
            _surfaceControllerInput = GetSurfaceControllerHiddenInput(
                GetRequiredService<IDataProtectionProvider>(viewContext),
                controllerName,
@@ -822,10 +878,13 @@ public static class HtmlHelperRenderExtensions

        protected override void GenerateEndForm()
        {
-            // Always output an anti-forgery token
-            IAntiforgery antiforgery = _viewContext.HttpContext.RequestServices.GetRequiredService<IAntiforgery>();
-            IHtmlContent antiforgeryHtml = antiforgery.GetHtml(_viewContext.HttpContext);
-            _viewContext.Writer.Write(antiforgeryHtml.ToHtmlString());
+            // Always output an anti-forgery token unless explicitly requested to omit.
+            if (!_antiforgery.HasValue || _antiforgery.Value)
+            {
+                IAntiforgery antiforgery = _viewContext.HttpContext.RequestServices.GetRequiredService<IAntiforgery>();
+                IHtmlContent antiforgeryHtml = antiforgery.GetHtml(_viewContext.HttpContext);
+                _viewContext.Writer.Write(antiforgeryHtml.ToHtmlString());
+            }

            // write out the hidden surface form routes
            _viewContext.Writer.Write(_surfaceControllerInput);