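/// <summary>
/// Grants or revokes the admin flag of an employee on behalf of an administrator.
/// The administrator's password is re-hashed here and handed to the stored procedure,
/// which is expected to verify it before applying the change (confirm against the SP).
/// </summary>
/// <param name="EmployeeId">Employee whose admin flag is updated.</param>
/// <param name="isAdmin">New value of the admin flag.</param>
/// <param name="adminId">Identifier of the administrator performing the change.</param>
/// <param name="adminPass">The administrator's plaintext password, as entered.</param>
/// <param name="adminGUID">The administrator's per-user GUID, used as the hash salt.</param>
/// <returns>The stored procedure's RETURN value (its result codes are defined by the SP).</returns>
/// <exception cref="InvalidCastException">The SP produced no integer return value.</exception>
public int? UpdateUserTypeByAdmin(String EmployeeId, bool isAdmin, String adminId, String adminPass, String adminGUID)
{
    // NOTE(review): SHA-1(password + GUID) is a single fast hash round. The GUID acts as a
    // per-user salt, but one SHA-1 round is cheap to brute-force offline. The scheme must
    // stay identical to how passwords are stored (see AddNewUser), so a migration to a slow
    // KDF (PBKDF2/Argon2) has to change storage and verification together.
    string adminHashedPassword = AppSecurity.HashSHA1(adminPass + adminGUID);

    // Dispose the command so its resources are released even when execution throws.
    using (SqlCommand command = new SqlCommand(SQL_STRINGS.SP_UPDATE_USER_TYPE_ADMIN, con))
    {
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.AddWithValue("@EMPLOYEE_ID", EmployeeId);
        command.Parameters.AddWithValue("@ADMIN_ID", adminId);
        command.Parameters.AddWithValue("@NEW_IS_ADMIN", isAdmin);
        // "@ADMIM_PASS" presumably matches the SP's parameter name; verify against the SP before renaming.
        command.Parameters.AddWithValue("@ADMIM_PASS", adminHashedPassword);

        SqlParameter retParam = new SqlParameter("@RetVal", SqlDbType.Int);
        retParam.Direction = ParameterDirection.ReturnValue;
        command.Parameters.Add(retParam);

        try
        {
            con.Open();
            command.ExecuteNonQuery();
            // The RETURN value is only populated once execution has completed.
            // A missing value surfaces as InvalidCastException rather than being masked.
            return (int)retParam.Value;
        }
        finally
        {
            // Always release the shared connection, including when ExecuteNonQuery throws.
            con.Close();
        }
    }
}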
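/// <summary>
/// Validates an employee's login by recomputing the stored password hash from the
/// supplied password and the per-user GUID kept in the database.
/// </summary>
/// <param name="empId">Employee id entered at login.</param>
/// <param name="password">Plaintext password entered at login.</param>
/// <param name="employee">
/// Set to a freshly built <see cref="Employee"/> when the password matches a row;
/// left untouched otherwise.
/// </param>
/// <returns>1 when the password matched a row for <paramref name="empId"/>, otherwise -1.</returns>
public int ValidateUserLogin(string empId, string password, ref Employee employee)
{
    // -1 until a row with a matching password is found.
    int result = -1;

    using (SqlCommand cmd = new SqlCommand(SQL_STRINGS.SQL_VALIDATE_LOGIN, con))
    {
        cmd.Parameters.AddWithValue("@EMPLOYEE_ID", empId);
        try
        {
            con.Open();
            // Dispose the reader so the connection is not left in a reading state on error.
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    // Read every column up front so a schema mismatch surfaces regardless of the password.
                    string dbEmpId = Convert.ToString(dr["EMPLOYEE_ID"]);
                    string dbPassword = Convert.ToString(dr["PASS"]);
                    string dbUserGuid = Convert.ToString(dr["USER_GUID"]);
                    string dbFirstName = Convert.ToString(dr["FIRST_NAME"]);
                    string dbLastName = Convert.ToString(dr["LAST_NAME"]);
                    string dbEmail = Convert.ToString(dr["EMAIL_ID"]);
                    int isAdmin = Convert.ToInt16(dr["IS_ADMIN"]);

                    // Recompute the hash exactly as it was stored (see AddNewUser):
                    // SHA-1 over the plaintext concatenated with the per-user GUID.
                    // NOTE(review): a single SHA-1 round is weak against offline brute force;
                    // migrating to PBKDF2/Argon2 must change storage and verification together.
                    string hashedPassword = AppSecurity.HashSHA1(password + dbUserGuid);

                    // Hashes are machine strings: compare ordinally, never culture-sensitively.
                    if (!string.Equals(dbPassword, hashedPassword, StringComparison.Ordinal))
                    {
                        continue;
                    }

                    employee = new Employee();
                    employee.EmployeeId = dbEmpId;
                    employee.FirstName = dbFirstName;
                    employee.LastName = dbLastName;
                    employee.Email = dbEmail;
                    employee.GUID = dbUserGuid;
                    // IS_ADMIN: 0 -> false, 1 -> true; any other value leaves the property's default.
                    if (isAdmin == 0)
                    {
                        employee.IsAdmin = false;
                    }
                    else if (isAdmin == 1)
                    {
                        employee.IsAdmin = true;
                    }
                    result = 1;
                }
            }
        }
        finally
        {
            // Release the shared connection even if the query or a column read throws.
            con.Close();
        }
    }

    return result;
}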
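/// <summary>
/// Saves the edited profile (first name, last name, e-mail) after the data layer re-checks
/// the user's password, then refreshes the session values and the master page's name label.
/// </summary>
/// <param name="sender">The Save button.</param>
/// <param name="e">Event data (unused).</param>
protected void btChangeProfSave_Click(object sender, EventArgs e)
{
    hfTab.Value = "home";

    // One place for the alert markup; InnerText is HTML-encoded by the control.
    Action<string, string> showAlert = (cssClass, message) =>
    {
        editAlert.Style.Add("display", "inline");
        editAlert.Attributes.Add("class", cssClass);
        editAlert.InnerText = message;
    };

    // Session values vanish on timeout; fail with a message instead of a NullReferenceException.
    object sessionEmployeeId = Session["EmployeeId"];
    object sessionUserGuid = Session["USER_GUID"];
    if (sessionEmployeeId == null || sessionUserGuid == null)
    {
        showAlert("alert-danger", "Your session has expired. Please sign in again.");
        return;
    }

    Employee emp = new Employee();
    emp.EmployeeId = sessionEmployeeId.ToString();
    emp.FirstName = tbFirstName.Text;
    emp.LastName = tbLastName.Text;
    emp.Email = tbEmailId.Text;

    // Hash with the user's GUID as salt, the same way the stored hash was produced.
    string pass = tbChangeProfPass.Text;
    string hashedPassword = AppSecurity.HashSHA1(pass + sessionUserGuid.ToString());

    DataAccessLayer dal = new DataAccessLayer();
    int? ret = dal.UpdateAccountInfo(emp, hashedPassword);

    switch (ret)
    {
        case 1:
            // Keep the session and the master page header in step with the saved values.
            Session["FirstName"] = emp.FirstName;
            Session["LastName"] = emp.LastName;
            Session["EMAIL"] = emp.Email;
            ((Label)Master.FindControl("lbUserName")).Text = emp.FirstName + " " + emp.LastName;
            showAlert("alert-success", "Account Information Successfully Updated");
            break;
        case -1:
            // The data layer rejected the password.
            showAlert("alert-danger", "Incorrect Password");
            break;
        default:
            // 0 (or an unexpected value) means the update did not happen.
            showAlert("alert-danger", "Database Error Occured. Information could not be saved.");
            break;
    }
}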
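/// <summary>
/// Changes the signed-in user's password: both the current and the new password are hashed
/// with the session's user GUID and the data layer verifies the old one before storing the new one.
/// </summary>
/// <param name="sender">The Save button.</param>
/// <param name="e">Event data (unused).</param>
protected void btChPassSave_Click(object sender, EventArgs e)
{
    hfTab.Value = "profile";

    // One place for the alert markup; InnerText is HTML-encoded by the control.
    Action<string, string> showAlert = (cssClass, message) =>
    {
        editAlert.Style.Add("display", "inline");
        editAlert.Attributes.Add("class", cssClass);
        editAlert.InnerText = message;
    };

    // Session values vanish on timeout; fail with a message instead of a NullReferenceException.
    object sessionEmployeeId = Session["EmployeeId"];
    object sessionUserGuid = Session["USER_GUID"];
    if (sessionEmployeeId == null || sessionUserGuid == null)
    {
        showAlert("alert-danger", "Your session has expired. Please sign in again.");
        return;
    }

    string oldPass = tbChPassCurr.Text;
    string newPass = tbChPassNew.Text;

    // Server-side guard: never store the hash of an empty password, whatever the page validators do.
    if (string.IsNullOrEmpty(newPass))
    {
        showAlert("alert-danger", "New password cannot be empty");
        return;
    }

    string empId = sessionEmployeeId.ToString();
    string userGuid = sessionUserGuid.ToString();
    // Same GUID salts both hashes: the old one must match what is stored, the new one replaces it.
    string oldHashedPassword = AppSecurity.HashSHA1(oldPass + userGuid);
    string newHashedPassword = AppSecurity.HashSHA1(newPass + userGuid);

    DataAccessLayer dal = new DataAccessLayer();
    int? ret = dal.UpdatePasswordUser(empId, oldHashedPassword, newHashedPassword);

    switch (ret)
    {
        case 1:
            showAlert("alert-success", "Password Reset Successfully");
            break;
        case -1:
            // The data layer rejected the current password.
            showAlert("alert-danger", "Incorrect Old Password");
            break;
        default:
            // 0 (or an unexpected value) means the update did not happen.
            showAlert("alert-danger", "Database Error Occured. Information could not be saved.");
            break;
    }
}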
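/// <summary>
/// Resets an employee's password on behalf of an administrator. A fresh per-user GUID is
/// generated and the new password is hashed with it, exactly as in AddNewUser. The
/// administrator's password is re-hashed and handed to the stored procedure, which is
/// expected to verify it before applying the reset (confirm against the SP).
/// </summary>
/// <param name="EmployeeId">Employee whose password is reset.</param>
/// <param name="newUSerPass">The new plaintext password chosen for the employee.</param>
/// <param name="adminId">Identifier of the administrator performing the reset.</param>
/// <param name="adminPass">The administrator's plaintext password, as entered.</param>
/// <param name="adminGUID">The administrator's per-user GUID, used as the hash salt.</param>
/// <returns>The stored procedure's RETURN value (its result codes are defined by the SP).</returns>
/// <exception cref="InvalidCastException">The SP produced no integer return value.</exception>
/// <remarks>
/// Because the user's GUID changes, a GUID cached in that user's active web session
/// (the page handlers hash against Session["USER_GUID"]) is stale until they log in again.
/// </remarks>
public int? ResetUserPasswordByAdmin(String EmployeeId, String newUSerPass, String adminId, String adminPass, String adminGUID)
{
    // New per-user GUID; it becomes the salt for the new password hash.
    Guid userGuid = System.Guid.NewGuid();

    // NOTE(review): SHA-1(password + GUID) is a single fast hash round and is cheap to
    // brute-force offline. It must stay identical across AddNewUser, this reset and
    // ValidateUserLogin, so a migration to PBKDF2/Argon2 has to change all of them together.
    string userHashedPassword = AppSecurity.HashSHA1(newUSerPass + userGuid.ToString());
    string adminHashedPassword = AppSecurity.HashSHA1(adminPass + adminGUID);

    // Dispose the command so its resources are released even when execution throws.
    using (SqlCommand command = new SqlCommand(SQL_STRINGS.SP_RESET_USER_PASS_ADMIN, con))
    {
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.AddWithValue("@EMPLOYEE_ID", EmployeeId);
        command.Parameters.AddWithValue("@ADMIN_ID", adminId);
        command.Parameters.AddWithValue("@NEW_USER_PASS", userHashedPassword);
        command.Parameters.AddWithValue("@NEW_USER_GUID", userGuid);
        // "@ADMIM_PASS" presumably matches the SP's parameter name; verify against the SP before renaming.
        command.Parameters.AddWithValue("@ADMIM_PASS", adminHashedPassword);

        SqlParameter retParam = new SqlParameter("@RetVal", SqlDbType.Int);
        retParam.Direction = ParameterDirection.ReturnValue;
        command.Parameters.Add(retParam);

        try
        {
            con.Open();
            command.ExecuteNonQuery();
            // The RETURN value is only populated once execution has completed.
            // A missing value surfaces as InvalidCastException rather than being masked.
            return (int)retParam.Value;
        }
        finally
        {
            // Always release the shared connection, including when ExecuteNonQuery throws.
            con.Close();
        }
    }
}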
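/// <summary>
/// Creates a new employee account. A fresh GUID is generated for the user and the password
/// is stored as SHA-1(password + GUID); ValidateUserLogin and the reset/update paths recompute
/// the hash the same way, so the scheme must change in all of them together.
/// </summary>
/// <param name="empId">Employee id of the new account.</param>
/// <param name="firstName">First name.</param>
/// <param name="lastName">Last name.</param>
/// <param name="email">E-mail address.</param>
/// <param name="password">Initial plaintext password; only its salted hash is stored.</param>
/// <returns>The stored procedure's RETURN value (its result codes are defined by the SP).</returns>
/// <exception cref="InvalidCastException">The SP produced no integer return value.</exception>
public int? AddNewUser(String empId, String firstName, String lastName, String email, String password)
{
    // New per-user GUID; it becomes the salt for the password hash.
    Guid userGuid = System.Guid.NewGuid();

    // NOTE(review): a single SHA-1 round is cheap to brute-force offline even with a
    // per-user salt; a slow KDF (PBKDF2/Argon2) is the recommended replacement, but it
    // requires migrating stored hashes and every verification path at the same time.
    string hashedPassword = AppSecurity.HashSHA1(password + userGuid.ToString());

    // Dispose the command so its resources are released even when execution throws.
    using (SqlCommand command = new SqlCommand(SQL_STRINGS.SP_ADD_NEW_USER, con))
    {
        command.CommandType = CommandType.StoredProcedure;
        command.Parameters.AddWithValue("@EMPLOYEE_ID", empId);
        command.Parameters.AddWithValue("@FIRST_NAME", firstName);
        command.Parameters.AddWithValue("@LAST_NAME", lastName);
        command.Parameters.AddWithValue("@EMAIL_ID", email);
        command.Parameters.AddWithValue("@PASS", hashedPassword);
        command.Parameters.AddWithValue("@USER_GUID", userGuid);

        SqlParameter retParam = new SqlParameter("@RetVal", SqlDbType.Int);
        retParam.Direction = ParameterDirection.ReturnValue;
        command.Parameters.Add(retParam);

        try
        {
            con.Open();
            command.ExecuteNonQuery();
            // The RETURN value is only populated once execution has completed.
            // A missing value surfaces as InvalidCastException rather than being masked.
            return (int)retParam.Value;
        }
        finally
        {
            // Always release the shared connection, including when ExecuteNonQuery throws.
            con.Close();
        }
    }
}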