add missing csrf token validation to admin (#1696)

2024-11-25 12:45:18 +01:00 · 2021-11-09 11:22:08 -05:00 · 2021-11-09 11:22:08 -05:00 · fcc1a4e10c
commit fcc1a4e10c
parent 9582e94232
2 changed files with 10 additions and 13 deletions
--- a/src/Admin/Controllers/ProvidersController.cs
+++ b/src/Admin/Controllers/ProvidersController.cs
@ -70,6 +70,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> Create(CreateProviderModel model)
        {
            if (!ModelState.IsValid)
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@ -60,6 +60,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> ChargeBraintree(ChargeBraintreeModel model)
        {
            if (!ModelState.IsValid)
@ -121,6 +122,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> CreateTransaction(CreateUpdateTransactionModel model)
        {
            if (!ModelState.IsValid)
@ -150,6 +152,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> EditTransaction(Guid id, CreateUpdateTransactionModel model)
        {
            if (!ModelState.IsValid)
@ -173,6 +176,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> PromoteAdmin(PromoteAdminModel model)
        {
            if (!ModelState.IsValid)
@ -208,6 +212,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> GenerateLicense(LicenseModel model)
        {
            if (!ModelState.IsValid)
@ -314,8 +319,9 @@ namespace Bit.Admin.Controllers
            };

            return View(model);
-        }
-
+        }
+
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> TaxRateUpload(IFormFile file)
        {
            if (file == null || file.Length == 0)
@ -382,6 +388,7 @@ namespace Bit.Admin.Controllers
        }

        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> TaxRateAddEdit(TaxRateAddEditModel model) 
        {
            var existingRateCheck = await _taxRateRepository.GetByLocationAsync(new TaxRate() { Country = model.Country, PostalCode = model.PostalCode });
@ -416,17 +423,6 @@ namespace Bit.Admin.Controllers
            return RedirectToAction("TaxRate");
        }

-        [HttpPost]
-        public async Task<IActionResult> TaxRateUpdate(TaxRate model) 
-        {
-            if (!string.IsNullOrWhiteSpace(model.Id))
-            {
-                await _paymentService.UpdateTaxRateAsync(model);
-            }
-
-            return RedirectToAction("TaxRate");
-        }
-
        public async Task<IActionResult> TaxRateArchive(string stripeTaxRateId) 
        {
            if (!string.IsNullOrWhiteSpace(stripeTaxRateId))