public BaseResponseModel Delete(int id)
{
var vm = new BaseResponseModel();
// Get existing user
var user = UserService.GetUserById(id);
if (user == null)
{
throw new HttpException(404, "User not found.");
}
// Check permissions
if (!CurrentUser.HasPermission(Permission.EditUsers))
{
throw new HttpException(401, "You do not have permissions to complete this action.");
}
UserService.DeleteUser(user);
LogService.CreateLog(new Log
{
Category = LogCategory.Application,
IpAddress = GetClientIp(ControllerContext.Request),
User = CurrentUser,
Level = LogLevel.Info,
Message = "User " + user.Email + " (ID #" + user.Id + ") was deleted."
});
return new BaseResponseModel
{
Success = true
};
}
public BaseResponseModel ForgotPassword(ForgotPasswordInputModel inputModel)
{
// Get existing user
var vm = new BaseResponseModel();
var user = UserService.GetUserByEmail(inputModel.Email);
if (user != null)
{
UserService.GenerateResetRequest(user);
vm.Success = true;
}
return vm;
}
public BaseResponseModel Update(UpdateUserInputModel inputModel)
{
var vm = new BaseResponseModel();
// Validate request
var validationState = new ValidationDictionary();
inputModel.ValidateRequest(validationState);
// Get existing user
var user = UserService.GetUserById(inputModel.UserId);
if (user == null)
{
throw new HttpException(404, "User not found.");
}
// Do not allow editing of users other than yourself if you
// don't have permissions
if (!CurrentUser.HasPermission(Permission.EditUsers)
&& user.Id != CurrentUser.Id)
{
throw new HttpException(401, "You do not have permissions to complete this action.");
}
// Copy properties
bool emailChanged = user.Email != inputModel.Email;
user.Email = inputModel.Email;
string newPass = String.IsNullOrWhiteSpace(inputModel.Password)
? null : inputModel.Password;
// Additional properties for admin users
if (CurrentUser.HasPermission(Permission.EditUsers))
{
if (inputModel.Role.HasValue) user.Role = inputModel.Role.Value;
}
if (UserService.ValidateUser(user, validationState))
{
UserService.UpdateUser(user, newPass);
if (emailChanged)
{
ReAuthorizeUser(inputModel.Email);
}
LogService.CreateLog(new Log
{
Category = LogCategory.Application,
IpAddress = GetClientIp(ControllerContext.Request),
Level = LogLevel.Info,
Message = "User " + inputModel.Email + " (ID #" + user.Id + ") was updated.",
User = CurrentUser
});
vm.Success = true;
}
vm.Errors = validationState.Errors;
return vm;
}
public BaseResponseModel SignOut()
{
_auth.SignOut();
// @todo - API is not stateless.
// The below implementation prevents the API from being
// stateless. A better implementation would be OAuth or some other
// kerberos/token method, however for the time being...
// clear authentication cookie
var authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, "");
authCookie.Expires = DateTime.Now.AddYears(-1);
HttpContext.Current.Response.Cookies.Add(authCookie);
// clear session cookie
var sessionCookie = new HttpCookie("ASP.NET_SessionId", "");
sessionCookie.Expires = DateTime.Now.AddYears(-1);
HttpContext.Current.Response.Cookies.Add(sessionCookie);
var vm = new BaseResponseModel
{
Success = true
};
return vm;
}
public BaseResponseModel ResetPassword(ResetPasswordInputModel inputModel)
{
// Get existing user
var vm = new BaseResponseModel();
var validationState = new ValidationDictionary();
inputModel.ValidateRequest(validationState);
if (validationState.IsValid)
{
var user = UserService.GetUserByResetToken(inputModel.ResetToken);
if (user != null)
{
UserService.ResetPassword(user, inputModel.Password);
vm.Success = true;
}
else
{
validationState.AddError("ResetToken", "Invalid reset token.");
}
}
vm.Errors = validationState.Errors;
return vm;
}
public BaseResponseModel Update(UpdateResourceInputModel inputModel)
{
var vm = new BaseResponseModel();
// Validate request
var validationState = new ValidationDictionary();
// Get existing resource
var resource = _resourceService.GetResourceById(inputModel.ResourceId);
if (resource == null)
{
throw new HttpException(404, "Resource not found.");
}
// Do not allow editing of resources other than yourself if you
// don't have permissions
if (!CurrentUser.HasPermission(Permission.EditResources))
{
throw new HttpException(401, "You do not have permissions to complete this action.");
}
// Copy properties
resource.Value = inputModel.Value;
if (_resourceService.ValidateResource(resource, validationState))
{
_resourceService.UpdateResource(resource);
LogService.CreateLog(new Log
{
Category = LogCategory.Application,
IpAddress = GetClientIp(ControllerContext.Request),
Level = LogLevel.Info,
Message = "Resource " + resource.Name + " (ID #" + resource.Id + ") was updated.",
User = CurrentUser
});
vm.Success = true;
}
vm.Errors = validationState.Errors;
return vm;
}