Conversation
Thanks for opening this, but we'd appreciate a little more information. Could you update it with more details?
| [HttpPost] | ||
| [Authorize(Policy = ResgridResources.Call_Update)] | ||
| public async Task<IActionResult> FlagCallImage(FlagCallImageView model, CancellationToken cancellationToken) |
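Review bot: [Authorize(Policy = ResgridResources.Call_Update)] establishes who the caller is, not whether the POST was submitted from the site's own form, so a signed-in user's browser can be driven to submit it from another origin. This action needs [ValidateAntiForgeryToken] (or a controller-level [AutoValidateAntiforgeryToken]) alongside the policy, and the view that posts to FlagCallImage must emit the token.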
Check failure: Code scanning / CodeQL, Missing cross-site request forgery token validation (High)
Copilot Autofix (AI, about 13 hours ago):
In general, POST actions in ASP.NET Core MVC that modify server-side state and are invoked from a form should validate an anti-forgery token. This is normally done by decorating the action (or controller, or via a global filter) with [ValidateAntiForgeryToken] and ensuring the form includes an anti-forgery token via @Html.AntiForgeryToken() or <form asp-antiforgery="true">.
For this specific issue, the minimal, behavior-preserving fix is to decorate the POST FlagCallImage action with [ValidateAntiForgeryToken] while leaving the GET action unchanged. This leverages the built-in ASP.NET Core anti-forgery system and does not alter the business logic of flagging/unflagging call images. The required attribute type (ValidateAntiForgeryTokenAttribute) is provided by Microsoft.AspNetCore.Mvc, which is already imported at the top of the file (using Microsoft.AspNetCore.Mvc;), so no new imports are needed.
Concretely:
- Edit Web/Resgrid.Web/Areas/User/Controllers/DispatchController.cs.
- Locate the POST action:
  [HttpPost]
  [Authorize(Policy = ResgridResources.Call_Update)]
  public async Task<IActionResult> FlagCallImage(FlagCallImageView model, CancellationToken cancellationToken)
- Insert [ValidateAntiForgeryToken] between the existing attributes and the method declaration:
  [HttpPost]
  [Authorize(Policy = ResgridResources.Call_Update)]
  [ValidateAntiForgeryToken]
  public async Task<IActionResult> FlagCallImage(FlagCallImageView model, CancellationToken cancellationToken)
No helper methods or additional definitions are required, assuming the associated Razor view already emits the anti-forgery token in its form; if it doesn’t, the runtime will produce a validation error, prompting the view to be updated accordingly.
| @@ -1390,6 +1390,7 @@ | ||
|
|
||
| [HttpPost] | ||
| [Authorize(Policy = ResgridResources.Call_Update)] | ||
| [ValidateAntiForgeryToken] | ||
| public async Task<IActionResult> FlagCallImage(FlagCallImageView model, CancellationToken cancellationToken) | ||
| { | ||
| if (!await _authorizationService.CanUserEditCallAsync(UserId, model.CallId)) |
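Review bot: Before merging, confirm the form that posts to FlagCallImage emits the token (form tag helper with asp-action, or @Html.AntiForgeryToken()); with [ValidateAntiForgeryToken] in place, a form without it gets 400 Bad Request on every legitimate submit, which is what the autofix text calls "a validation error". The CanUserEditCallAsync check on the following line is object-level authorization and remains necessary; the token check does not replace it.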
|
|
||
| [HttpPost] | ||
| [Authorize(Policy = ResgridResources.Call_Update)] | ||
| public async Task<IActionResult> FlagCallFile(FlagCallFileView model, CancellationToken cancellationToken) |
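Review bot: Same gap as FlagCallImage, and the same pattern will recur on the next POST added to DispatchController. Rather than patching one action at a time, consider [AutoValidateAntiforgeryToken] on the controller class, which validates every unsafe verb (POST/PUT/PATCH/DELETE) and lets individual actions opt out with [IgnoreAntiforgeryToken] where a non-browser client genuinely needs it.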
Check failure: Code scanning / CodeQL, Missing cross-site request forgery token validation (High)
Copilot Autofix (AI, about 13 hours ago):
To fix the problem in general, every state-changing HTTP POST (and other unsafe verbs like PUT/DELETE when used) in an ASP.NET Core MVC application should validate an anti-forgery token. This is typically done with the [ValidateAntiForgeryToken] attribute on the action (or controller) and emitting the token in the corresponding form using @Html.AntiForgeryToken() in the view. Alternatively, a global filter enforcing anti-forgery on all POST actions can be used, but that is outside the snippet we can modify.
For this specific method, the minimal, non-breaking fix is to add the [ValidateAntiForgeryToken] attribute to the POST FlagCallFile action so that any POST to this endpoint must include a valid anti-forgery token. The GET FlagCallFile (which renders the form) does not need this attribute; instead, its view should already be including @Html.AntiForgeryToken() (outside the scope of our changes). We do not need any new imports because the file already uses Microsoft.AspNetCore.Mvc, which defines ValidateAntiForgeryTokenAttribute. Concretely, in Web/Resgrid.Web/Areas/User/Controllers/DispatchController.cs, just above the [HttpPost] FlagCallFile method at line 1486–1488, add [ValidateAntiForgeryToken], keeping all other logic and attributes intact.
| @@ -1484,6 +1484,7 @@ | ||
| } | ||
|
|
||
| [HttpPost] | ||
| [ValidateAntiForgeryToken] | ||
| [Authorize(Policy = ResgridResources.Call_Update)] | ||
| public async Task<IActionResult> FlagCallFile(FlagCallFileView model, CancellationToken cancellationToken) | ||
| { |
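Review bot: Style point: this hunk places [ValidateAntiForgeryToken] between [HttpPost] and [Authorize], while the FlagCallImage hunk places it after [Authorize]. Both work (ValidateAntiForgeryTokenAttribute carries its own filter Order, so the token check runs after the policy check either way), but pick one placement across the controller so the next reader does not wonder whether the order matters.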
|
|
||
| [HttpPost] | ||
| [Authorize(Policy = ResgridResources.Reports_View)] | ||
| public IActionResult FlaggedCallNotesReportParams(FlaggedCallNotesReportParams model) |
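Review bot: The Reports_View policy suggests this POST only renders a report from the submitted parameters; if it truly mutates nothing, the CSRF impact is limited to forcing a report render for the victim. The attribute is still the right call, since it is cheap and the action body is not visible here to confirm it has no side effects.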
Check failure: Code scanning / CodeQL, Missing cross-site request forgery token validation (High)
Copilot Autofix (AI, about 13 hours ago):
In general, to fix missing CSRF validation on ASP.NET Core MVC POST actions, you add the [ValidateAntiForgeryToken] (or [AutoValidateAntiforgeryToken] globally) attribute so the framework validates the anti-forgery token sent with the form. The corresponding view must also emit the token (via @Html.AntiForgeryToken() or the form tag helper). This ensures that only requests originating from your site, not forged cross-site requests, are accepted.
For this specific issue, the best targeted fix is to decorate the POST overload of FlaggedCallNotesReportParams with [ValidateAntiForgeryToken]. This does not change existing logic: it simply adds a precondition that the anti-forgery token is present and valid. ASP.NET Core MVC already provides ValidateAntiForgeryToken in Microsoft.AspNetCore.Mvc, which is already imported at the top of ReportsController.cs, so no new using directives or packages are required. Concretely, in Web/Resgrid.Web/Areas/User/Controllers/ReportsController.cs, at lines 535–539, insert [ValidateAntiForgeryToken] between [HttpPost] and [Authorize(...)] or adjacent to them. No other code changes are necessary within the shown snippet.
| @@ -533,6 +533,7 @@ | ||
| } | ||
|
|
||
| [HttpPost] | ||
| [ValidateAntiForgeryToken] | ||
| [Authorize(Policy = ResgridResources.Reports_View)] | ||
| public IActionResult FlaggedCallNotesReportParams(FlaggedCallNotesReportParams model) | ||
| { |
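Review bot: Three identical one-line fixes across two controllers indicate there is no global anti-forgery policy; add options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()) in the MVC setup so new POST actions are covered by default, and add a regression test that posts to one of these actions without a token and asserts a 400 response, otherwise the next refactor can drop the attribute unnoticed. The GET overload that renders the report form must emit the token, as the autofix text notes.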
No description provided.
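As an added example (not Resgrid's code), the pieces that have to line up for the fix proposed in all three alerts to work: the attribute on the POST action, the token emitted by the view, and the global filter the comments mention as the alternative. SampleController, FlagItemView and the X-CSRF-TOKEN header name are hypothetical.

```csharp
// Added example, not from the Resgrid repository. Type names are hypothetical.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Option A (global): validate the token on every POST/PUT/PATCH/DELETE action
// unless it opts out with [IgnoreAntiforgeryToken]. With this in place the
// per-action attribute below is redundant, and every new action is covered.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

// Optional: lets JavaScript clients send the token in a header instead of a form field.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-CSRF-TOKEN");

var app = builder.Build();
app.MapDefaultControllerRoute();
app.Run();

public class FlagItemView
{
    public int ItemId { get; set; }
    public bool Flagged { get; set; }
}

public class SampleController : Controller
{
    // GET only renders the form, so it needs no validation. The view must emit the
    // token: <form asp-action="Flag" method="post"> does so automatically, while a
    // plain <form> needs @Html.AntiForgeryToken() inside it.
    [HttpGet]
    public IActionResult Flag(int id) => View(new FlagItemView { ItemId = id });

    // Option B (per action): the check runs as an authorization filter, before the
    // body executes. A missing or stale token yields 400 Bad Request, so a form that
    // does not emit the token breaks for legitimate users as well, not just forgers.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Flag(FlagItemView model)
    {
        // ... persist model.Flagged for model.ItemId ...
        return RedirectToAction(nameof(Flag), new { id = model.ItemId });
    }
}
```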