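        /// <summary>
        /// Saves the current user's preference edits — the email address and, for local accounts,
        /// the security question/answer and password — and records the change in the object change log.
        /// </summary>
        /// <param name="sender">The control that raised the click.</param>
        /// <param name="e">Event arguments (unused).</param>
        /// <remarks>
        /// Every validation or execution failure raises a UI error and returns without reporting success.
        /// The statement is built into the page-level <c>sSQL</c> field and run through <c>dc.sqlExecuteUpdate</c>,
        /// which takes raw statement text; each spliced-in value is therefore quote-escaped the way the rest of
        /// this page does. That is a stopgap — a parameterized update API is the proper replacement.
        /// </remarks>
        public void btnSave_Click(object sender, System.EventArgs e)
        {
            // validation for password match
            if (txtPassword.Text != txtPasswordConfirm.Text)
            {
                ui.RaiseError(Page, "Passwords do not match", true, "");
                return;
            }

            // the page pre-fills the password box with this sentinel; anything else means the user typed a new password
            const string sPasswordFiller = "($%#d@x!&";
            bool bPasswordChanged = txtPassword.Text != sPasswordFiller;
            string sUserID = ui.GetSessionUserID();

            // email is always written; the remaining columns are appended only when they apply
            sSQL = "update users set email = '" + txtEmail.Text.Replace("'", "''") + "'";

            if (lblAuthenticationType.Text == "local")
            {
                //-------------------------------------------------------------------------------------------------------
                // these settings are only applicable if the user is local.
                // Escape the encrypted form (the value that actually lands in the statement), not the plaintext:
                // escaping before EnCrypt would persist doubled quotes inside the stored question.
                sSQL += ",security_question = '" + dc.EnCrypt(txtSecurityQuestion.Text).Replace("'", "''") + "'";

                if (bPasswordChanged)
                {
                    // bugzilla 1347: reject a password that appears in the user's recent password history
                    if (dc.PasswordInHistory(dc.EnCrypt(txtPassword.Text), sUserID, ref sErr))
                    {
                        ui.RaiseError(Page, "Passwords can not be reused, choose another password", true, "");
                        return;
                    }
                    // the history lookup reports its own failures through sErr; treat null and "" alike
                    if (!string.IsNullOrEmpty(sErr))
                    {
                        ui.RaiseError(Page, sErr, true, "");
                        return;
                    }

                    // make sure the password meets the complexity policy
                    if (!dc.PasswordIsComplex(txtPassword.Text, ref sErr))
                    {
                        ui.RaiseError(Page, sErr, true, "");
                        return;
                    }
                    sSQL += ",user_password='******'";
                }

                // only update the security answer if it has changed
                if (txtSecurityAnswer.Text != hidSecurityAnswer.Value)
                {
                    sSQL += ",security_answer='" + dc.EnCrypt(txtSecurityAnswer.Text).Replace("'", "''") + "'";
                }
                //-------------------------------------------------------------------------------------------------------
            }

            sSQL += " where user_id = '" + sUserID.Replace("'", "''") + "'";

            try
            {
                if (!dc.sqlExecuteUpdate(sSQL, ref sErr))
                {
                    // nothing was saved, so neither log a change nor report success below
                    ui.RaiseError(Page, "Update failed: " + sErr, true, "");
                    return;
                }

                ui.WriteObjectChangeLog(acObjectTypes.User, "User Preferences", "Email", hidEmail.Value, txtEmail.Text);

                if (bPasswordChanged)
                {
                    // log the fact that the password changed (never the value)
                    ui.WriteObjectChangeLog(acObjectTypes.User, sUserID, "Password", "User updated password via User Preferences");

                    // add the password update to the history
                    sSQL = "insert user_password_history (user_id, change_time,password) values ('" + sUserID.Replace("'", "''") + "',now(),'" + dc.EnCrypt(txtPassword.Text).Replace("'", "''") + "')";
                    if (!dc.sqlExecuteUpdate(sSQL, ref sErr))
                    {
                        ui.RaiseError(Page, "User updated, could not add password history: " + sErr, true, "");
                    }
                }
            }
            catch (System.Exception ex)
            {
                // the data layer reports through sErr; fall back to the exception text when that is empty
                ui.RaiseError(Page, "Update failed: " + (string.IsNullOrEmpty(sErr) ? ex.Message : sErr), true, "");
                return;
            }

            txtSecurityAnswer.Attributes.Add("value", txtSecurityAnswer.Text);
            ui.RaiseInfo(Page, "Preferences updated.", "");

            // to make everything look right redirect to raw
            //Response.Redirect(Request.RawUrl);
        }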
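        /// <summary>
        /// Applies an administrator's edits to an existing user — the core columns, an optional new password
        /// (checked against history and complexity for local accounts), and the user's group tags — inside one
        /// transaction, then writes a security log entry.
        /// </summary>
        /// <param name="oUser">
        /// Exactly ten values, in order: user id, login id, full name, authentication type ("local" or "ldap"),
        /// password (or the unchanged sentinel), force-change flag, role, email, status, comma-separated group list.
        /// </param>
        /// <returns>An empty string on success; otherwise a user-facing message explaining why nothing was saved.</returns>
        /// <exception cref="System.Exception">The uniqueness lookup or a statement inside the transaction failed.</exception>
        /// <remarks>
        /// The data layer takes raw statement text, so every value is quote-escaped right before it is spliced in.
        /// That is a stopgap: a parameterized command is the proper fix for this method.
        /// </remarks>
        public static string SaveUserEdits(object[] oUser)
        {
            // verify the right number of properties
            if (oUser == null || oUser.Length != 10)
            {
                return("Incorrect number of User Properties.");
            }

            // System.Convert.ToString yields "" for a null slot where .ToString() would throw
            string sEditUserID          = System.Convert.ToString(oUser[0]);
            string sLoginID             = System.Convert.ToString(oUser[1]);
            string sFullName            = System.Convert.ToString(oUser[2]);
            string sAuthType            = System.Convert.ToString(oUser[3]);
            string sUserPassword        = System.Convert.ToString(oUser[4]);
            string sForcePasswordChange = System.Convert.ToString(oUser[5]);
            string sUserRole            = System.Convert.ToString(oUser[6]);
            string sEmail               = System.Convert.ToString(oUser[7]);
            string sStatus              = System.Convert.ToString(oUser[8]);
            string sGroupArray          = System.Convert.ToString(oUser[9]);

            dataAccess dc = new dataAccess();
            acUI.acUI  ui = new acUI.acUI();
            string sErr = null;
            string sChangeDetail = "User Details updated.";

            // the user id is spliced into every statement below, so escape it once
            string sSafeUserID = sEditUserID.Replace("'", "''");

            // checks that cant be done on the client side: is the login id unique?
            string sInuse = "";
            if (!dc.sqlGetSingleString(ref sInuse, "select user_id from users where username = '******' and user_id <> '" + sSafeUserID + "' limit 1", ref sErr))
            {
                throw new System.Exception(sErr);
            }
            if (!string.IsNullOrEmpty(sInuse))
            {
                return("Login ID '" + sLoginID + "' is unavailable, please choose another.");
            }

            // Per conference call 5-11-09 the client sends a fixed 9 char mask when the password box
            // was not touched; anything else is a new password.
            string sPasswordUpdate     = ",";
            bool   boolPasswordChanged = false;

            if (sUserPassword != "($%#d@x!&")
            {
                sChangeDetail += "  Password changed.";
                if (sAuthType == "local")
                {
                    string sNewPassword = sUserPassword.Trim();

                    // bugzilla 1347: reject a password that appears in the user's recent password history
                    if (dc.PasswordInHistory(dc.EnCrypt(sNewPassword), sEditUserID, ref sErr))
                    {
                        return("Passwords can not be reused, please choose another password");
                    }
                    // the lookup reports its own failures through sErr. Test for content, not for null:
                    // returning an empty sErr here would read as success to the caller while nothing was saved.
                    if (!string.IsNullOrEmpty(sErr))
                    {
                        return(sErr);
                    }
                    if (!dc.PasswordIsComplex(sNewPassword, ref sErr))
                    {
                        return(sErr);
                    }
                    sPasswordUpdate     = ",user_password = '******',";
                    boolPasswordChanged = true;
                }
                else if (sAuthType == "ldap")
                {
                    sPasswordUpdate = ",user_password = NULL,";
                }
                else
                {
                    return("Unknown Authentication type.");
                }
            }

            // NOTE(review): acTransaction's rollback/dispose contract is not visible here; confirm that an
            // exception escaping before Commit() leaves no open transaction behind.
            dataAccess.acTransaction oTrans = new dataAccess.acTransaction(ref sErr);

            // update the user fields
            ExecOrThrow(oTrans,
                        "update users set" +
                        " full_name = '" + sFullName.Replace("'", "''") + "'," +
                        " username = '******'" + sPasswordUpdate +
                        " force_change = '" + sForcePasswordChange.Replace("'", "''") + "'," +
                        " authentication_type = '" + sAuthType.Replace("'", "''") + "'," +
                        " email = '" + sEmail.Replace("'", "''") + "'," +
                        " failed_login_attempts = '0'," +
                        " status = '" + sStatus.Replace("'", "''") + "'," +
                        " user_role = '" + sUserRole.Replace("'", "''") + "'" +
                        " where user_id = '" + sSafeUserID + "'",
                        ref sErr);

            if (boolPasswordChanged)
            {
                // add Password history if it changed
                ExecOrThrow(oTrans,
                            "insert user_password_history (user_id, change_time,password) values ('" + sSafeUserID + "',now(),'" + dc.EnCrypt(sUserPassword.Trim()).Replace("'", "''") + "')",
                            ref sErr);
            }

            #region "tags"
            // remove the existing tags, then re-add the submitted groups (if any)
            ExecOrThrow(oTrans, "delete from object_tags where object_id = '" + sSafeUserID + "'", ref sErr);

            if (sGroupArray.Length > 0)
            {
                foreach (string sGroupName in sGroupArray.Split(','))
                {
                    ExecOrThrow(oTrans,
                                "insert object_tags (object_id, object_type, tag_name)" +
                                " values ('" + sSafeUserID + "', 1, '" + sGroupName.Replace("'", "''") + "')",
                                ref sErr);
                }
            }
            #endregion

            oTrans.Commit();

            // add security log
            ui.WriteObjectChangeLog(Globals.acObjectTypes.User, sEditUserID, sFullName.Trim().Replace("'", "''"), sChangeDetail);

            // no errors to here, so return an empty string
            return("");
        }

        /// <summary>
        /// Runs one statement on an open transaction and surfaces a failed execution as an exception,
        /// so the caller's statement sequence stops at the first failure.
        /// </summary>
        /// <param name="oTrans">The transaction whose command is reused for the statement.</param>
        /// <param name="sSql">The statement text to execute.</param>
        /// <param name="sErr">Receives the data layer's error text on failure.</param>
        /// <exception cref="System.Exception">The statement did not execute successfully.</exception>
        private static void ExecOrThrow(dataAccess.acTransaction oTrans, string sSql, ref string sErr)
        {
            oTrans.Command.CommandText = sSql;
            if (!oTrans.ExecUpdate(ref sErr))
            {
                throw new System.Exception(sErr);
            }
        }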