Merge pull request #7142 from NuGet/ryuyu-allow-anglebracketownerrequest

Allow HTML in owner request messages.

Author: ryuyu

src/NuGetGallery/Controllers/JsonApiController.cs

@@ -103,8 +103,12 @@ public virtual ActionResult GetPackageOwners(string id)
 
         [HttpPost]
         [ValidateAntiForgeryToken]
-        public async Task<JsonResult> AddPackageOwner(string id, string username, string message)
+        public async Task<JsonResult> AddPackageOwner(AddPackageOwnerViewModel addOwnerData)
         {
+            string id = addOwnerData.Id;
+            string username = addOwnerData.Username;
+            string message = addOwnerData.Message;
+
             if (Regex.IsMatch(username, GalleryConstants.EmailValidationRegex, RegexOptions.None, GalleryConstants.EmailValidationRegexTimeout))
             {
                 return Json(new { success = false, message = Strings.AddOwner_NameIsEmail }, JsonRequestBehavior.AllowGet);

src/NuGetGallery/NuGetGallery.csproj

@@ -752,6 +752,7 @@
     <Compile Include="Telemetry\UserPackageDeleteOutcome.cs" />
     <Compile Include="UrlHelperExtensions.cs" />
     <Compile Include="ViewModels\AddOrganizationViewModel.cs" />
+    <Compile Include="ViewModels\AddPackageOwnerViewModel.cs" />
     <Compile Include="ViewModels\CompositeLicenseExpressionSegmentViewModel.cs" />
     <Compile Include="ViewModels\DeleteOrganizationViewModel.cs" />
     <Compile Include="ViewModels\DeleteUserViewModel.cs" />

src/NuGetGallery/ViewModels/AddPackageOwnerViewModel.cs

@@ -0,0 +1,16 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Web.Mvc;
+
+namespace NuGetGallery
+{
+    public class AddPackageOwnerViewModel
+    {
+        public string Id { get; set; }
+        public string Username { get; set; }
+
+        [AllowHtml]
+        public string Message { get; set; }
+    }
+}

tests/NuGetGallery.Facts/Controllers/JsonApiControllerFacts.cs

@@ -355,9 +355,15 @@ public async Task FailsIfUserInputIsEmailAddress(Func<Fakes, User> getCurrentUse
                             var package = fakes.Package;
                             var controller = GetController<JsonApiController>();
                             controller.SetCurrentUser(currentUser);
+                            AddPackageOwnerViewModel testData = new AddPackageOwnerViewModel
+                            {
+                                Id = package.Id,
+                                Username = usernameToAdd,
+                                Message = "a message"
+                            };
 
                             // Act
-                            var result = await controller.AddPackageOwner(package.Id, usernameToAdd, "a message");
+                            var result = await controller.AddPackageOwner(testData);
                             dynamic data = result.Data;
 
                             // Assert
@@ -444,8 +450,15 @@ public async Task CreatesPackageOwnerRequestSendsEmailAndReturnsPendingState(Fun
                                         .Verifiable();
                                 }
                             }
+                            AddPackageOwnerViewModel testData = new AddPackageOwnerViewModel
+                            {
+                                Id = fakes.Package.Id,
+                                Username = userToAdd.Username,
+                                Message = "Hello World! Html Encoded <3"
+                            };
 
-                            JsonResult result = await controller.AddPackageOwner(fakes.Package.Id, userToAdd.Username, "Hello World! Html Encoded <3");
+
+                            JsonResult result = await controller.AddPackageOwner(testData);
                             dynamic data = result.Data;
                             PackageOwnersResultViewModel model = data.model;
 
@@ -679,7 +692,14 @@ public async Task RemovesExistingOwner(Func<Fakes, User> getCurrentUser, Func<Fa
 
                 private static async Task<ActionResult> AddPackageOwner(JsonApiController jsonApiController, string packageId, string username)
                 {
-                    return await jsonApiController.AddPackageOwner(packageId, username, "message");
+                    AddPackageOwnerViewModel testData = new AddPackageOwnerViewModel
+                    {
+                        Id = packageId,
+                        Username = username,
+                        Message = "message"
+                    };
+
+                    return await jsonApiController.AddPackageOwner(testData);
                 }
 
                 private static async Task<ActionResult> RemovePackageOwner(JsonApiController jsonApiController, string packageId, string username)