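/// <summary>
/// Sends the password reminder e-mail (template resources/passwordreminder.email.txt) to the
/// user identified by <paramref name="userID"/>.
/// </summary>
/// <param name="userID">ID of the account the reminder is sent for.</param>
/// <returns>
/// An empty <see cref="Result"/> on success; otherwise a <see cref="Result"/> carrying an error
/// message (caller not allowed to act on that user, or the send failed).
/// </returns>
public Result SendPasswordReminder(Guid userID)
 {
     SecurityProvider.User user = SecurityProvider.User.Load(userID);
     // Gate this the same way DeleteUser is gated: the ID is supplied by the client, and
     // triggering credential mail for an arbitrary account is an administrative action.
     // An unknown ID is refused with the same message so the endpoint does not reveal
     // which IDs exist. (If an anonymous "forgot password" flow is meant to reach this,
     // it needs its own entry point rather than a relaxed check here.)
     if (user == null || !CurrentUser.CanModifyUser(user))
     {
         return(new Result("You don't have permission to modify this user."));
     }
     try
     {
         user.SendPasswordReminder(WebUtility.CacheTextFile("resources/passwordreminder.email.txt"));
         return(new Result());
     }
     catch (Exception ex)
     {
         // NOTE(review): the raw exception text is handed back to the caller; if this Result
         // reaches the browser, prefer logging ex and returning a generic message instead.
         return(new Result(ex.Message));
     }
 }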
 public Result DeleteUser(Guid userID)
 {
     SecurityProvider.User user = SecurityProvider.User.Load(userID);
     if (!CurrentUser.CanModifyUser(user))
     {
         return(new Result("You don't have permission to modify this user."));
     }
     if (user.Locked)
     {
         return(new Result("This user cannot be deleted."));
     }
     return(((SecurityProvider)SystemCore.Instance["SecurityProvider"]).DeleteUser(user));
 }
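        /// <summary>
        /// Admin-request hook. Always adds the "current user" block to the left column; for
        /// holders of the UserAdministrator permission it also adds the "Users and Roles" menu
        /// link and, when <paramref name="sprocketPath"/> starts with "admin/security", emits
        /// the security interface and marks the request as handled.
        /// </summary>
        /// <param name="admin">The admin page being assembled for this request.</param>
        /// <param name="sprocketPath">Request path relative to the site root.</param>
        /// <param name="pathSections">The path split into segments (not used here).</param>
        /// <param name="handled">Set when this handler takes ownership of the request.</param>
        void OnAdminRequest(AdminInterface admin, string sprocketPath, string[] pathSections, HandleFlag handled)
        {
            // build the "current user" block
            WebAuthentication auth = (WebAuthentication)Core.Instance["WebAuthentication"];

            SecurityProvider.User user = SecurityProvider.User.Load(WebsiteClientID, auth.CurrentUsername);
            // FirstName/Surname are free text entered through the user edit form, so they are
            // HTML-encoded before being spliced into markup (previously a stored-XSS vector).
            string displayName = System.Web.HttpUtility.HtmlEncode((user.FirstName + " " + user.Surname).Trim());
            string block = "<div id=\"currentuser-block\">"
                           + "You are currently logged in as <b>{0}</b>."
                           + "</div>";

            admin.AddLeftColumnSection(new RankedString(string.Format(block, displayName), -100));

            admin.WebsiteName = WebsiteClient.Name;

            // everything below is for user administrators only
            if (!CurrentUser.HasPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
            {
                return;
            }

            admin.AddMainMenuLink(new AdminMenuLink("Users and Roles", WebUtility.MakeFullPath("admin/security"), 0));

            // build the security interface if it has been requested
            if (sprocketPath.StartsWith("admin/security"))
            {
                handled.Set();

                // optional setting; anything missing or non-numeric falls back to 50
                string configured;
                try
                {
                    configured = SprocketSettings.GetValue("WebSecurityDefaultUserFilterMatches");
                }
                catch (Exception)
                {
                    configured = null;          // an unreadable setting is treated like an absent one
                }
                int defaultMaxFilterMatches;
                if (!int.TryParse(configured, out defaultMaxFilterMatches))
                {
                    defaultMaxFilterMatches = 50;
                }

                admin.AddInterfaceScript(WebControlScript.TabStrip);
                admin.AddInterfaceScript(WebControlScript.Fader);
                admin.AddInterfaceScript(WebControlScript.AjaxForm);
                // The script carries two marker comments that are patched in here. The
                // ROLEADMINISTRATOR gate only hides the role-management UI in the browser;
                // the save handler must enforce that permission on the server independently.
                string scr = ResourceLoader.LoadTextResource("Sprocket.Web.CMS.Security.security.js")
                             .Replace("50,//{defaultMaxFilterMatches}", defaultMaxFilterMatches.ToString() + ",")
                             .Replace("if(true)//{ifUserCanAccessRoleManagement}",
                                      CurrentUser.HasPermission("ROLEADMINISTRATOR") ? "" : "if(false)");
                admin.AddInterfaceScript(new RankedString(scr, 0));
                admin.AddBodyOnLoadScript(new RankedString("SecurityInterface.Run()", 0));

                admin.ContentHeading = "Users and Roles";

                // the interface itself is rendered client-side into this container
                admin.AddContentSection(new RankedString("<div id=\"user-admin-container\"></div>", 0));
                admin.AddHeadSection(new RankedString("<link rel=\"stylesheet\" type=\"text/css\" href=\""
                                                      + WebUtility.MakeFullPath("resources/admin/security.css") + "\" />", 0));
            }
        }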
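        /// <summary>
        /// Appends the standard user fields (username, password, first name, surname, email) to
        /// <paramref name="block"/>, pre-filled from <paramref name="user"/> when one is given.
        /// </summary>
        /// <param name="block">Form block the fields are added to.</param>
        /// <param name="user">Existing user to edit, or null to lay out a blank "new user" form.</param>
        /// <param name="plainTextPassword">
        /// True renders the password as an ordinary (visible) text input whose value is required
        /// only for a new user; false uses the dedicated password field control.
        /// </param>
        /// <param name="multilingual">True emits {?...?} translation tokens instead of English labels and messages.</param>
        /// <param name="requireFullName">True makes first name and surname mandatory.</param>
        /// <param name="allowUsernameEditing">True includes the username field (read-only for a locked account).</param>
        public void FillStandardUserFormBlock(AjaxFormFieldBlock block, SecurityProvider.User user, bool plainTextPassword, bool multilingual, bool requireFullName, bool allowUsernameEditing)
        {
            bool newUser = user == null;

            string labelUsername  = multilingual ? "{?form-label-username?}" : "Username";
            string labelPassword  = multilingual ? "{?form-label-password?}" : "Password";
            string labelFirstName = multilingual ? "{?form-label-firstname?}" : "FirstName";
            string labelSurname   = multilingual ? "{?form-label-surname?}" : "Surname";
            string labelEmail     = multilingual ? "{?form-label-email?}" : "Email";

            string errNoUsername  = multilingual ? "{?form-error-require-username?}" : "Please enter a username";
            string errNoFirstName = multilingual ? "{?form-error-require-firstname?}" : "Please enter your first name";
            string errNoSurname   = multilingual ? "{?form-error-require-surname?}" : "Please enter your surname";
            string errNoEmail     = multilingual ? "{?form-error-require-email?}" : "Please enter your email address";
            // Fixed: this read "Please enter your email password" (copied from the email line).
            string errNoPassword  = multilingual ? "{?form-error-require-password?}" : "Please enter your password";

            // JavaScript validator template; {0} receives the message. These run in the browser
            // only, so the save handler is still responsible for server-side validation.
            string fErr  = "function(value){{if(value.length==0) return '{0}'; return null;}}";
            string pErr  = !newUser ? null : string.Format(fErr, errNoPassword);        // password only required when creating
            string fnErr = !requireFullName ? null : string.Format(fErr, errNoFirstName);
            string snErr = !requireFullName ? null : string.Format(fErr, errNoSurname);

            if (newUser)
            {
                user = new SecurityProvider.User();         // blank instance just to read default field values
            }
            bool locked = user.Locked;

            if (allowUsernameEditing)
            {
                block.Add(new AjaxFormInputField(labelUsername, "Username", 50, locked, null, "width:150px;", user.Username, null, string.Format(fErr, errNoUsername), true, 0));
            }
            if (plainTextPassword)
            {
                // the current password is never echoed back into the form
                block.Add(new AjaxFormInputField(labelPassword, "Password", 50, false, null, "width:150px;", null, null, pErr, true, 1));
            }
            else
            {
                // the newUser / !newUser flags presumably select required vs. optional — confirm against AjaxFormPasswordField
                block.Add(new AjaxFormPasswordField(labelPassword, 50, null, "width:73px", 1, multilingual, newUser, !newUser));
            }
            block.Add(new AjaxFormInputField(labelFirstName, "FirstName", 50, false, null, "width:150px;", user.FirstName, null, fnErr, true, 2));
            block.Add(new AjaxFormInputField(labelSurname, "Surname", 50, false, null, "width:150px;", user.Surname, null, snErr, true, 3));
            block.Add(new AjaxFormInputField(labelEmail, "Email", 100, false, null, "width:150px;", user.Email, null, string.Format(fErr, errNoEmail), true, 4));
        }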
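        /// <summary>
        /// Save handler for the admin "UserEditForm" and "RoleEditForm" forms: persists the
        /// record, then replaces its role/permission grants with the submitted set. Any other
        /// form name is ignored.
        /// </summary>
        /// <param name="form">
        /// Submitted values. <c>RecordID</c> is null when creating (the new ID is written back
        /// to it); on edit it comes back from the client and is therefore re-authorised here.
        /// </param>
        /// <exception cref="AjaxException">The current user may not modify the targeted user.</exception>
        void OnSaveForm(AjaxFormSubmittedValues form)
        {
            switch (form.FormName)
            {
            case "UserEditForm":
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
                {
                    return;
                }
                AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
                string pw      = block.Fields["Password"].Value;
                bool   enabled = block.Fields["Enabled"].Value == "True";
                if (pw.Length == 0)
                {
                    pw = null;                                       // blank password field means "leave it unchanged"
                }
                SecurityProvider.User user;

                if (form.RecordID == null)
                {
                    user = new SecurityProvider.User(
                        WebsiteClient.ClientID,
                        block.Fields["Username"].Value,
                        pw,
                        block.Fields["FirstName"].Value,
                        block.Fields["Surname"].Value,
                        block.Fields["Email"].Value,
                        enabled,
                        false, false);
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    form.RecordID = user.UserID;
                }
                else
                {
                    user = SecurityProvider.User.Load(form.RecordID.Value);
                    // an unknown ID is refused with the same message as a forbidden one
                    if (user == null || !CurrentUser.CanModifyUser(user))
                    {
                        throw new AjaxException("You don't have access to modify that user.");
                    }
                    user.Username = block.Fields["Username"].Value;
                    if (pw != null)
                    {
                        user.Password = pw;
                    }
                    user.FirstName = block.Fields["FirstName"].Value;
                    user.Surname   = block.Fields["Surname"].Value;
                    user.Email     = block.Fields["Email"].Value;
                    user.Enabled   = enabled;
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    if (user.Locked)
                    {
                        return;                                          // don't muck with permissions/roles
                    }
                }

                if (user.Username == CurrentUser.Username)
                {
                    return;                                              // users can't alter their own permissions
                }

                // Role and permission codes come from the client, so each one is honoured only
                // when the logged-in user holds it. They are spliced into a T-SQL batch with
                // single quotes doubled; UserID is a Guid and needs no escaping.
                bool hasRoleBlock = form.Blocks.ContainsKey("Roles");
                bool hasPermBlock = form.Blocks.ContainsKey("Permissions");
                StringBuilder sql = new StringBuilder();
                if (hasRoleBlock)
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                    {
                        if (kvp.Value.Value == "True" && WebSecurity.CurrentUser.HasRole(kvp.Value.Name))
                        {
                            sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''"));
                        }
                    }
                }
                if (hasPermBlock)
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                    {
                        // Fixed: this used to test HasRole against a permission code. HasPermission
                        // is what the edit form uses to decide which permission boxes to offer.
                        if (kvp.Value.Value == "True" && CurrentUser.HasPermission(kvp.Value.Name))
                        {
                            sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID);
                        }
                    }
                }
                if (!hasRoleBlock && !hasPermBlock)
                {
                    return;                       // no grant blocks were submitted: leave the existing grants alone
                }
                // Fixed: the revoke used to be skipped when nothing was ticked, so an administrator
                // could never clear a user's last role or permission through this form.
                user.RevokeRolesAndPermissions();                             // revoke before assigning the new set
                if (sql.Length > 0)
                {
                    Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                }
                break;

            case "RoleEditForm":
                // The UI only exposes role management to holders of ROLEADMINISTRATOR (the script
                // gate in OnAdminRequest); the form name is client-supplied, so enforce it here too.
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator)
                    || !CurrentUser.HasPermission("ROLEADMINISTRATOR"))
                {
                    return;
                }
                block = form.Blocks["RoleDetails"];
                string name = block.Fields["Name"].Value;
                enabled = block.Fields["Enabled"].Value == "True";
                SecurityProvider.Role role;
                if (form.RecordID == null)
                {
                    role          = new SecurityProvider.Role();
                    role.RoleCode = role.RoleID.ToString();                             // role codes are only used by system roles
                    role.ClientID = defaultClient.ClientID;
                }
                else
                {
                    role = SecurityProvider.Role.Load(form.RecordID.Value);
                    if (role == null || role.Locked)
                    {
                        return;                                          // unknown role, or a locked role that users aren't supposed to edit
                    }
                }
                role.Name    = name;
                role.Enabled = enabled;
                ((SecurityProvider)SystemCore.Instance["SecurityProvider"]).SaveRole(role);

                // same grant rules as for users: only codes the logged-in user holds are honoured
                sql = new StringBuilder();
                if (form.Blocks.ContainsKey("Roles"))
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                    {
                        if (kvp.Value.Value == "True" && WebSecurity.CurrentUser.HasRole(kvp.Value.Name))
                        {
                            sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''"));
                        }
                    }
                }
                if (form.Blocks.ContainsKey("Permissions"))
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                    {
                        // Fixed: HasRole was being tested against a permission code here as well.
                        if (kvp.Value.Value == "True" && CurrentUser.HasPermission(kvp.Value.Name))
                        {
                            sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID);
                        }
                    }
                }

                role.RevokeRolesAndPermissions();                         // revoke any pre-existing permissions/roles before we assign the new ones
                if (sql.Length > 0)
                {
                    Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                }
                break;
            }
        }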
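        /// <summary>
        /// Creates or updates a user from the standard user fields in the block named
        /// <paramref name="blockName"/> (the layout produced by FillStandardUserFormBlock) and saves it.
        /// </summary>
        /// <param name="form">Submitted values; a null <c>RecordID</c> creates a user, and the new ID is written back to it.</param>
        /// <param name="blockName">Name of the field block holding Username/Password(1)/FirstName/Surname/Email/Enabled.</param>
        /// <param name="enabled">Forces the Enabled flag when non-null; otherwise it is read from the block's "Enabled" field.</param>
        /// <returns>The saved user.</returns>
        /// <exception cref="AjaxException">
        /// Editing a record that is neither the current user's own nor one they are allowed to modify.
        /// </exception>
        public SecurityProvider.User SaveStandardUserFormDetails(AjaxFormSubmittedValues form, string blockName, bool? enabled)
        {
            AjaxFormSubmittedValues.Block block = form.Blocks[blockName];

            // the confirmed-password control posts "Password1"; the plain layout posts "Password"
            string pw = block.Fields.ContainsKey("Password1")
                        ? block.Fields["Password1"].Value
                        : block.Fields["Password"].Value;
            if (pw.Length == 0)
            {
                pw = null;              // blank means "keep the current password"
            }
            bool isEnabled = enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value;

            SecurityProvider.User user;
            if (form.RecordID == null)
            {
                user = new SecurityProvider.User(
                    WebsiteClient.ClientID,
                    block.Fields["Username"].Value,
                    pw,
                    block.Fields["FirstName"].Value,
                    block.Fields["Surname"].Value,
                    block.Fields["Email"].Value,
                    isEnabled,
                    false, false);
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();
                form.RecordID = user.UserID;
            }
            else
            {
                user = SecurityProvider.User.Load(form.RecordID.Value);
                // RecordID is round-tripped through the client and so does not prove the caller
                // owns the record: allow self-edits, otherwise require the same modify right the
                // admin form demands. Unknown IDs get the same refusal (no account enumeration).
                if (user == null
                    || (user.UserID != CurrentUser.UserID && !CurrentUser.CanModifyUser(user)))
                {
                    throw new AjaxException("You don't have access to modify that user.");
                }
                // the username is deliberately not editable through this form
                if (pw != null)
                {
                    user.Password = pw;
                }
                user.FirstName = block.Fields["FirstName"].Value;
                user.Surname   = block.Fields["Surname"].Value;
                user.Email     = block.Fields["Email"].Value;
                user.Enabled   = isEnabled;
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();
                // NOTE(review): the code that used to live here re-issued the login cookie when a
                // user changed their own password (the old comment said the change invalidates the
                // cookie). That is now left to the caller; confirm the self-service flow handles it.
            }
            return(user);
        }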
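        /// <summary>
        /// Builds the admin "UserEditForm": blank when <paramref name="userID"/> is null, otherwise
        /// pre-filled from that user. Role and permission checkboxes are offered only for roles and
        /// permissions the current user holds, and never for locked accounts or the current user's own.
        /// </summary>
        /// <param name="userID">ID of the user to edit, or null to create one.</param>
        /// <returns>The assembled form, after the OnUserEditFormLayout hook (if any) has run on it.</returns>
        /// <exception cref="AjaxException">The current user may not modify the requested user.</exception>
        public AjaxForm GetUserEditForm(Guid? userID)
        {
            /* business rules:
             * people with user administration access can only see user accounts that have a subset of the logged-in user's own roles/permissions
             * user accounts containing roles or permissions that are not possessed by this user can NOT be altered by the current user
             * the current user can only assign roles or permissions to other users if he/she has that role or permission
             */
            // client-side validator template ({0} is the field noun); the save handler is still
            // responsible for validating on the server
            string fErr = "function(value){{if(value.length==0) return 'Please enter a {0}'; return null;}}";
            string pErr = userID != null ? null : string.Format(fErr, "password");      // password is only mandatory for a new user
            string username = null, firstname = null, surname = null, email = null, blockheading = null;
            bool   enabled = true, locked = false;

            if (userID != null)
            {
                SecurityProvider.User user = SecurityProvider.User.Load(userID.Value);
                // an unknown ID is refused with the same message as a forbidden one, so the
                // endpoint does not confirm which IDs exist
                if (user == null || !CurrentUser.CanModifyUser(user))
                {
                    throw new AjaxException("You don't have access to modify that user.");
                }
                username  = user.Username;
                firstname = user.FirstName;
                surname   = user.Surname;
                email     = user.Email;
                enabled   = user.Enabled;
                locked    = user.Locked;
            }
            blockheading = "User Details";
            AjaxForm form = new AjaxForm("UserEditForm");

            if (userID != null)
            {
                form.RecordID = userID.Value;
            }
            AjaxFormFieldBlock block = new AjaxFormFieldBlock("MainUserFields", blockheading);

            // username and the enabled flag are read-only for locked accounts; the current
            // password is never echoed back into the form
            block.Add(new AjaxFormInputField("Username", "Username", 50, locked, null, "width:150px;", username, null, string.Format(fErr, "username"), true, 0));
            block.Add(new AjaxFormInputField("Password", "Password", 50, false, null, "width:150px;", null, null, pErr, true, 1));
            block.Add(new AjaxFormInputField("First Name", "FirstName", 50, false, null, "width:150px;", firstname, null, null, true, 2));
            block.Add(new AjaxFormInputField("Surname", "Surname", 50, false, null, "width:150px;", surname, null, null, true, 3));
            block.Add(new AjaxFormInputField("Email", "Email", 100, false, null, "width:150px;", email, null, string.Format(fErr, "valid email address"), true, 4));
            block.Add(new AjaxFormCheckboxField("User account is enabled", "Enabled", enabled, locked, null, null, false, 5));
            block.Rank = -10000;
            form.FieldBlocks.Add(block);

            // grants are not editable for locked accounts, nor for the current user's own account
            if (!locked && username != CurrentUser.Username)
            {
                block      = new AjaxFormFieldBlock("Roles", "Assigned Roles");
                block.Rank = 998;
                // the command and the DataSet it produces are both IDisposable
                using (IDbCommand cmd = Database.Main.CreateCommand("ListRolePermissionStates", CommandType.StoredProcedure))
                {
                    Database.Main.AddParameter(cmd, "@UserID", userID);
                    using (DataSet ds = Database.Main.GetDataSet(cmd))
                    {
                        int c = 0;
                        foreach (DataRow row in ds.Tables[0].Rows)
                        {
                            // check that the current user has access to assign the specified role
                            if (!CurrentUser.HasRole(row["RoleCode"].ToString()))
                            {
                                continue;
                            }
                            block.Add(new AjaxFormCheckboxField(row["Name"].ToString(), row["RoleCode"].ToString(),
                                                                (bool)row["HasRole"], false, null, null, false, c++));
                        }
                        if (c > 0)
                        {
                            form.FieldBlocks.Add(block);        // only show the block when there is something to offer
                        }

                        block      = new AjaxFormFieldBlock("Permissions", "Specific Assigned Permissions");
                        block.Rank = 999;
                        c          = 0;
                        foreach (DataRow row in ds.Tables[1].Rows)
                        {
                            // check that the current user has access to assign the specified permission
                            if (!CurrentUser.HasPermission(row["PermissionTypeCode"].ToString()))
                            {
                                continue;
                            }
                            block.Add(new AjaxFormCheckboxField(row["Description"].ToString(), row["PermissionTypeCode"].ToString(),
                                                                (bool)row["HasPermission"], false, null, null, false, c++));
                        }
                        if (c > 0)
                        {
                            form.FieldBlocks.Add(block);
                        }
                    }
                }
            }
            block = new AjaxFormFieldBlock("SubmitButtons", null);
            AjaxFormButtonGroup buttons = new AjaxFormButtonGroup();

            block.Rank = 10000;
            buttons.AddSubmitButton(null, "Save", "SecurityInterface.OnUserSaved", null);
            if (userID != null)
            {
                if (!locked)
                {
                    // userID is a Guid, so its ToString() is safe inside the JavaScript string literal
                    buttons.AddButton(null, "Delete", "SecurityInterface.DeleteUser('" + userID.ToString() + "')");
                }
                //buttons.AddButton(null, "Send Password", "SecurityInterface.SendPassword('" + userID.ToString() + "')");
                buttons.AddButton(null, "Cancel", "SecurityInterface.CancelUserEdit()");
            }
            block.Add(buttons);
            form.FieldBlocks.Add(block);

            // give the host application a chance to add or rearrange fields
            if (OnUserEditFormLayout != null)
            {
                OnUserEditFormLayout(userID, false, form);
            }

            return(form);
        }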