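        /// <summary>
        /// Handles the "UserEditForm" and "RoleEditForm" AJAX submissions: saves the record, then
        /// replaces its role/permission grants with whatever is checked in the "Roles" and
        /// "Permissions" blocks. Both forms require the UserAdministrator permission; a caller
        /// without it is ignored (nothing is saved). Any other FormName is ignored too.
        /// </summary>
        /// <param name="form">
        /// The submitted form. form.RecordID is null for a new record; after a successful create
        /// it is set to the new record's ID.
        /// </param>
        /// <exception cref="AjaxException">
        /// (UserEditForm only) RecordID does not resolve to a user, or the current user is not
        /// allowed to modify that user.
        /// </exception>
        void OnSaveForm(AjaxFormSubmittedValues form)
        {
            switch (form.FormName)
            {
            case "UserEditForm":
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
                {
                    return;
                }
                AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
                string pw      = block.Fields["Password"].Value;
                bool   enabled = block.Fields["Enabled"].Value == "True";
                if (pw.Length == 0)
                {
                    pw = null;                                                // empty password field = keep the existing password
                }
                SecurityProvider.User user;

                if (form.RecordID == null)
                {
                    user = new SecurityProvider.User(
                        WebsiteClient.ClientID,
                        block.Fields["Username"].Value,
                        pw,
                        block.Fields["FirstName"].Value,
                        block.Fields["Surname"].Value,
                        block.Fields["Email"].Value,
                        enabled,
                        false, false);
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    form.RecordID = user.UserID;
                }
                else
                {
                    // RecordID is client-supplied: it may not resolve at all, and it may name a user
                    // the caller is not allowed to touch. Check both before changing anything.
                    user = SecurityProvider.User.Load(form.RecordID.Value);
                    if (user == null)
                    {
                        throw new AjaxException("That user could not be found.");
                    }
                    if (!CurrentUser.CanModifyUser(user))
                    {
                        throw new AjaxException("You don't have access to modify that user.");
                    }
                    user.Username = block.Fields["Username"].Value;
                    if (pw != null)
                    {
                        user.Password = pw;                               // whether the setter hashes is not visible here
                    }
                    user.FirstName = block.Fields["FirstName"].Value;
                    user.Surname   = block.Fields["Surname"].Value;
                    user.Email     = block.Fields["Email"].Value;
                    user.Enabled   = enabled;
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    if (user.Locked)
                    {
                        return;                                          // don't muck with permissions/roles
                    }
                }

                // Users can't alter their own permissions. Compare IDs, not usernames: the username
                // was just overwritten from the form, so a user editing their own record could rename
                // themselves in the same submission and slip past a username comparison.
                if (user.UserID == CurrentUser.UserID)
                {
                    return;
                }
                if (!HasGrantBlocks(form))
                {
                    return;                                              // this form doesn't manage grants; leave them as they are
                }

                StringBuilder sql = new StringBuilder();
                AppendCheckedGrants(sql, form, "Roles",       "exec AssignUserToRole '{1}', '{0}'\r\n",     user.UserID);
                AppendCheckedGrants(sql, form, "Permissions", "exec AssignPermission '{0}', null, '{1}'\r\n", user.UserID);

                // Revoke even when nothing is checked; otherwise clearing every box would leave the
                // user's existing grants in place.
                user.RevokeRolesAndPermissions();
                if (sql.Length > 0)
                {
                    Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                }
                break;

            case "RoleEditForm":
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
                {
                    return;
                }
                block = form.Blocks["RoleDetails"];
                string name = block.Fields["Name"].Value;
                enabled = block.Fields["Enabled"].Value == "True";
                SecurityProvider.Role role;
                if (form.RecordID == null)
                {
                    role          = new SecurityProvider.Role();
                    role.RoleCode = role.RoleID.ToString();                             // role codes are only used by system roles
                    role.ClientID = defaultClient.ClientID;
                }
                else
                {
                    role = SecurityProvider.Role.Load(form.RecordID.Value);
                    if (role == null || role.Locked)
                    {
                        return;                                          // unknown role, or a locked role that users aren't supposed to edit
                    }
                }
                role.Name    = name;
                role.Enabled = enabled;
                ((SecurityProvider)SystemCore.Instance["SecurityProvider"]).SaveRole(role);

                sql = new StringBuilder();
                AppendCheckedGrants(sql, form, "Roles",       "exec InheritRoleFrom '{1}', '{0}'\r\n",      role.RoleID);
                AppendCheckedGrants(sql, form, "Permissions", "exec AssignPermission '{0}', null, '{1}'\r\n", role.RoleID);

                role.RevokeRolesAndPermissions();                         // revoke any pre-existing permissions/roles before we assign the new ones
                if (sql.Length > 0)
                {
                    Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                }
                break;
            }
        }

        /// <summary>
        /// True when the submitted form carries a "Roles" or "Permissions" block, i.e. it intends
        /// to manage the record's grants at all.
        /// </summary>
        private static bool HasGrantBlocks(AjaxFormSubmittedValues form)
        {
            return form.Blocks.ContainsKey("Roles") || form.Blocks.ContainsKey("Permissions");
        }

        /// <summary>
        /// Appends one statement to <paramref name="sql"/> for every checked ("True") field in
        /// form.Blocks[<paramref name="blockName"/>] whose name the logged-in user holds as a
        /// role. Fields the user cannot grant are skipped silently, so an administrator can only
        /// hand out what they already have.
        /// </summary>
        /// <param name="sql">Batch being built.</param>
        /// <param name="form">Submitted form; a missing block is a no-op.</param>
        /// <param name="blockName">"Roles" or "Permissions".</param>
        /// <param name="statementFormat">
        /// Format with {0} = the grant name (single quotes already doubled for a T-SQL literal)
        /// and {1} = the subject's ID; must end with its own line terminator.
        /// </param>
        /// <param name="subjectId">Server-generated user or role ID the grant applies to.</param>
        /// <remarks>
        /// NOTE(review): the "Permissions" block is gated with HasRole(permission name), exactly
        /// like the "Roles" block — presumably a copy-paste from the role loop; confirm whether a
        /// permission check is intended for permission names.
        /// NOTE(review): this is still a string-built batch. The only client-controlled text is the
        /// grant name, which is both escaped and restricted to names the user already holds, but
        /// a parameterized command per grant would be preferable if Database.Main supports it.
        /// </remarks>
        private static void AppendCheckedGrants(StringBuilder sql, AjaxFormSubmittedValues form, string blockName, string statementFormat, object subjectId)
        {
            if (!form.Blocks.ContainsKey(blockName))
            {
                return;
            }
            foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks[blockName].Fields)
            {
                string grantName = kvp.Value.Name;
                if (!WebSecurity.CurrentUser.HasRole(grantName))                                  // make sure the logged in user has the right to assign this
                {
                    continue;
                }
                if (kvp.Value.Value != "True")
                {
                    continue;
                }
                sql.AppendFormat(statementFormat, grantName.Replace("'", "''"), subjectId);
            }
        }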
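        /// <summary>
        /// Creates or updates a user from the standard user-details block of a submitted form and
        /// returns the saved user. The password is read from "Password1" when that field exists,
        /// otherwise from "Password"; an empty value means "keep the existing password". The
        /// username of an existing user is never changed here, because the login cookie is keyed
        /// on it and changing it would invalidate the session.
        /// </summary>
        /// <param name="form">
        /// Submitted form. RecordID null creates a user (and RecordID is then set to the new ID);
        /// otherwise the user with that ID is updated.
        /// </param>
        /// <param name="blockName">Name of the block holding the user fields.</param>
        /// <param name="enabled">When not null, overrides the block's "Enabled" field.</param>
        /// <returns>The saved user.</returns>
        /// <exception cref="InvalidOperationException">RecordID does not resolve to a user.</exception>
        /// <remarks>
        /// NOTE(review): this method does no authorization of its own. form.RecordID is supplied by
        /// the client, so the caller must have verified that the current user may modify that
        /// record (and may set its Enabled flag / password) before calling.
        /// </remarks>
        public SecurityProvider.User SaveStandardUserFormDetails(AjaxFormSubmittedValues form, string blockName, bool? enabled)
        {
            AjaxFormSubmittedValues.Block block = form.Blocks[blockName];

            string pw = block.Fields.ContainsKey("Password1")
                ? block.Fields["Password1"].Value
                : block.Fields["Password"].Value;
            if (pw.Length == 0)
            {
                pw = null;                                                // empty = don't touch the password
            }
            bool isEnabled = enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value;

            SecurityProvider.User user;
            if (form.RecordID == null)
            {
                user = new SecurityProvider.User(
                    WebsiteClient.ClientID,
                    block.Fields["Username"].Value,
                    pw,
                    block.Fields["FirstName"].Value,
                    block.Fields["Surname"].Value,
                    block.Fields["Email"].Value,
                    isEnabled,
                    false, false);
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();
                form.RecordID = user.UserID;
            }
            else
            {
                user = SecurityProvider.User.Load(form.RecordID.Value);
                if (user == null)
                {
                    throw new InvalidOperationException("No user exists with the submitted RecordID.");
                }
                // Username intentionally left alone (see summary).
                if (pw != null)
                {
                    user.Password = pw;                                   // whether the setter hashes is not visible here
                }
                user.FirstName = block.Fields["FirstName"].Value;
                user.Surname   = block.Fields["Surname"].Value;
                user.Email     = block.Fields["Email"].Value;
                user.Enabled   = isEnabled;
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();
            }
            return user;
        }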