public void FillStandardUserFormBlock(AjaxFormFieldBlock block, User user, bool plainTextPassword, bool multilingual, bool requireFullName, bool allowUsernameEditing)
{
bool newUser = user == null;
string labelUsername = multilingual ? "{?form-label-username?}" : "Username";
string labelPassword = multilingual ? "{?form-label-password?}" : "Password";
string labelFirstName = multilingual ? "{?form-label-firstname?}" : "FirstName";
string labelSurname = multilingual ? "{?form-label-surname?}" : "Surname";
string labelEmail = multilingual ? "{?form-label-email?}" : "Email";
string errNoUsername = multilingual ? "{?form-error-require-username?}" : "Please enter a username";
string errNoFirstName = multilingual ? "{?form-error-require-firstname?}" : "Please enter your first name";
string errNoSurname = multilingual ? "{?form-error-require-surname?}" : "Please enter your surname";
string errNoEmail = multilingual ? "{?form-error-require-email?}" : "Please enter your email address";
string errNoPassword = multilingual ? "{?form-error-require-password?}" : "Please enter your email password";
string fErr = "function(value){{if(value.length==0) return '{0}'; return null;}}";
string pErr = !newUser ? null : string.Format(fErr, errNoPassword);
string fnErr = !requireFullName ? null : string.Format(fErr, errNoFirstName);
string snErr = !requireFullName ? null : string.Format(fErr, errNoSurname);
if (newUser) user = new User();
bool locked = user.Locked;
if(allowUsernameEditing)
block.Add(new AjaxFormInputField(labelUsername, "Username", 50, locked, null, "width:150px;", user.Username, null, string.Format(fErr, errNoUsername), true, 0));
if (plainTextPassword)
block.Add(new AjaxFormInputField(labelPassword, "Password", 50, false, null, "width:150px;", null, null, pErr, true, ObjectRank.Early));
else
block.Add(new AjaxFormPasswordField(labelPassword, 50, null, "width:73px", ObjectRank.Early, multilingual, newUser, !newUser));
block.Add(new AjaxFormInputField(labelFirstName, "FirstName", 50, false, null, "width:150px;", user.FirstName, null, fnErr, true, ObjectRank.Normal));
block.Add(new AjaxFormInputField(labelSurname, "Surname", 50, false, null, "width:150px;", user.Surname, null, snErr, true, ObjectRank.Normal));
block.Add(new AjaxFormInputField(labelEmail, "Email", 100, false, null, "width:150px;", user.Email, null, string.Format(fErr, errNoEmail), true, ObjectRank.Normal));
}
public Result DeleteUser(User user)
{
if (OnBeforeUserDeleted != null)
{
StateChangingEventArgs args = new StateChangingEventArgs();
OnBeforeUserDeleted(user, args);
if (args.CancelStateChange)
return new Result(args.ReasonForCancellation);
}
IDbCommand cmd = Database.Main.CreateCommand("DeleteUser", CommandType.StoredProcedure);
Database.Main.AddParameter(cmd, "@UserID", user.UserID);
Database.Main.AddParameter(cmd, "@DeletePermanently", true);
cmd.ExecuteNonQuery();
if (OnUserDeleted != null)
OnUserDeleted(user);
return new Result();
}
public User SaveStandardUserFormDetails(AjaxFormSubmittedValues form, string blockName, bool? enabled)
{
AjaxFormSubmittedValues.Block block = form.Blocks[blockName];
string pw;
if (block.Fields.ContainsKey("Password1"))
pw = block.Fields["Password1"].Value;
else
pw = block.Fields["Password"].Value;
if (pw.Length == 0) pw = null;
User user;
if (form.RecordID == null)
{
user = new User(
SecurityProvider.ClientSpaceID,
block.Fields["Username"].Value,
pw,
block.Fields["FirstName"].Value,
block.Fields["Surname"].Value,
block.Fields["Email"].Value,
enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value,
false, false, 0);
if (OnBeforeSaveUser != null)
OnBeforeSaveUser(form, user);
SecurityProvider.DataLayer.Store(user);
form.RecordID = user.UserID;
}
else
{
long myuserid = SecurityProvider.CurrentUser.UserID;
// string myoldusername = CurrentUser.Username;
user = User.Select(form.RecordID.Value);
// user.Username = block.Fields["Username"].Value;
if (pw != null) user.Password = pw;
user.FirstName = block.Fields["FirstName"].Value;
user.Surname = block.Fields["Surname"].Value;
user.Email = block.Fields["Email"].Value;
user.Enabled = enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value;
if (OnBeforeSaveUser != null)
OnBeforeSaveUser(form, user);
SecurityProvider.DataLayer.Store(user);
/* we're not going to allow the user to change their username, so this code is commented out
if (myuserid == user.UserID && (pw != null || user.Username != myoldusername)) // changing username or password causes login cookie to become invalid
WebAuthentication.Instance.WriteAuthenticationCookie(
user.Username,
pw != null ? Crypto.EncryptOneWay(pw) : user.PasswordHash,
WebAuthentication.Instance.StoreAjaxAuthKey(user.Username),
1440); */
}
return user;
}
void OnSaveForm(AjaxFormSubmittedValues form)
{
List<string> roleCodes = new List<string>(), permissionTypeCodes = new List<string>();
switch (form.FormName)
{
case "UserEditForm":
if (!WebAuthentication.VerifyAccess(PermissionType.UserAdministrator))
return;
AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
string pw = block.Fields["Password"].Value;
bool enabled = block.Fields["Enabled"].Value == "True";
if (pw.Length == 0) pw = null;
User user;
if (form.RecordID == null)
{
user = new User(
SecurityProvider.ClientSpaceID,
block.Fields["Username"].Value,
pw,
block.Fields["FirstName"].Value,
block.Fields["Surname"].Value,
block.Fields["Email"].Value,
enabled, false, false, 0);
Result result = SecurityProvider.DataLayer.Store(user);
if (!result.Succeeded)
throw new AjaxException(result.Message);
if (OnUserSaved != null)
OnUserSaved(form, user);
form.RecordID = user.UserID;
}
else
{
user = User.Select(form.RecordID.Value);
//if (!CurrentUser.CanModifyUser(user))
// throw new AjaxException("You don't have access to modify that user.");
user.Username = block.Fields["Username"].Value;
if (pw != null) user.Password = pw;
user.FirstName = block.Fields["FirstName"].Value;
user.Surname = block.Fields["Surname"].Value;
user.Email = block.Fields["Email"].Value;
user.Enabled = enabled;
SecurityProvider.DataLayer.Store(user);
//user.Save();
if (OnUserSaved != null)
OnUserSaved(form, user);
if (user.Locked) return; // don't muck with permissions/roles
}
if (user.Username != SecurityProvider.CurrentUser.Username) // users can't alter their own permissions
{
if (form.Blocks.ContainsKey("Roles"))
foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
if (kvp.Value.Value == "True")
roleCodes.Add(kvp.Value.Name);
//sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''"));
if (form.Blocks.ContainsKey("Permissions"))
foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
if (kvp.Value.Value == "True")
permissionTypeCodes.Add(kvp.Value.Name);
//sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID);
//if (sql.Length == 0) return;
SecurityProvider.DataLayer.SetRolesAndPermissionsForUser(user.UserID, roleCodes, permissionTypeCodes);
//user.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
//Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
}
break;
case "RoleEditForm":
if (!WebAuthentication.VerifyAccess(PermissionType.RoleAdministrator))
return;
block = form.Blocks["RoleDetails"];
string name = block.Fields["Name"].Value;
enabled = block.Fields["Enabled"].Value == "True";
Role role;
if (form.RecordID == null)
{
role = new Role();
role.RoleID = DatabaseManager.GetUniqueID();
role.RoleCode = role.RoleID.ToString(); // role codes are only used by system roles
role.ClientSpaceID = SecurityProvider.ClientSpaceID;
}
else
{
role = Role.Select(form.RecordID.Value);
if (role == null) return;
if (role.Locked) return; // locked roles aren't supposed to be edited by users
}
role.Name = name;
role.Enabled = enabled;
SecurityProvider.DataLayer.Store(role);
//((SecurityProvider)Core.Instance["SecurityProvider"]).SaveRole(role);
//sql = new StringBuilder();
if (form.Blocks.ContainsKey("Roles"))
foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
if (kvp.Value.Value == "True")
roleCodes.Add(kvp.Value.Name);
//sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''"));
if (form.Blocks.ContainsKey("Permissions"))
foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
if (kvp.Value.Value == "True")
permissionTypeCodes.Add(kvp.Value.Name);
//sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID);
SecurityProvider.DataLayer.SetRolesAndPermissionsForRole(role.RoleID, roleCodes, permissionTypeCodes);
//role.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
//if (sql.Length == 0) return;
//Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
break;
}
}
public bool CanModifyUser(User targetUser)
{
foreach (KeyValuePair<string, Permission> p in targetUser.Permissions)
if (!HasPermission(p.Key))
return false;
foreach (KeyValuePair<string, Permission> r in targetUser.Roles)
if (!HasRole(r.Key))
return false;
return true;
}
public static User LoadByEmail(Guid clientID, string emailAddress)
{
IDbCommand cmd = Database.Main.CreateCommand("ListUsers", CommandType.StoredProcedure);
Database.Main.AddParameter(cmd, "@ClientID", clientID);
Database.Main.AddParameter(cmd, "@Email", emailAddress);
Database.Main.AddParameter(cmd, "@ExactMatches", true);
DataSet ds = Database.Main.GetDataSet(cmd);
if (ds.Tables[0].Rows.Count == 0)
return null;
User user = new User(ds.Tables[0].Rows[0]);
return user;
}
public static User Load(Guid userID)
{
IDbCommand cmd = Database.Main.CreateCommand("ListUsers", CommandType.StoredProcedure);
Database.Main.AddParameter(cmd, "@UserID", userID);
DataSet ds = Database.Main.GetDataSet(cmd);
if (ds.Tables[0].Rows.Count == 0)
return null;
User user = new User(ds.Tables[0].Rows[0]);
return user;
}
public static User[] BasicSearch(string partUsername, string partFirstName, string partSurname, string partEmail, int? maxResults, Guid? editableByUserID, out int totalMatches, bool? activated)
{
if (maxResults == 0) maxResults = null;
if (partUsername == "") partUsername = null;
if (partFirstName == "") partFirstName = null;
if (partSurname == "") partSurname = null;
IDbCommand cmd = Database.Main.CreateCommand("ListUsers", CommandType.StoredProcedure);
Database.Main.AddParameter(cmd, "@Username", partUsername);
Database.Main.AddParameter(cmd, "@FirstName", partFirstName);
Database.Main.AddParameter(cmd, "@Surname", partSurname);
Database.Main.AddParameter(cmd, "@Email", partEmail);
Database.Main.AddParameter(cmd, "@Activated", activated);
Database.Main.AddParameter(cmd, "@EditableByUserID", editableByUserID);
Database.Main.AddParameter(cmd, "@MaxRecords", maxResults);
IDataParameter prm = Database.Main.AddOutputParameter(cmd, "@TotalMatches", DbType.Int32);
DataSet ds = Database.Main.GetDataSet(cmd);
if (prm.Value != DBNull.Value)
totalMatches = (int)prm.Value;
else
totalMatches = ds.Tables[0].Rows.Count;
User[] users = new User[ds.Tables[0].Rows.Count];
for(int i=0; i<ds.Tables[0].Rows.Count; i++)
users[i] = new User(ds.Tables[0].Rows[i]);
return users;
}
public User SelectUser(long userID)
{
using (TransactionScope scope = new TransactionScope(TransactionScopeOption.Suppress))
{
using (SqlConnection conn = new SqlConnection(DatabaseManager.DatabaseEngine.ConnectionString))
{
conn.Open();
SqlCommand cmd = new SqlCommand("SelectUser", conn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(new SqlParameter("@UserID", userID));
SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
User user;
if (!reader.Read())
user = null;
else
user = new User(reader);
reader.Close();
return user;
}
}
}
public Result Delete(User user)
{
Result result = new Result();
if (OnBeforeDeleteUser != null)
OnBeforeDeleteUser(user, result);
SqlConnection conn = null;
if (result.Succeeded)
{
try
{
using (TransactionScope scope = new TransactionScope())
{
conn = (SqlConnection)DatabaseManager.DatabaseEngine.GetConnection();
try
{
SqlCommand cmd = new SqlCommand("DeleteUser", conn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add(new SqlParameter("@UserID", user.UserID));
cmd.ExecuteNonQuery();
scope.Complete();
}
catch (Exception ex)
{
return new Result(ex.Message);
}
}
}
finally
{
DatabaseManager.DatabaseEngine.ReleaseConnection(conn);
}
if (OnUserDeleted != null)
OnUserDeleted(user);
}
return result;
}
public Result Store(User user)
{
SqlConnection conn = null;
try
{
using (TransactionScope scope = new TransactionScope())
{
conn = (SqlConnection)DatabaseManager.DatabaseEngine.GetConnection();
try
{
SqlCommand cmd = new SqlCommand("StoreUser", conn);
cmd.CommandType = CommandType.StoredProcedure;
SqlParameter prm = new SqlParameter("@UserID", user.UserID);
prm.Direction = ParameterDirection.InputOutput;
cmd.Parameters.Add(prm);
cmd.Parameters.Add(new SqlParameter("@ClientSpaceID", user.ClientSpaceID));
cmd.Parameters.Add(new SqlParameter("@Username", user.Username));
cmd.Parameters.Add(new SqlParameter("@PasswordHash", user.PasswordHash));
cmd.Parameters.Add(new SqlParameter("@FirstName", user.FirstName));
cmd.Parameters.Add(new SqlParameter("@Surname", user.Surname));
cmd.Parameters.Add(new SqlParameter("@Email", user.Email));
cmd.Parameters.Add(new SqlParameter("@Enabled", user.Enabled));
cmd.Parameters.Add(new SqlParameter("@Hidden", user.Hidden));
cmd.Parameters.Add(new SqlParameter("@Locked", user.Locked));
cmd.Parameters.Add(new SqlParameter("@Deleted", user.Deleted));
cmd.Parameters.Add(new SqlParameter("@Activated", user.Activated));
cmd.Parameters.Add(new SqlParameter("@ActivationReminderSent", user.Activated));
cmd.Parameters.Add(new SqlParameter("@Created", user.Created));
cmd.Parameters.Add(new SqlParameter("@LastAuthenticated", user.LastAuthenticated));
cmd.Parameters.Add(new SqlParameter("@LocalTimeOffsetHours", user.LocalTimeOffsetHours));
for (int i = 0; i < cmd.Parameters.Count; i++)
if (cmd.Parameters[i].Value == null)
cmd.Parameters[i].Value = DBNull.Value;
cmd.ExecuteNonQuery();
user.UserID = (long)prm.Value;
scope.Complete();
}
catch (Exception ex)
{
return new Result(ex.Message);
}
}
}
finally
{
DatabaseManager.DatabaseEngine.ReleaseConnection(conn);
}
return new Result();
}
public Result SaveUser(User user)
{
if (OnBeforeUserSaved != null)
{
StateChangingEventArgs args = new StateChangingEventArgs();
OnBeforeUserSaved(user, args);
if (args.CancelStateChange)
return new Result(args.ReasonForCancellation);
}
IDbCommand cmd = Database.Main.CreateCommand(user.IsNew ? "CreateUser" : "UpdateUser", CommandType.StoredProcedure);
Database.Main.AddParameter(cmd, "@UserID", user.UserID);
Database.Main.AddParameter(cmd, "@ClientID", user.ClientID);
Database.Main.AddParameter(cmd, "@Username", user.Username);
Database.Main.AddParameter(cmd, "@PasswordHash", user.PasswordHash);
Database.Main.AddParameter(cmd, "@FirstName", user.FirstName);
Database.Main.AddParameter(cmd, "@Surname", user.Surname);
Database.Main.AddParameter(cmd, "@Email", user.Email);
Database.Main.AddParameter(cmd, "@Enabled", user.Enabled);
Database.Main.AddParameter(cmd, "@Hidden", user.Hidden);
Database.Main.AddParameter(cmd, "@Locked", user.Locked);
cmd.ExecuteNonQuery();
bool isNew = user.IsNew;
user.SetSaved();
if (OnUserSaved != null)
OnUserSaved(user, isNew);
return new Result();
}