Merge pull request #514 from santhoshb-msft/sb-aft-fixes1

added aft validation

src/AdminSite/Controllers/ApplicationConfigController.cs

@@ -85,6 +85,7 @@ public IActionResult EmailTemplateDetails(string status)
     /// return the modified EmailTemplate.
     /// </returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult EmailTemplateDetails(EmailTemplate emailTemplate)
     {
         this.emailTemplateRepository.SaveEmailTemplateByStatus(emailTemplate);
@@ -116,6 +117,7 @@ public IActionResult ApplicationConfigDetails(int Id)
     /// return the changed app config item.
     /// </returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult ApplicationConfigDetails(ApplicationConfiguration appConfig)
     {
         this.appConfigService.SaveAppConfig(appConfig);
@@ -132,6 +134,7 @@ public IActionResult ApplicationConfigDetails(ApplicationConfiguration appConfig
     /// <returns>RedirectToAction.</returns>
     [HttpPost("FileUpload")]
     [ServiceFilter(typeof(ExceptionHandlerAttribute))]
+    [ValidateAntiForgeryToken]
     public IActionResult PostUpload(List<IFormFile> files)
     {
         if (!(files?.Any() == true))

src/AdminSite/Controllers/HomeController.cs

@@ -571,6 +571,7 @@ public IActionResult SubscriptionQuantityDetail(Guid subscriptionId)
     /// <param name="subscriptionData">The subscription data.</param>
     /// <returns> The <see cref="IActionResult" />.</returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult ManageSubscriptionUsage(SubscriptionUsageViewModel subscriptionData)
     {
         this.logger.LogInformation("Home Controller / ManageSubscriptionUsage  subscriptionData: {0}", JsonSerializer.Serialize(subscriptionData));
@@ -685,6 +686,7 @@ public IActionResult Error()
     /// <param name="subscriptionDetail">The subscription detail.</param>
     /// <returns> IActionResult.</returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> ChangeSubscriptionPlan(SubscriptionResult subscriptionDetail)
     {
         this.logger.LogInformation("Home Controller / ChangeSubscriptionPlan  subscriptionDetail:{0}", JsonSerializer.Serialize(subscriptionDetail));
@@ -757,6 +759,7 @@ public async Task<IActionResult> ChangeSubscriptionPlan(SubscriptionResult subsc
     /// <param name="subscriptionDetail">The subscription detail.</param>
     /// <returns>Changes subscription quantity.</returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> ChangeSubscriptionQuantity(SubscriptionResult subscriptionDetail)
     {
         this.logger.LogInformation("Home Controller / ChangeSubscriptionPlan  subscriptionDetail:{0}", JsonSerializer.Serialize(subscriptionDetail));
@@ -832,6 +835,7 @@ public async Task<IActionResult> ChangeSubscriptionQuantity(SubscriptionResult s
     }
 
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult FetchAllSubscriptions()
     {
         var currentUserId = this.userService.GetUserIdFromEmailAddress(this.CurrentUserEmailAddress);

src/AdminSite/Controllers/OffersController.cs

@@ -146,6 +146,7 @@ public IActionResult OfferDetails(Guid offerGuid)
     /// return All subscription.
     /// </returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult OfferDetails(OfferModel offersData)
     {
         this.logger.LogInformation("Offers Controller / OfferDetails:  offerGuid {0}", JsonSerializer.Serialize(offersData));

src/AdminSite/Controllers/PlansController.cs

@@ -120,6 +120,7 @@ public IActionResult PlanDetails(Guid planGuId)
     /// return All subscription.
     /// </returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult PlanDetails(PlansModel plans)
     {
         this.logger.LogInformation("Plans Controller / PlanDetails:  plans {0}", JsonSerializer.Serialize(plans));

src/AdminSite/Views/Home/Subscriptions.cshtml

@@ -217,9 +217,16 @@
                 }
             });
     }
+
+    var t = $("input[name='__RequestVerificationToken']").val();
+
     function fetchAllSubscriptions() {
         $.ajax({
             type: "Post",
+            headers:
+            {
+                "RequestVerificationToken": t
+            },
             url: "FetchAllSubscriptions",
             contentType: "application/json; charset=utf-8",
             datatype: "json",

src/CustomerSite/Controllers/HomeController.cs

@@ -522,6 +522,7 @@ public IActionResult SubscriptionDetails(Guid subscriptionId, string planId, str
     /// Subscriptions operation.
     /// </returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public IActionResult SubscriptionOperation(SubscriptionResultExtension subscriptionResultExtension, Guid subscriptionId, string planId, string operation)
     {
         this.logger.LogInformation("Home Controller / SubscriptionOperation subscriptionId:{0} :: planId : {1} :: operation:{2}", JsonSerializer.Serialize(subscriptionId), JsonSerializer.Serialize(planId), JsonSerializer.Serialize(operation));
@@ -632,6 +633,7 @@ public IActionResult SubscriptionOperation(SubscriptionResultExtension subscript
     /// <param name="subscriptionDetail">The subscription detail.</param>
     /// <returns>Changes subscription plan.</returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> ChangeSubscriptionPlan(SubscriptionResult subscriptionDetail)
     {
         this.logger.LogInformation("Home Controller / ChangeSubscriptionPlan  subscriptionDetail:{0}", JsonSerializer.Serialize(subscriptionDetail));
@@ -709,6 +711,7 @@ public async Task<IActionResult> ChangeSubscriptionPlan(SubscriptionResult subsc
     /// <param name="subscriptionDetail">The subscription detail.</param>
     /// <returns>Changes subscription quantity.</returns>
     [HttpPost]
+    [ValidateAntiForgeryToken]
     public async Task<IActionResult> ChangeSubscriptionQuantity(SubscriptionResult subscriptionDetail)
     {
         this.logger.LogInformation("Home Controller / ChangeSubscriptionPlan  subscriptionDetail:{0}", JsonSerializer.Serialize(subscriptionDetail));