/// <summary>
/// Creates a proxy that checks the permissions of <paramref name="u"/> before forwarding calls to <paramref name="dao"/>.
/// </summary>
/// <param name="u">The user on whose behalf data access is performed; must not be null.</param>
/// <param name="dao">The underlying data access object that receives the permitted calls; must not be null.</param>
public DAOPermissionProxy(User u, IDataAccessObject dao)
{
    Contract.Requires(u != null);
    Contract.Requires(dao != null);

    _dao = dao;
    _user = u;
}
/// <summary>
/// Changes the proxy user's own password, given the hash of the current password.
/// </summary>
/// <param name="user">The user whose password changes; must be the user this proxy was created for.</param>
/// <param name="newPasswordHash">Hash of the new password.</param>
/// <param name="oldPasswordHash">Hash of the current password, forwarded to the DAO.</param>
public void ChangePassword(User user, string newPasswordHash, string oldPasswordHash)
{
    Contract.Requires(ActionPermitted(SystemAction.ChangeOwnPassword));
    Contract.Requires(this.CorrectUser(user));

    // The runtime checks repeat the contracts so a denied call still fails when
    // contracts are not enforced. TestCorrectUser throws PermissionException;
    // TestPermission is defined elsewhere and is assumed to behave the same way.
    var requiredAction = SystemAction.ChangeOwnPassword;
    this.TestPermission(requiredAction, "You don't have permission to change your own password");
    this.TestCorrectUser(user);

    _dao.ChangePassword(user, newPasswordHash, oldPasswordHash);
}
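/// <summary>
/// Logs the current user out: clears the current user, restarts the application flow
/// (the parameterless RunApp overload is defined outside this listing) and closes the main window.
/// </summary>
public static void LogOut()
{
    _currentUser = null;
    RunApp();

    if (_mainWindow == null)
    {
        // Nothing to close, e.g. LogOut invoked before a main window was ever shown;
        // the original dereferenced the field unconditionally.
        return;
    }

    // Closing the main window must not be treated as an application shutdown.
    // Restore the flag even if Close throws, so a later real shutdown is not blocked.
    ShutdownAllowed = false;
    try
    {
        _mainWindow.Close();
    }
    finally
    {
        ShutdownAllowed = true;
    }
}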
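/// <summary>
/// Returns the data access object for <paramref name="u"/>, creating and caching it on first request.
/// </summary>
/// <param name="u">The user for which data access permissions will be fetched; must not be null.</param>
/// <returns>A data access object ready to use; the cached instance is returned on later calls for the same user.</returns>
public static IDataAccessObject getDAO(User u)
{
    Contract.Requires(Ready);
    Contract.Requires(u != null);
    Contract.Ensures(Contract.Result<IDataAccessObject>() != null);
    Contract.Ensures(daos.ContainsKey(u));

    // NOTE(review): the cache is keyed on User, whose Equals compares mutable state
    // (salt, permissions, workplaces, DbId); confirm a user is not mutated after it
    // has been used as a key, or the cached DAO becomes unreachable.
    IDataAccessObject dao;
    if (!daos.TryGetValue(u, out dao))
    {
        // Single lookup instead of ContainsKey followed by two indexer reads.
        dao = DAOMySql.GetDAO(u, ConnectionString);
        daos[u] = dao;
    }
    return dao;
}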
/// <summary>
/// Loads the set of system actions <paramref name="u"/> is permitted to perform.
/// </summary>
/// <param name="u">The user whose permissions are fetched; must not be null.</param>
/// <returns>The permitted actions; never null (empty when none are stored).</returns>
public HashSet<SystemAction> GetPermissions(User u)
{
    Contract.Requires(u != null, "Input user must not be null!");
    Contract.Ensures(Contract.Result<HashSet<SystemAction>>() != null);

    // PriGetPermissions requires an open transaction, so it runs inside DoTransaction
    // and hands its result back through the captured local.
    HashSet<SystemAction> permissions = new HashSet<SystemAction>();
    DoTransaction(() => permissions = PriGetPermissions(u));
    return permissions;
}
/// <summary>
/// Loads the voting venues <paramref name="u"/> is registered to work at.
/// </summary>
/// <param name="u">The user whose workplaces are fetched; must not be null.</param>
/// <returns>The user's workplaces; never null (empty when none are stored).</returns>
public HashSet<VotingVenue> GetWorkplaces(User u)
{
    Contract.Requires(u != null, "Input user must not be null!");
    Contract.Ensures(Contract.Result<HashSet<VotingVenue>>() != null);

    // PriGetWorkplaces requires an open transaction, so it runs inside DoTransaction
    // and hands its result back through the captured local.
    HashSet<VotingVenue> workplaces = new HashSet<VotingVenue>();
    DoTransaction(() => workplaces = PriGetWorkplaces(u));
    return workplaces;
}
/// <summary>
/// Replaces the stored password hash of <paramref name="user"/> without verifying the old password.
/// Callers that act on their own account should use the overload taking the old password hash.
/// </summary>
/// <param name="user">The user whose password should be changed; must exist in the database.</param>
/// <param name="newPasswordHash">The hash of the new password to store; must not be null.</param>
public void ChangePassword(User user, string newPasswordHash)
{
    Contract.Requires(user != null);
    Contract.Requires(ExistsInDb(user));
    Contract.Requires(newPasswordHash != null);

    // The wrapper only validates preconditions; the update itself is transactional.
    DoTransaction(() => { PriChangePassword(user, newPasswordHash); });
}
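/// <summary>
/// Inserts <paramref name="user"/> as a new row (inserting or updating its person row first)
/// and returns the new user id. Must run inside a transaction.
/// </summary>
/// <param name="user">The user to create; DbId must be 0 and Username, Title and UserSalt must be set.</param>
/// <returns>The database id of the newly inserted user row.</returns>
private int PriSaveNew(User user)
{
    Contract.Requires(this.Transacting(), "This method must be performed in a transaction.");
    Contract.Requires(user != null, "Input user must not be null!");
    Contract.Requires(user.DbId == 0, "DbId must be zero when creating");
    Contract.Requires(user.Username != null);
    Contract.Requires(user.Title != null);
    Contract.Requires(user.UserSalt != null);
    Contract.Requires(user.Cpr == null || Citizen.ValidCpr(user.Cpr), "A user must have a valid CPR number or no CPR number");
    Contract.Ensures(LoadUser(Contract.Result<int>()).Equals(user), "All changes must be saved");

    MySqlCommand insertOrUpdatePerson;
    // NOTE(review): the search below passes no parameters, so it does not look the person
    // up by CPR as the UPDATE branch assumes; confirm the intended CitizenSearchParam filter
    // with the author before relying on the update path.
    if (user.Cpr != null && PriFindCitizens(new Dictionary<CitizenSearchParam, object>() { }, SearchMatching.Exact).Count > 0)
    {
        insertOrUpdatePerson = Prepare(
            "UPDATE " +
            " person " +
            "SET " +
            " name=@name, " +
            " address=@address, " +
            " place_of_birth=@placeOfBirth, " +
            " passport_number=@passportNumber " +
            "WHERE " +
            " cpr=@cpr" +
            "; " +
            "SELECT " +
            " id " +
            "FROM " +
            " person " +
            "WHERE " +
            " cpr=@cpr;");
    }
    else
    {
        insertOrUpdatePerson = Prepare(
            "INSERT INTO " +
            " person (" +
            " name, " +
            " address, " +
            " place_of_birth," +
            " passport_number," +
            " cpr" +
            " )" +
            "VALUES" +
            " (" +
            " @name," +
            " @address," +
            " @placeOfBirth," +
            " @passportNumber," +
            " @cpr" +
            " )" +
            ";" +
            "SELECT LAST_INSERT_ID();");
    }

    // Keys must match the @placeholders in the SQL above exactly: an unbound placeholder
    // fails at execution. The original bound "placeOfBrith" (typo) and never bound @cpr;
    // the unused "id" entry is dropped. A null value is assumed to bind SQL NULL, as the
    // other optional fields already rely on.
    var personMapping = new Dictionary<string, string>()
    {
        { "name", user.Name },
        { "address", user.Address },
        { "placeOfBirth", user.PlaceOfBirth },
        { "passportNumber", user.PassportNumber },
        { "cpr", user.Cpr },
    };
    foreach (var kv in personMapping)
    {
        insertOrUpdatePerson.Parameters.AddWithValue("@" + kv.Key, kv.Value);
    }
    int personId = Convert.ToInt32(ScalarQuery(insertOrUpdatePerson));

    MySqlCommand insertUser = Prepare(
        " INSERT INTO" +
        " user (" +
        " user_name," +
        " title," +
        " person_id," +
        " user_salt" +
        " )" +
        "VALUES" +
        " (" +
        " @username," +
        " @title," +
        " @personId," +
        " @userSalt" +
        " )" +
        ";" +
        "SELECT LAST_INSERT_ID();");
    var userMapping = new Dictionary<string, string>()
    {
        { "username", user.Username },
        { "title", user.Title },
        { "personId", personId.ToString() },
        { "userSalt", user.UserSalt },
    };
    foreach (var kv in userMapping)
    {
        insertUser.Parameters.AddWithValue("@" + kv.Key, kv.Value);
    }
    return Convert.ToInt32(ScalarQuery(insertUser));
}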
/// <summary>
/// Returns the voting venues <paramref name="u"/> works at, as reported by the underlying DAO.
/// No permission check is performed here.
/// </summary>
/// <param name="u">The user whose workplaces are fetched.</param>
/// <returns>The user's workplaces as returned by the DAO.</returns>
public HashSet<VotingVenue> Workplaces(User u)
{
    var workplaces = _dao.GetWorkplaces(u);
    return workplaces;
}
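/// <summary>
/// Writes the person and user rows of an existing <paramref name="user"/> back to the database.
/// Must run inside a transaction.
/// </summary>
/// <param name="user">The user to update; DbId and PersonDbId must reference existing rows.</param>
private void PriSave(User user)
{
    Contract.Requires(this.Transacting(), "This method must be performed in a transaction.");
    Contract.Requires(user != null, "Input user must not be null!");
    Contract.Requires(user.DbId > 0, "DbId must be larger than zero to update");
    Contract.Requires(PriExistsWithId("user", user.DbId), "DbId must be present in database in order to update anything");
    Contract.Requires(user.Username != null);
    Contract.Requires(user.Title != null);
    Contract.Requires(user.UserSalt != null);
    Contract.Requires(user.PersonDbId > 0, "An existing user must map to a person in the database");
    Contract.Requires(PriExistsWithId("person", user.PersonDbId), "The person for this user must exist in the database");
    Contract.Requires(user.Cpr == null || Citizen.ValidCpr(user.Cpr), "A user must have a valid CPR number or no CPR number");
    Contract.Ensures(LoadUser(user.DbId).Equals(user), "All changes must be saved");

    // Keys must match the @placeholders in the SQL exactly; an unbound placeholder fails at
    // execution. The original bound "placeOfBrith" (typo), leaving @placeOfBirth unbound.
    MySqlCommand updatePerson = Prepare("UPDATE person SET name=@name, address=@address, place_of_birth=@placeOfBirth, passport_number=@passportNumber WHERE id=@id");
    var personMapping = new Dictionary<string, string>()
    {
        { "name", user.Name },
        { "address", user.Address },
        { "placeOfBirth", user.PlaceOfBirth },
        { "passportNumber", user.PassportNumber },
        { "id", user.PersonDbId.ToString() },
    };
    foreach (var kv in personMapping)
    {
        updatePerson.Parameters.AddWithValue("@" + kv.Key, kv.Value);
    }
    Execute(updatePerson);

    MySqlCommand updateUser = Prepare("UPDATE user SET user_name=@username, title=@title, user_salt=@userSalt WHERE id=@id");
    var userMapping = new Dictionary<string, string>()
    {
        { "username", user.Username },
        { "title", user.Title },
        { "userSalt", user.UserSalt },
        { "id", user.DbId.ToString() },
    };
    foreach (var kv in userMapping)
    {
        updateUser.Parameters.AddWithValue("@" + kv.Key, kv.Value);
    }
    Execute(updateUser);
}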
/// <summary>
/// Reads the voting venues linked to <paramref name="user"/> through the workplace table.
/// Must run inside a transaction.
/// </summary>
/// <param name="user">The user whose workplaces are read; must not be null.</param>
/// <returns>The venues found; empty (never null) when the user has no database id yet.</returns>
private HashSet<VotingVenue> PriGetWorkplaces(User user)
{
    Contract.Requires(this.Transacting(), "This method must be performed in a transaction.");
    Contract.Requires(user != null, "The input user must not be null!");
    Contract.Ensures(Contract.Result<HashSet<VotingVenue>>() != null);

    var venues = new HashSet<VotingVenue>();
    // A user without a positive id has never been stored, so there is nothing to look up.
    if (user.DbId < 1)
    {
        return venues;
    }

    MySqlCommand select = Prepare(
        "SELECT " +
        " v.id, " +
        " v.address, " +
        " v.name " +
        "FROM " +
        " user u " +
        " INNER JOIN " +
        " workplace w " +
        " ON " +
        " u.id = w.user_id " +
        " INNER JOIN " +
        " voting_venue v " +
        " ON " +
        " v.id = w.voting_venue_id " +
        "WHERE " +
        " u.id=@id");
    select.Parameters.AddWithValue("@id", user.DbId);

    Query(select, reader =>
    {
        while (reader.Read())
        {
            int venueId = reader.GetInt32("id");
            string venueName = reader.GetString("name");
            string venueAddress = reader.GetString("address");
            venues.Add(new VotingVenue(venueId, venueName, venueAddress));
        }
    });
    return venues;
}
/// <summary>
/// Loads the user with database id <paramref name="id"/> together with its joined person row.
/// Must run inside a transaction and the user must exist.
/// </summary>
/// <param name="id">The user's database id; must be greater than zero.</param>
/// <returns>The loaded user; never null when the preconditions hold.</returns>
private User PriLoadUser(int id)
{
    Contract.Requires(this.Transacting(), "This method must be performed in a transaction.");
    Contract.Requires(PriExistsWithId("user", id), "User must exist in the database to be loaded.");
    Contract.Requires(id > 0, "The input id must be larger than zero.");
    Contract.Ensures(Contract.Result<User>() != null);

    MySqlCommand select = Prepare(
        "SELECT * FROM " +
        " user u " +
        " INNER JOIN " +
        " person p " +
        " ON " +
        " u.person_id=p.id " +
        "WHERE " +
        " u.id=@id");
    select.Parameters.AddWithValue("@id", id);

    User loaded = null;
    Query(select, reader =>
    {
        reader.Read();

        // Person columns may be NULL in the database; only non-null values are copied.
        string cpr = null;
        DoIfNotDbNull(reader, "cpr", column => cpr = reader.GetString(column));
        loaded = new User(id, cpr);
        DoIfNotDbNull(reader, "name", column => loaded.Name = reader.GetString(column));
        DoIfNotDbNull(reader, "address", column => loaded.Address = reader.GetString(column));
        DoIfNotDbNull(reader, "place_of_birth", column => loaded.PlaceOfBirth = reader.GetString(column));
        DoIfNotDbNull(reader, "passport_number", column => loaded.PassportNumber = reader.GetString(column));

        // User columns are read unconditionally.
        loaded.Username = reader.GetString("user_name");
        loaded.Title = reader.GetString("title");
        loaded.UserSalt = reader.GetString("user_salt");
    });
    return loaded;
}
/// <summary>
/// Persists <paramref name="user"/>: updates the existing rows when DbId is set, otherwise inserts new ones.
/// </summary>
/// <param name="user">The user to store; DbId of 0 means "create", a positive DbId means "update".</param>
public void Save(User user)
{
    Contract.Requires(user != null, "Input person must not be null!");
    Contract.Requires(user.DbId >= 0, "DbId must be greater than or equal to zero");
    Contract.Requires(!(user.DbId > 0) || user.PersonDbId > 0, "When updating a user, PersonDbId must be greater than zero.");
    Contract.Requires(user.Cpr == null || Citizen.ValidCpr(user.Cpr), "A user must have a valid CPR number or no CPR number");
    Contract.Requires(!(user.DbId > 0) || this.ExistsInDb(user), "DbId > 0 => UserExists. Eg. if updating, the user to update must exist.");
    Contract.Requires(!(user.DbId > 0) || ExistsInDb(new Person(user.PersonDbId)), "DbId > 0 => userPersonExists. Eg. if updating, the users person to update must exist.");
    Contract.Requires(user.Username != null);
    Contract.Requires(user.Title != null);
    Contract.Requires(user.UserSalt != null);

    bool isUpdate = user.DbId > 0;
    if (isUpdate)
    {
        DoTransaction(() => { PriSave(user); });
        return;
    }
    // PriSaveNew returns the new id; it is not needed here.
    DoTransaction(() => { PriSaveNew(user); });
}
/// <summary>
/// Builds a MySQL-backed data access object for <paramref name="u"/>, wrapped in a permission-checking proxy.
/// </summary>
/// <param name="u">The user the returned DAO acts for.</param>
/// <param name="connectionString">The MySQL connection string handed to the underlying DAO.</param>
/// <returns>A permission proxy around a new <see cref="DAOMySql"/>.</returns>
public static IDataAccessObject GetDAO(User u, string connectionString)
{
    var backend = new DAOMySql(connectionString);
    return new DAOPermissionProxy(u, backend);
}
/// <summary>
/// Tells whether <paramref name="u"/> holds every permission this component needs.
/// </summary>
/// <param name="u">The user to check; must not be null.</param>
/// <returns>True when the user's permissions include all of the needed ones.</returns>
public bool HasPermissionToUse(User u)
{
    Contract.Requires(u != null);

    var granted = u.Permissions;
    return granted.IsSupersetOf(_neededPermissions);
}
/// <summary>
/// Returns the permissions of <paramref name="u"/> as reported by the underlying DAO.
/// No permission check is performed here.
/// </summary>
/// <param name="u">The user whose permissions are fetched.</param>
/// <returns>The permissions as returned by the DAO.</returns>
public HashSet<SystemAction> GetPermissions(User u)
{
    var permissions = _dao.GetPermissions(u);
    return permissions;
}
/// <summary>
/// Tells whether <paramref name="user"/> is the user this proxy was created for.
/// </summary>
/// <param name="user">The user to compare; must not be null.</param>
/// <returns>True when <paramref name="user"/> equals the proxy's own user.</returns>
public bool CorrectUser(User user)
{
    Contract.Requires(user != null);

    bool isOwner = user.Equals(_user);
    return isOwner;
}
/// <summary>
/// Changes another user's password; requires the ChangeOthersPassword action.
/// </summary>
/// <param name="user">The user whose password is replaced.</param>
/// <param name="newPasswordHash">Hash of the new password.</param>
public void ChangePassword(User user, string newPasswordHash)
{
    Contract.Requires(this.ActionPermitted(SystemAction.ChangeOthersPassword));

    // Runtime check repeats the contract so the call is denied even when contracts are not enforced.
    var requiredAction = SystemAction.ChangeOthersPassword;
    this.TestPermission(requiredAction, "You don't have permission to changed users passwords");

    _dao.ChangePassword(user, newPasswordHash);
}
/// <summary>
/// Throws unless <paramref name="user"/> is the user this proxy acts for.
/// </summary>
/// <param name="user">The user to verify; must not be null.</param>
/// <exception cref="PermissionException">Thrown when <paramref name="user"/> is not the proxy's user.</exception>
private void TestCorrectUser(User user)
{
    Contract.Requires(user != null);

    if (this.CorrectUser(user))
    {
        return;
    }
    throw new PermissionException(_user, "You must be logged as this user");
}
/// <summary>
/// Stores <paramref name="newPasswordHash"/> as the password hash of <paramref name="user"/>.
/// Must run inside a transaction.
/// </summary>
/// <param name="user">The user to update; must exist in the database.</param>
/// <param name="newPasswordHash">The hash to store; must not be null.</param>
private void PriChangePassword(User user, string newPasswordHash)
{
    Contract.Requires(Transacting(), "Must be done in a transaction");
    Contract.Requires(user != null);
    Contract.Requires(PriExistsWithId("user", user.DbId));
    Contract.Requires(newPasswordHash != null);

    // Both values are bound as parameters; nothing is concatenated into the SQL.
    MySqlCommand update = Prepare("UPDATE user SET password_hash=@pwdHash WHERE id=@id");
    update.Parameters.AddWithValue("@id", user.DbId);
    update.Parameters.AddWithValue("@pwdHash", newPasswordHash);
    Execute(update);
}
/// <summary>
/// Sets <paramref name="user"/> as the current user and opens the main window when the user
/// is validated; otherwise replaces any open login window with a fresh one.
/// </summary>
/// <param name="user">The user to run the application as; may be null (shows the login window).</param>
public static void RunApp(User user)
{
    _currentUser = user;

    bool validated = user != null && user.Validated;
    if (validated)
    {
        _mainWindow = new MainWindow();
        new MainWindowController(_mainWindow);
        return;
    }

    // Close a login window left over from an earlier attempt before showing a new one.
    if (_loginWindow != null)
    {
        _loginWindow.Close();
        _loginWindow = null;
    }
    var login = new LoginWindow();
    _loginWindow = login;
    // Drop the reference once the window closes so it is not closed twice.
    login.Closing += (sender, args) => { _loginWindow = null; };
    new LoginController(login);
}
/// <summary>
/// Reads the system actions granted to <paramref name="user"/> through the permission table.
/// Must run inside a transaction.
/// </summary>
/// <param name="user">The user whose permissions are read; must not be null.</param>
/// <returns>The granted actions; empty (never null) when the user has no database id yet.</returns>
private HashSet<SystemAction> PriGetPermissions(User user)
{
    Contract.Requires(this.Transacting(), "This method must be performed in a transaction.");
    Contract.Requires(user != null, "The input user must not be null!");
    Contract.Ensures(Contract.Result<HashSet<SystemAction>>() != null);

    var actions = new HashSet<SystemAction>();
    // A user without a positive id has never been stored, so there is nothing to look up.
    if (user.DbId < 1)
    {
        return actions;
    }

    MySqlCommand select = Prepare(
        "SELECT a.label FROM " +
        " action a " +
        " INNER JOIN " +
        " permission p " +
        " ON " +
        " a.id = p.action_id " +
        "WHERE " +
        " p.user_id=@id");
    select.Parameters.AddWithValue("@id", user.DbId);

    Query(select, reader =>
    {
        while (reader.Read())
        {
            // Column 0 is a.label, mapped back to a SystemAction by its label.
            string label = reader.GetString(0);
            actions.Add(SystemActions.getSystemAction(label));
        }
    });
    return actions;
}
/// <summary>
/// Creates an exception recording which system action <paramref name="user"/> was denied.
/// </summary>
/// <param name="systemAction">The action that was not permitted.</param>
/// <param name="user">The user who attempted the action.</param>
/// <param name="msg">The exception message; defaults to a generic denial text.</param>
public PermissionException(SystemAction systemAction, User user, string msg = "You don't have permission to perform this SystemAction.")
    : base(msg)
{
    _user = user;
    _systemAction = systemAction;
}
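/// <summary>
/// Changes the password of <paramref name="user"/> after verifying the hash of the current password.
/// </summary>
/// <param name="user">The user whose password should be changed; must exist in the database.</param>
/// <param name="newPasswordHash">The hash of the new password to store; must not be null.</param>
/// <param name="oldPasswordHash">The hash of the current password; must validate for the user.</param>
/// <exception cref="UnauthorizedAccessException">Thrown when <paramref name="oldPasswordHash"/> does not validate for the user.</exception>
public void ChangePassword(User user, string newPasswordHash, string oldPasswordHash)
{
    Contract.Requires(user != null);
    Contract.Requires(this.ExistsInDb(user));
    Contract.Requires(newPasswordHash != null);
    Contract.Requires(oldPasswordHash != null);
    Contract.Requires(ValidateUser(user.Username, oldPasswordHash));

    // Verified again at runtime so the check holds even when code contracts are not enforced:
    // the current password must be proven before the stored hash is replaced. A specific
    // exception type replaces the bare System.Exception so callers can catch it deliberately.
    if (!ValidateUser(user.Username, oldPasswordHash))
    {
        throw new UnauthorizedAccessException("Wrong password for user \"" + user.Username + "\"");
    }

    DoTransaction(() => { PriChangePassword(user, newPasswordHash); });
}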
/// <summary>
/// Creates an exception recording that <paramref name="user"/> was denied an operation.
/// </summary>
/// <param name="user">The user who attempted the operation.</param>
/// <param name="msg">The exception message; defaults to a generic denial text.</param>
public PermissionException(User user, string msg = "You don't have permission to do this.")
    : base(msg)
{
    var deniedUser = user;
    _user = deniedUser;
}
/// <summary>
/// Compares this user with <paramref name="other"/> on the base (person) fields plus
/// permissions, workplaces, salt, validity and database id.
/// </summary>
/// <param name="other">The user to compare against; null yields false.</param>
/// <returns>True when both users are equal field by field.</returns>
public bool Equals(User other)
{
    if (other is null)
    {
        return false;
    }
    if (ReferenceEquals(other, this))
    {
        return true;
    }

    // NOTE(review): Equals(hashSet, hashSet) is reference equality unless HashSet is
    // wrapped elsewhere; confirm whether SetEquals semantics were intended for
    // _permissions and _workplaces before relying on this in contracts.
    bool sameBase = base.Equals(other);
    bool samePermissions = Equals(this._permissions, other._permissions);
    bool sameWorkplaces = Equals(this._workplaces, other._workplaces);
    bool sameSalt = Equals(this.UserSalt, other.UserSalt);
    bool sameValidity = this.Valid.Equals(other.Valid);
    bool sameId = this.DbId == other.DbId;

    return sameBase && samePermissions && sameWorkplaces && sameSalt && sameValidity && sameId;
}
/// <summary>
/// Saves <paramref name="user"/> through the underlying DAO; requires the SaveUser action.
/// </summary>
/// <param name="user">The user to save.</param>
public void Save(User user)
{
    Contract.Requires(this.ActionPermitted(SystemAction.SaveUser));

    // Runtime check repeats the contract so the call is denied even when contracts are not enforced.
    var requiredAction = SystemAction.SaveUser;
    this.TestPermission(requiredAction, "You don't have permission to save users");

    _dao.Save(user);
}