This is a migrated thread and some comments may be shown as answers.

Using MVC AntiForgeryToken with Delete Command

Michael Kinloch asked on 03 Jun 2010, 11:03 AM
Hi,

Can anyone advise on how to make use of MVC AntiForgeryToken when using the Telerik Grid's delete command?

We have managed to implement this using the edit command by pinning an extra column to the grid which contains an anti forgery token for each row. This works fine because the whole row is sent back when the update button is clicked (using inline edit mode) and the anti forgery token is picked up.

The problem with the delete command is that only the Id of the current row is sent back and so the anti forgery token is lost.

We tried simply adding one anti forgery token to a form on the page but this did not work. This was due to the Telerik grid creating a form for each row in the grid (this is why we put an extra AntiForgeryColumn).

Any help with this would be appreciated.

6 Answers, 1 is accepted

Atanas Korchev
Telerik team
answered on 03 Jun 2010, 11:33 AM
Hi Michael Kinloch,

The only way to do this for the delete command is to modify the source code of the grid. Check the GridDeleteActionCommand.cs file and the BoundModeHtml<T> method.

Regards,
Atanas Korchev
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
Adam Salvo
answered on 06 Jul 2010, 05:20 PM
Any plans to implement support for this in a future release?
Adam Salvo
answered on 06 Jul 2010, 07:06 PM

Using some stuff I figured out while trying to get this working with jQueryGrid, and some other posts on here, I was able to get delete functionality working with the Telerik Grid and the Anti Forgery Token (ValidateAntiForgeryToken) while not making any code changes.

First you need to emit the token as usual in your view, <%=Html.AntiForgeryToken() %> and add the ValidateAntiForgeryToken to your Delete action in your controller method. Your action should also have the HttpPost and the GridAction attributes (mine has a custom transaction attribute for data access, and another custom attribute for security).

Next you will need to include the following JavaScript somewhere in your page. I created a SiteMaster.js file which I then register using the Telerik script manager.

(function ($) {
  // Returns { name, value } for the anti-forgery token rendered by
  // Html.AntiForgeryToken(), or null when the page contains no token.
  $.getAntiForgeryToken = function () {

    var tokenName = "__RequestVerificationToken";

    // Finds the <input type="hidden" name={tokenName} value="..." /> in the current document.
    var inputElements = document.getElementsByTagName("input");
    for (var i = 0; i < inputElements.length; i++) {
      var inputElement = inputElements[i];
      if (inputElement.type === "hidden" && inputElement.name === tokenName) {
        return {
          name: tokenName,
          value: inputElement.value
        };
      }
    }
    return null;
  };

  $.deleteFromGrid = function (gridId, deleteUrl, deleteMessage) {

    var shouldDelete = confirm(deleteMessage);

    if (shouldDelete == false)
      return false;

    // Without a token the server-side ValidateAntiForgeryToken check would
    // reject the request, so do not send it.
    var token = $.getAntiForgeryToken();
    if (!token)
      return false;

    $.post(deleteUrl,
        { __RequestVerificationToken: token.value },
        function (data) {
          // Rebind the grid so the deleted row disappears.
          $(gridId).data('tGrid').ajaxRequest();
        });

  };

})(jQuery);

To invoke the JavaScript, I bind to a property in my view model that emits the following.

<a title="Delete User" class="notext cross" onclick="$.deleteFromGrid('#Users', 'Controller/Delete/411', 'Are you sure you want to delete user hcw11?'); return false;" href="https://server/virutalDirectory/Controller#">

This creates a link with a CSS class that presents a red X. Clicking on the X invokes the JavaScript onClick event, which does a jQuery post to my Delete action with the proper request validation token, and then refreshes the grid maintaining the correct sorting and current page. I have not tested it with grouping or filtering, since I'm using Linq to NHibernate and I understand there are some issues with that scenario, but the nice ajax delete with the anti forgery was more important right now.
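
A generalization of the answer above, as an added example that is not part of the original thread or of Telerik's code: rather than posting the token from a custom delete link, a jQuery prefilter appends it to every same-origin, form-encoded POST made through `$.ajax`. It assumes jQuery 1.5 or later (for `$.ajaxPrefilter`), that the grid's Ajax commands go through jQuery, and that the page renders one token with `Html.AntiForgeryToken()`; the function names are hypothetical.

```javascript
var TOKEN_NAME = "__RequestVerificationToken";

// Returns the token value from a list of input-like objects, or null.
function findToken(inputs) {
  for (var i = 0; i < inputs.length; i++) {
    if (inputs[i].type === "hidden" && inputs[i].name === TOKEN_NAME) {
      return inputs[i].value;
    }
  }
  return null;
}

// True only for state-changing, same-origin requests. The token must never be
// attached to a cross-origin request, where it would be disclosed to a third party.
function needsToken(method, crossDomain) {
  var m = String(method || "GET").toUpperCase();
  return !crossDomain && m !== "GET" && m !== "HEAD" && m !== "OPTIONS";
}

// Appends the token to a URL-encoded body unless the field is already present.
function addTokenToBody(body, token) {
  body = body || "";
  var fields = body.split("&");
  for (var i = 0; i < fields.length; i++) {
    if (decodeURIComponent(fields[i].split("=")[0]) === TOKEN_NAME) return body;
  }
  var pair = TOKEN_NAME + "=" + encodeURIComponent(token);
  return body ? body + "&" + pair : pair;
}

// Browser wiring; skipped when jQuery is absent (for example under Node).
if (typeof jQuery !== "undefined") {
  jQuery.ajaxPrefilter(function (options) {
    if (!needsToken(options.type || options.method, options.crossDomain)) return;
    var type = String(options.contentType || "");
    if (type.indexOf("application/x-www-form-urlencoded") !== 0) return; // JSON, FormData
    if (options.data && typeof options.data !== "string") return;
    var token = findToken(document.getElementsByTagName("input"));
    if (token !== null) options.data = addTokenToBody(options.data, token);
  });
}
```

The server side is unchanged: the action still needs ValidateAntiForgeryToken, which is what actually rejects a forged request.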

Eric Caslake
answered on 17 Jun 2011, 06:36 PM
"The only way to do this for the delete command is to modify the source code of the grid. Check the GridDeleteActionCommand.cs file and the BoundModeHtml<T> method."

Any chance you can show us an example of how to do this? I looked at the file but not sure what to do with it or how to effect the change and use it in our project. We need it for both Select and Delete which are Ajax calls.

Thanks.
Atanas Korchev
Telerik team
answered on 20 Jun 2011, 08:02 AM
Hello,

This forum thread is related to the subject.

Best wishes,
Atanas Korchev
the Telerik team
John DeVight
answered on 29 Dec 2011, 09:01 PM
Take a look at the following article: Implementing the Anti-Forgery Token with the Telerik MVC Grid

Regards,

John DeVight