|
3 | 3 | using Microsoft.AspNetCore.Mvc.Rendering; |
4 | 4 | using Microsoft.Extensions.Logging; |
5 | 5 | using Microsoft.Extensions.Options; |
| 6 | +using Microsoft.Extensions.Primitives; |
6 | 7 | using Sitecore.AspNetCore.SDK.LayoutService.Client.Interfaces; |
7 | 8 | using Sitecore.AspNetCore.SDK.LayoutService.Client.Request; |
8 | 9 | using Sitecore.AspNetCore.SDK.LayoutService.Client.Response; |
@@ -47,9 +48,8 @@ public async Task Invoke(HttpContext httpContext, IViewComponentHelper viewCompo |
47 | 48 | ArgumentNullException.ThrowIfNull(viewComponentHelper); |
48 | 49 | ArgumentNullException.ThrowIfNull(htmlHelper); |
49 | 50 |
|
50 | | - if (IsEditingRequest(httpContext)) |
| 51 | + if (IsValidEditingRequest(httpContext)) |
51 | 52 | { |
52 | | - // this protects from multiple time executions when Global and Attribute based configurations are used at the same time. |
53 | 53 | if (httpContext.Items.ContainsKey(nameof(PagesRenderMiddleware))) |
54 | 54 | { |
55 | 55 | throw new ApplicationException(Resources.Exception_PagesRenderMiddlewareAlreadyRegistered); |
@@ -82,11 +82,35 @@ public async Task Invoke(HttpContext httpContext, IViewComponentHelper viewCompo |
82 | 82 | await next(httpContext).ConfigureAwait(false); |
83 | 83 | } |
84 | 84 |
|
85 | | - private static bool IsEditingRequest(HttpContext context) |
| 85 | + private bool IsValidEditingRequest(HttpContext context) |
86 | 86 | { |
87 | | - if (context.Request.Query.TryGetValue("mode", out var mode)) |
| 87 | + if (context.Request.Path == options.RenderEndpoint) |
88 | 88 | { |
89 | | - return mode == "edit"; |
| 89 | + return false; |
| 90 | + } |
| 91 | + |
| 92 | + if (!context.Request.Query.TryGetValue("mode", out var mode) || mode != "edit") |
| 93 | + { |
| 94 | + return false; |
| 95 | + } |
| 96 | + |
| 97 | + if (!IsValidEditingSecret(context.Request)) |
| 98 | + { |
| 99 | + return false; |
| 100 | + } |
| 101 | + |
| 102 | + return true; |
| 103 | + } |
| 104 | + |
| 105 | + private bool IsValidEditingSecret(HttpRequest httpRequest) |
| 106 | + { |
| 107 | + if (httpRequest.Query.TryGetValue("secret", out StringValues editingSecretValues)) |
| 108 | + { |
| 109 | + string editingSecret = editingSecretValues.FirstOrDefault() ?? string.Empty; |
| 110 | + if (editingSecret == options.EditingSecret) |
| 111 | + { |
| 112 | + return true; |
| 113 | + } |
90 | 114 | } |
91 | 115 |
|
92 | 116 | return false; |
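Review bot: `editingSecret == options.EditingSecret` on the new line 110 compares the editing secret with ordinary string equality, which returns as soon as the first differing character is found and so leaks how much of the secret a caller has guessed; secret comparison should go through `CryptographicOperations.FixedTimeEquals` over the UTF-8 bytes (namespaces `System.Security.Cryptography` and `System.Text`). The method also has no guard for the configured value: if `options.EditingSecret` is null the comparison simply fails, but if it is an empty string a request carrying `?secret=` (or `secret` with no value) would match, so the check should refuse outright when `string.IsNullOrEmpty(options.EditingSecret)` — whether an empty default is possible depends on the options class, which is not in this diff. The closing brace of `IsValidEditingSecret` lies past the end of the hunk, and the earlier hunk drops the comment that explained why the `httpContext.Items.ContainsKey(nameof(PagesRenderMiddleware))` check exists; keeping a one-line why-comment there such as `// Guards against running twice when global and attribute-based registration are both configured.` preserves that intent.
```csharp
private bool IsValidEditingSecret(HttpRequest httpRequest)
{
    // Refuse editing entirely when no secret is configured; an empty configured
    // secret must never be satisfiable by an empty query value.
    if (string.IsNullOrEmpty(options.EditingSecret))
    {
        return false;
    }

    if (!httpRequest.Query.TryGetValue("secret", out StringValues editingSecretValues))
    {
        return false;
    }

    string editingSecret = editingSecretValues.FirstOrDefault() ?? string.Empty;

    // Constant-time comparison so the response time does not depend on how many
    // leading characters of the submitted secret are correct.
    byte[] provided = Encoding.UTF8.GetBytes(editingSecret);
    byte[] expected = Encoding.UTF8.GetBytes(options.EditingSecret);
    return CryptographicOperations.FixedTimeEquals(provided, expected);
```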
|