Menu
I am building an Orchard CMS module that I am testing on an Orchard 1.3.10 site. The module displays a details view for one of my entities and I have a "favorites" button that I would like to click and do an ajax post to a controller action to save the entity as a favorite in the database.
On the view I have the following code:
<div style="padding: 10px;">
<span data-id="@Model.Id" id="addFavorite" style="cursor: pointer;">
[Add Favorite]
</span>
</div>
<script type="text/javascript">
$("#addFavorite").click(function () {
alert("here we go...");
$.ajax({
type: "post",
dataType: "",
url: "/orchardlocal/mymodule/stuff/AddFavorite",
data: { id: $(this).data("id") },
success: function (response) {
alert("it worked");
}
});
});
</script>
My controller action is...
[HttpPost]
public ActionResult AddFavorite(int id)
{
return View();
}
When I run the site without being logged into Orchard, this code posts back just fine. If I log in and click on Add Favorite, I get this exception...
A required anti-forgery token was not supplied or was invalid.
System.Web.Mvc.HttpAntiForgeryException was unhandled by user code Message=A required anti-forgery token was not supplied or was invalid. Source=System.Web.WebPages ErrorCode=-2147467259 WebEventCode=0 StackTrace: at System.Web.Helpers.AntiForgeryWorker.Validate(HttpContextBase context, String salt) at System.Web.Helpers.AntiForgery.Validate(HttpContextBase httpContext, String salt) at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext > filterContext) at Orchard.Mvc.AntiForgery.AntiForgeryAuthorizationFilter.OnAuthorization(AuthorizationContext filterContext) in C:\Code\OrchardDev2\src\Orchard\Mvc\AntiForgery\AntiForgeryAuthorizationFilter.cs:line 37 at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) InnerException:
Why does it treat the post differently when logged in and not?
How can I supply an anti-forger token to avoid this?
Thanks, Brian
847
ASP.NET MVC doesn't support the generation of raw anti-forgery tokens by default. Fortunately Orchard provides an extension method for that.
You can simply change your ajax call as is:
$.ajax({
type: "post",
dataType: "",
url: "/orchardlocal/mymodule/stuff/AddFavorite",
data: {
id: $(this).data("id") },
__RequestVerificationToken: '@Html.AntiForgeryTokenValueOrchard()'
},
success: function (response) {
alert("it worked");
}
});
This technique is useful as you don't need an existing FORM on your page. Though this solution is only valid if the javascript is rendered from a Razor view.
There is still a solution if you have a separate script file from your view, which is to save the anti-forgery token inside a javascript variable declared from the view, then use it from the script:
@using(Script.Head()) {
<script type="text/javascript">
//<![CDATA[
var antiForgeryToken = '@Html.AntiForgeryTokenValueOrchard()';
//]]>
</script>
}
Then from the script:
data: {
id: $(this).data("id") },
__RequestVerificationToken: antiForgeryToken
}
If not, then the solution proposed by Darin would be he correct approach.
73
How can I supply an anti-forger token to avoid this?
This will depend on where the hidden field containing the anti forgery token is located on the page. For example:
$("#addFavorite").click(function () {
var token = $(':input[name="__RequestVerificationToken"]').val();
$.ajax({
type: "post",
dataType: "",
url: "/orchardlocal/mymodule/stuff/AddFavorite",
data: {
__RequestVerificationToken: token,
id: $(this).data("id")
},
success: function (response) {
alert("it worked");
}
});
});
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
