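public ActionResult UpdatePassword(UpdatePasswordVM form)
{
    // Changes the password of the user identified by the current session.
    // The caller must prove knowledge of the current password, and the new
    // password must match its confirmation, before anything is persisted.
    //
    // NOTE(review): any [HttpPost] / [ValidateAntiForgeryToken] / authorization
    // attributes sit above this method and are outside this excerpt - confirm
    // they are present, since this action mutates credentials.
    if (!ModelState.IsValid)
    {
        ModelState.AddModelError("PasswordConfirmation", "Invalid entry. Please check your entries and try again.");
        return View(form);
    }

    // The account is taken from the server-side session, never from the form,
    // so a user can only ever change their own password.
    object sessionUserName = Session["UserName"];
    if (sessionUserName == null)
    {
        // Original code dereferenced this unconditionally and would throw a
        // NullReferenceException for an unauthenticated request.
        // Assumes a Login action exists on this (Account) controller - see Login below.
        return RedirectToAction("Login", "Account");
    }

    UserPO user = Mapper.Mapper.UserDOtoPO(_UserDAO.ViewByUserName(sessionUserName.ToString()));
    if (user.UserID == 0)
    {
        // Session names an account that no longer exists (UserID == 0 is the
        // "not found" marker used by Login); do not hash against a missing salt.
        return RedirectToAction("Login", "Account");
    }

    // Verify the current password. Hashing.CompareByteArray is assumed to be a
    // constant-time comparison - TODO confirm; a short-circuiting compare would
    // leak hash prefix information through timing.
    byte[] currentHash = Hashing.GenerateSHA256Hash(form.OldPassword, user.Salt);
    if (!Hashing.CompareByteArray(currentHash, user.Password))
    {
        // Original fell through to an empty `new ViewResult()` here: no model, no
        // error message. Report the failure on the field that was wrong.
        ModelState.AddModelError("OldPassword", "Invalid entry. Please check your entries and try again.");
        return View(form);
    }

    if (form.NewPassword != form.PasswordConfirmation)
    {
        // Original silently skipped the password change on a mismatch, still
        // called UpdateUser and redirected as if the change had succeeded.
        ModelState.AddModelError("PasswordConfirmation", "Invalid entry. Please check your entries and try again.");
        return View(form);
    }

    // Fresh salt on every change so the new hash never shares a salt with the old one.
    // NOTE(review): the stored scheme is a single salted SHA-256
    // (Hashing.GenerateSHA256Hash); a purpose-built password KDF
    // (PBKDF2/bcrypt/Argon2) is preferable, but switching is a storage-format
    // migration and out of scope for this block.
    user.Salt = Hashing.CreateSalt(10);
    user.Password = Hashing.GenerateSHA256Hash(form.NewPassword, user.Salt);

    try
    {
        _UserDAO.UpdateUser(Mapper.Mapper.UserPOtoDO(user));
        // NOTE(review): consider invalidating other sessions for this account
        // after a credential change; nothing here does so.
        return RedirectToAction("AccountView", "Account");
    }
    catch (SqlException sqlEx)
    {
        // Lower layers mark exceptions they already logged with Data["Logged"] = true.
        // The original only logged when the key was present AND false, so an
        // unmarked SqlException was never logged at all. Log unless explicitly
        // marked; the `as bool?` form is null-safe when the key is absent.
        if ((sqlEx.Data["Logged"] as bool?) != true)
        {
            Logger.LogSqlException(sqlEx);
        }
        return View(form);
    }
    catch (Exception ex)
    {
        if ((ex.Data["Logged"] as bool?) != true)
        {
            Logger.LogException(ex);
        }
        return View(form);
    }
}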
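public ActionResult Login(Login form)
{
    // Authenticates a username/password pair and, on success, populates the
    // session with the user's identity and role before redirecting home.
    //
    // NOTE(review): [HttpPost] / [ValidateAntiForgeryToken] attributes, if any,
    // sit above this method and are outside this excerpt. There is also no
    // failed-attempt throttling or lockout in this action.
    if (!ModelState.IsValid)
    {
        ModelState.AddModelError("Password", "Username or Password is incorrect!");
        return View(form);
    }

    try
    {
        UserPO user = Mapper.Mapper.UserDOtoPO(_UserDAO.ViewByUserName(form.UserName));

        // UserID == 0 means no such account. The original used two messages that
        // differed only in capitalisation ("password" vs "Password") for "unknown
        // user" and "wrong password", which let an attacker confirm which
        // usernames exist. Both paths now return the identical message.
        // NOTE(review): this path still skips the hash computation, so response
        // time differs slightly from the wrong-password path; hash against a
        // dummy salt here if that timing signal matters for this deployment.
        if (user.UserID == 0)
        {
            ModelState.AddModelError("Password", "Username or Password was incorrect");
            return View(form);
        }

        // Hashing.CompareByteArray is assumed to be constant-time - TODO confirm.
        byte[] attemptHash = Hashing.GenerateSHA256Hash(form.Password, user.Salt);
        if (!Hashing.CompareByteArray(user.Password, attemptHash))
        {
            ModelState.AddModelError("Password", "Username or Password was incorrect");
            return View(form);
        }

        if (user.Banned || user.Inactive)
        {
            // Reached only after a correct password, so naming the account state
            // here does not help an unauthenticated caller enumerate accounts.
            // The literal in the original source was mangled ("User: "******" ...");
            // reconstructed as the submitted username - confirm against history.
            string errorMessage = "User: " + form.UserName + " has been banned, or marked inactive!";
            ModelState.AddModelError("Password", errorMessage);
            return View(form);
        }

        // NOTE(review): regenerate the session id before storing identity
        // (session-fixation defence); ASP.NET does not do this automatically.
        Session["UserName"] = user.UserName;
        Session["Role"] = user.Role;
        Session["RoleName"] = user.RoleName;
        Session["FirstName"] = user.FirstName;
        Session["LastName"] = user.LastName;
        Session["Banned"] = user.Banned; // always false at this point; kept for views that read it
        return RedirectToAction("Index", "Home");
    }
    catch (SqlException sqlEx)
    {
        // Original evaluated (bool)sqlEx.Data["Logged"] BEFORE checking
        // Contains("Logged"), so a SqlException without that key threw a
        // NullReferenceException from inside the catch. `as bool?` is null-safe.
        if ((sqlEx.Data["Logged"] as bool?) != true)
        {
            Logger.LogSqlException(sqlEx);
        }
        return View(form);
    }
    catch (Exception ex)
    {
        if ((ex.Data["Logged"] as bool?) != true)
        {
            Logger.LogException(ex);
        }
        return View(form);
    }
}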