CRSF protection on deletes

src/Admin/Controllers/OrganizationsController.cs

@@ -80,6 +80,8 @@ namespace Bit.Admin.Controllers
             return RedirectToAction("Edit", new { id });
         }
 
+        [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task<IActionResult> Delete(Guid id)
         {
             var organization = await _organizationRepository.GetByIdAsync(id);

src/Admin/Controllers/UsersController.cs

@@ -77,6 +77,8 @@ namespace Bit.Admin.Controllers
             return RedirectToAction("Edit", new { id });
         }
 
+        [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task<IActionResult> Delete(Guid id)
         {
             var user = await _userRepository.GetByIdAsync(id);

src/Admin/Views/Organizations/Edit.cshtml

@@ -93,7 +93,7 @@
     <dt class="col-sm-2">Modified</dt>
     <dd class="col-sm-10">@Model.Organization.RevisionDate.ToString()</dd>
 </dl>
-<form method="post">
+<form method="post" id="edit-form">
     <h2>General</h2>
     <div class="row">
         <div class="col-sm">
@@ -526,16 +526,16 @@
             </div>
         </div>
     </div>
-    <div class="d-flex mt-4">
-        <button type="submit" class="btn btn-primary">Save</button>
-        <div class="ml-auto d-flex">
-            <button class="btn btn-secondary mr-2" type="button" id="enterprise-trial">
-                Enterprise Trial
-            </button>
-            <a class="btn btn-danger" asp-action="Delete" asp-route-id="@Model.Organization.Id"
-               onclick="return confirm('Are you sure you want to delete this organization (@Model.Organization.Name)?')">
-                Delete
-            </a>
-        </div>
-    </div>
 </form>
+<div class="d-flex mt-4">
+    <button type="submit" class="btn btn-primary" form="edit-form">Save</button>
+    <div class="ml-auto d-flex">
+        <button class="btn btn-secondary mr-2" type="button" id="enterprise-trial">
+            Enterprise Trial
+        </button>
+        <form asp-action="Delete" asp-route-id="@Model.Organization.Id"
+              onsubmit="return confirm('Are you sure you want to delete this organization (@Model.Organization.Name)?')">
+            <button class="btn btn-danger" type="submit">Delete</button>
+        </form>
+    </div>
+</div>

src/Admin/Views/Users/Edit.cshtml

@@ -73,7 +73,7 @@
     <dt class="col-sm-2">Account Modified</dt>
     <dd class="col-sm-10">@Model.User.AccountRevisionDate.ToString()</dd>
 </dl>
-<form method="post">
+<form method="post" id="edit-form">
     <h2>General</h2>
     <div class="row">
         <div class="col-sm">
@@ -161,16 +161,16 @@
             </div>
         </div>
     </div>
-    <div class="d-flex mt-4">
-        <button type="submit" class="btn btn-primary">Save</button>
-        <div class="ml-auto d-flex">
-            <button class="btn btn-secondary mr-2" type="button" id="upgrade-premium">
-                Upgrade Premium
-            </button>
-            <a class="btn btn-danger ml-auto" asp-action="Delete" asp-route-id="@Model.User.Id"
-               onclick="return confirm('Are you sure you want to delete this user (@Model.User.Email)?')">
-                Delete
-            </a>
-        </div>
-    </div>
 </form>
+<div class="d-flex mt-4">
+    <button type="submit" class="btn btn-primary" form="edit-form">Save</button>
+    <div class="ml-auto d-flex">
+        <button class="btn btn-secondary mr-2" type="button" id="upgrade-premium">
+            Upgrade Premium
+        </button>
+        <form asp-action="Delete" asp-route-id="@Model.User.Id"
+              onsubmit="return confirm('Are you sure you want to delete this user (@Model.User.Email)?')">
+            <button class="btn btn-danger" type="submit">Delete</button>
+        </form>
+    </div>
+</div>