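        /// <summary>
        /// Applies a partial profile update (profile text and user handle) to the user whose
        /// primary key is <c>user.ID</c>, on behalf of the currently authenticated caller.
        /// Only the owner of the target profile, or a member of the "ADMIN" role, may update it;
        /// any other attempt is logged as a security warning and refused.
        /// </summary>
        /// <param name="user">Partial update payload bound from the request body; may be null on a malformed or empty body.</param>
        /// <returns>
        /// A SUCCESS response carrying the refreshed full profile, or a FAILURE response when the
        /// payload is missing, the caller cannot be resolved, the caller is not authorized for the
        /// target profile, or the target user does not exist.
        /// </returns>
        public async Task <ApiServiceResponse <UserProfileFullModel> > UpdateUserInformation([FromBody] UserUpdatePartialModel user)
        {
            //TODO: HARDEN NON-PROFILETEXT
            if (user == null)
            {
                //model binding yields null for an empty/unparseable body; refuse instead of dereferencing it below
                return(FailureResponse("No update payload was supplied."));
            }

            //resolve the caller: identity record first, then the application user row it maps to
            var identityUser = await manager.FindByNameAsync(User.Identity.Name);
            if (identityUser == null)
            {
                string message = "Failed to resolve the identity of the current user.";
                MasterLogger.LogIssue(message, typeof(UserApiController).Name, DateTime.Now, LogSeverity.ISSUE);
                return(FailureResponse(message));
            }

            var userClaimId    = identityUser.Id;
            var attemptingUser = db.Users.FirstOrDefault(u => u.UserID.Equals(userClaimId));
            if (attemptingUser == null)
            {
                //authenticated principal with no application user row; nothing to authorize against
                string message = "Failed to retrieve the application user for identity:" + userClaimId;
                MasterLogger.LogIssue(message, typeof(UserApiController).Name, DateTime.Now, LogSeverity.ISSUE);
                return(FailureResponse(message));
            }

            //authorization boundary: the caller must own the target profile or hold the ADMIN role
            if (attemptingUser.Id != user.ID && !(await manager.IsInRoleAsync(userClaimId, "ADMIN")))
            {
                //this user is attempting to edit another user, and is not an authorized administrator
                //log the occurence
                MasterLogger.LogIssue("Illegal user profile update.  Attempter: " + attemptingUser.Id + "/" + attemptingUser.UserHandle +
                                      " Profile Attempted: " + user.ID, typeof(UserApiController).Name, DateTime.Now, LogSeverity.SECURITYWARNING);
                //fail silently
                return(FailureResponse("ILLEGAL ACTION DETECTED"));
            }

            //update user
            var oldUser = db.Users.Find(user.ID);

            if (oldUser == null)
            {
                //use the requested id here: oldUser is null on this path, so it must not be dereferenced
                string message = "Failed to retrieve user with id:" + user.ID;
                MasterLogger.LogIssue(message, typeof(UserApiController).Name, DateTime.Now, LogSeverity.ISSUE);
                return(FailureResponse(message));
            }

            //update user values (only the two fields the partial model is allowed to touch)
            oldUser.ProfileText = user.ProfileText;
            oldUser.UserHandle  = user.UserHandle;
            db.SaveChanges();

            var usermodel = new UserProfileFullModel
            {
                ID           = oldUser.Id,
                ProfileText  = oldUser.ProfileText,
                VaporAmount  = oldUser.VaporAmount,
                AetherAmount = oldUser.AetherAmount,
                UserHandle   = oldUser.UserHandle,
                Avatar       = oldUser.Avatar
            };

            return(new ApiServiceResponse <UserProfileFullModel>
            {
                ResponseCode = ApiServiceResponseCode.SUCCESS,
                ResponseObject = usermodel,
                Message = null
            });
        }

        /// <summary>
        /// Builds a FAILURE response with no payload and the given message, so every refusal
        /// path in <see cref="UpdateUserInformation"/> has the same shape.
        /// </summary>
        /// <param name="message">Message returned to the client.</param>
        /// <returns>A FAILURE response whose ResponseObject is null.</returns>
        private static ApiServiceResponse <UserProfileFullModel> FailureResponse(string message)
        {
            return(new ApiServiceResponse <UserProfileFullModel>
            {
                ResponseCode = ApiServiceResponseCode.FAILURE,
                ResponseObject = null,
                Message = message
            });
        }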
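        /// <summary>
        /// Renders the profile page of the signed-in user and tells the view whether the page
        /// may be edited inline.
        /// </summary>
        /// <param name="id">
        /// Route id of the requested profile. NOTE(review): this parameter is never read — the
        /// action always resolves the signed-in user, so every caller is shown their own page and
        /// AbleToEditPage is always true; confirm whether the lookup should use <paramref name="id"/>.
        /// </param>
        /// <returns>
        /// The profile view, or 404 when the signed-in principal has no identity record or no
        /// application user row (previously a null dereference).
        /// </returns>
        public async Task <ActionResult> UserPage(string id)
        {
            //if the user is the owner of this id (current user id == id), then
            //they can edit the page using AJAX
            var currentUserId = User.Identity.GetUserId();
            var user = await manager.FindByIdAsync(currentUserId);
            if (user == null)
            {
                //the principal has no identity record behind it; there is nothing to render
                return(HttpNotFound());
            }

            var userobj = db.Users.FirstOrDefault(u => u.UserID.Equals(user.Id));
            if (userobj == null)
            {
                //identity record without an application user row
                return(HttpNotFound());
            }

            ViewBag.AbleToEditPage = (userobj.UserID == currentUserId);
            var usermodel = new UserProfileFullModel
            {
                ID           = userobj.Id,
                ProfileText  = userobj.ProfileText,
                VaporAmount  = userobj.VaporAmount,
                AetherAmount = userobj.AetherAmount,
                UserHandle   = userobj.UserHandle,
                Avatar       = userobj.Avatar
            };

            return(View(usermodel));
        }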