And here we go. Done. Please see changeset f798ea024d9f.
Thanks again for this contribution!
//the standard form-field token (data: addAntiForgeryToken) cannot be used here: the body is
//sent as application/json, so there is no form field for the server-side filter to read.
//Instead the token travels in the __RequestVerificationToken request header, which the
//admin-area anti-forgery filter validates against the anti-forgery cookie.
read: {
url: "@Html.Raw(Url.Action("AllSettings", "Setting"))",
type: "POST",
dataType: "json",
contentType: "application/json",
beforeSend : function (req) {
//the token is read from the hidden __RequestVerificationToken input, assumed to be rendered
//elsewhere on the page (e.g. by Html.AntiForgeryToken()) -- verify it is present, otherwise
//an undefined value is sent as the header and the request should be rejected server-side
var token = $('[name=__RequestVerificationToken]').val();
req.setRequestHeader('__RequestVerificationToken', token);
}
},
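/// <summary>
/// Enforces anti-forgery (CSRF) validation for state-changing admin-area requests.
/// </summary>
/// <remarks>
/// Validation is skipped when the attribute opted out (<c>_ignore</c>), for child actions,
/// for safe HTTP methods (GET/HEAD/OPTIONS/TRACE), while the database is not yet installed,
/// and when <c>SecuritySettings.EnableXsrfProtectionForAdminArea</c> is off -- that last
/// setting disables CSRF protection for the whole admin area, so it should stay enabled.
/// The token may be supplied in the <c>__RequestVerificationToken</c> request header (AJAX/JSON
/// callers that cannot post a form field) and is then checked against the anti-forgery cookie;
/// otherwise the standard form-field check of <see cref="ValidateAntiForgeryTokenAttribute"/> runs.
/// </remarks>
/// <param name="filterContext">The authorization context of the current request.</param>
/// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
        throw new ArgumentNullException("filterContext");

    //explicit opt-out (presumably set by the attribute's ignore flag)
    if (_ignore)
        return;

    //don't apply filter to child methods
    if (filterContext.IsChildAction)
        return;

    //only state-changing requests need a token. The previous check matched POST only,
    //which left PUT/DELETE/PATCH actions unprotected; now every method except the
    //safe ones (GET/HEAD/OPTIONS/TRACE) is validated.
    if (IsSafeHttpMethod(filterContext.HttpContext.Request.HttpMethod))
        return;

    //nothing to protect (and no settings to read) before installation completes
    if (!DataSettingsHelper.DatabaseIsInstalled())
        return;

    //global switch; when off, no admin-area CSRF validation happens at all
    var securitySettings = EngineContext.Current.Resolve<SecuritySettings>();
    if (!securitySettings.EnableXsrfProtectionForAdminArea)
        return;

    var request = filterContext.HttpContext.Request;
    var headerToken = request.Headers["__RequestVerificationToken"];
    if (headerToken != null)
    {
        //token supplied in a header (used by JSON-bodied AJAX calls that have no form field);
        //it must still match the anti-forgery cookie. A missing cookie is passed as null so the
        //framework validates (and is expected to reject) the request instead of skipping it.
        var cookie = request.Cookies[AntiForgeryConfig.CookieName];
        AntiForgery.Validate(cookie != null ? cookie.Value : null, headerToken);
        return;
    }

    //no header: fall back to the standard form-field validation
    var validator = new ValidateAntiForgeryTokenAttribute();
    validator.OnAuthorization(filterContext);
}

/// <summary>
/// Returns true for HTTP methods that must not change state (RFC 7231 "safe" methods)
/// and therefore need no anti-forgery token.
/// </summary>
/// <param name="httpMethod">The request's HTTP method; null is treated as unsafe.</param>
/// <returns>True for GET, HEAD, OPTIONS and TRACE (case-insensitive); false otherwise.</returns>
private static bool IsSafeHttpMethod(string httpMethod)
{
    return string.Equals(httpMethod, "GET", StringComparison.OrdinalIgnoreCase)
        || string.Equals(httpMethod, "HEAD", StringComparison.OrdinalIgnoreCase)
        || string.Equals(httpMethod, "OPTIONS", StringComparison.OrdinalIgnoreCase)
        || string.Equals(httpMethod, "TRACE", StringComparison.OrdinalIgnoreCase);
}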
[AdminAntiForgery(true)]
from the controller. This opt-out presumably sets the filter's `_ignore` flag, so the action skips anti-forgery validation entirely -- apply it only to actions that are genuinely safe or carry their own CSRF defence.