I have a grid in one of my views and created an Actions column in it. In that column are buttons for editing and deleting. When the user clicks the delete button I use jQuery to access its click event.
Here is what my ajax delete looks like:
```javascript
$(document).on('click', '.btnDeleteRole', function (e) {
    e.preventDefault();
    if (confirm("Are you sure you want to delete this record?")) {
        var $this = $(this); // store $(this) in a variable
        var roleId = $this.attr('data-role-Id');
        $.ajax({
            type: "POST",
            url: "/admin/roles/delete",
            data: { id: roleId },
            dataType: "html",
            success: function (data) {
                // rebind kendo grid
            }
        });
    }
});
```
Here is what my delete action method looks like:
```csharp
// POST: Roles/Delete/5
[Route("roles/delete")]
[HttpPost]
public async Task<IActionResult> RoleDelete(string id)
{
    IdentityRole role = await _roleManager.FindByIdAsync(id);
    if (role == null)
    {
        // FindByIdAsync returns null for an unknown id; DeleteAsync(null) would throw
        return NotFound();
    }
    await _roleManager.DeleteAsync(role);
    return RedirectToAction("RoleIndex");
}
```
Since the delete button isn't part of a form I can't have an AntiForgeryToken annotation above my action method.
Is deleting items like this safe?
No, it isn't safe. If you don't use antiforgerytoken you are exposed to CSRF attacks, as described here.
You just need to send the main form hidden token in your grid delete posts. You don't need one token per row, as you have the form's hidden token and the cookie's token which is all you need.
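The approach the answer describes, as an added example rather than code from the question or answer: the AJAX delete rebuilt so every POST carries the request token that `@Html.AntiForgeryToken()` renders into the page's main form, sent in the `RequestVerificationToken` header that ASP.NET Core's antiforgery validation reads by default. It assumes the server action is decorated with `[ValidateAntiForgeryToken]`, so a cross-site POST that lacks the token (the attacker cannot read it from another origin) is rejected with 400; the token-reading and request-building steps are separate functions so they can be checked without a browser.

```javascript
// Read the hidden token input rendered by @Html.AntiForgeryToken().
// `root` is anything with querySelector: document in the browser, a stub in tests.
function readAntiForgeryToken(root) {
  var input = root.querySelector('input[name="__RequestVerificationToken"]');
  if (!input || !input.value) {
    throw new Error('antiforgery token missing: render @Html.AntiForgeryToken() in the view');
  }
  return input.value;
}

// Build the jQuery.ajax settings for one delete. The token travels in the
// RequestVerificationToken header (ASP.NET Core's default antiforgery header
// name), paired server-side with the antiforgery cookie the browser sends.
function buildDeleteRequest(roleId, token) {
  return {
    type: 'POST',
    url: '/admin/roles/delete',
    headers: { 'RequestVerificationToken': token },
    data: { id: roleId },
    dataType: 'html'
  };
}

// Browser wiring; assumes jQuery is loaded and is skipped when it is not.
if (typeof $ !== 'undefined') {
  $(document).on('click', '.btnDeleteRole', function (e) {
    e.preventDefault();
    if (!confirm('Are you sure you want to delete this record?')) { return; }
    var roleId = $(this).attr('data-role-id');
    var settings = buildDeleteRequest(roleId, readAntiForgeryToken(document));
    settings.success = function () { /* rebind kendo grid */ };
    $.ajax(settings);
  });
}
```

The token is read per click rather than cached, so a page whose form is re-rendered (for example after a grid refresh) keeps sending the current value.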