public ActionResult CreateADUser()
{
var efms = MembershipService as EFMembershipService;
if ((!Request.IsAuthenticated) || efms == null)
{
Log.Warning("CreateADUser: can't run IsAuth: {IsAuth}, MemServ {MemServ}",
Request.IsAuthenticated,
MembershipService.GetType());
return(RedirectToAction("Unauthorized", "Home"));
}
var credentials = User.Username();
var adUser = ADHelper.GetUserPrincipal(credentials);
if (adUser != null)
{
var userId = adUser.Guid.GetValueOrDefault(Guid.NewGuid());
if (string.IsNullOrEmpty(adUser.EmailAddress))
{
var username = credentials.Split('\\')[1];
adUser.EmailAddress = $"{username}@{AuthenticationSettings.EmailDomain}";
}
if (MembershipService.CreateUser(credentials, Guid.NewGuid().ToString(), adUser.GivenName, adUser.Surname, adUser.EmailAddress, userId))
{
// 2 because we just added the user and there is the default admin user.
if (AuthenticationSettings.ImportWindowsAuthUsersAsAdmin || efms.UserCount() == 2)
{
Log.Information("Making AD user {User} into an admin", credentials);
var id = MembershipService.GetUserModel(credentials).Id;
RoleProvider.AddUserToRoles(id, new[] { Definitions.Roles.Administrator });
// Add the administrator role to the Identity/cookie
var Identity = (ClaimsIdentity)User.Identity;
Identity.AddClaim(new Claim(ClaimTypes.Role, Definitions.Roles.Administrator));
var AuthenticationManager = HttpContext.GetOwinContext().Authentication;
AuthenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant(new ClaimsPrincipal(Identity), new AuthenticationProperties {
IsPersistent = true
});
}
return(RedirectToAction("Index", "Repository"));
}
else
{
ModelState.AddModelError("Username", Resources.Account_Create_AccountAlreadyExists);
return(RedirectToAction("Index"));
}
}
else
{
return(RedirectToAction("Unauthorized", "Home"));
}
}
public ActionResult Edit(UserEditModel model)
{
if (User.Id() != model.Id && !User.IsInRole(Definitions.Roles.Administrator))
{
return(RedirectToAction("Unauthorized", "Home"));
}
if (AuthenticationSettings.DemoModeActive && User.IsInRole(Definitions.Roles.Administrator) && User.Id() == model.Id)
{
// Don't allow the admin user to be changed in demo mode
return(RedirectToAction("Unauthorized", "Home"));
}
if (ModelState.IsValid)
{
bool valid = true;
if (!User.IsInRole(Definitions.Roles.Administrator) && (model.OldPassword == null && model.NewPassword != null))
{
ModelState.AddModelError("OldPassword", Resources.Account_Edit_OldPasswordEmpty);
valid = false;
}
if (model.OldPassword != null && MembershipService.ValidateUser(model.Username, model.OldPassword) != ValidationResult.Success)
{
ModelState.AddModelError("OldPassword", Resources.Account_Edit_OldPasswordIncorrect);
valid = false;
}
if (User.IsInRole(Definitions.Roles.Administrator) && model.Id == User.Id() && !(model.PostedSelectedRoles != null && model.PostedSelectedRoles.Contains(Definitions.Roles.Administrator)))
{
ModelState.AddModelError("Roles", Resources.Account_Edit_CannotRemoveYourselfFromAdminRole);
valid = false;
}
if (valid)
{
MembershipService.UpdateUser(model.Id, model.Username, model.Name, model.Surname, model.Email, model.NewPassword);
// Only Administrators can make any changes to roles
if (User.IsInRole(Definitions.Roles.Administrator))
{
RoleProvider.RemoveUserFromRoles(model.Id, RoleProvider.GetAllRoles());
if (model.PostedSelectedRoles != null)
{
RoleProvider.AddUserToRoles(model.Id, model.PostedSelectedRoles);
}
}
ViewBag.UpdateSuccess = true;
}
}
model.Roles = RoleProvider.GetAllRoles();
model.SelectedRoles = model.PostedSelectedRoles;
return(View(model));
}
public ActionResult Edit(UserEditModel model)
{
if (!User.Id().Equals(model.Username, StringComparison.OrdinalIgnoreCase) && !User.IsInRole(Definitions.Roles.Administrator))
{
return(RedirectToAction("Unauthorized", "Home"));
}
if (ModelState.IsValid)
{
bool valid = true;
if (!User.IsInRole(Definitions.Roles.Administrator) && (model.OldPassword == null && model.NewPassword != null))
{
ModelState.AddModelError("OldPassword", Resources.Account_Edit_OldPasswordEmpty);
valid = false;
}
if (model.OldPassword != null && MembershipService.ValidateUser(model.Username, model.OldPassword) != ValidationResult.Success)
{
ModelState.AddModelError("OldPassword", Resources.Account_Edit_OldPasswordIncorrect);
valid = false;
}
if (User.IsInRole(Definitions.Roles.Administrator) && model.Username.Equals(User.Id(), StringComparison.OrdinalIgnoreCase) && !(model.Roles != null && model.Roles.Contains(Definitions.Roles.Administrator)))
{
ModelState.AddModelError("Roles", Resources.Account_Edit_CannotRemoveYourselfFromAdminRole);
valid = false;
}
if (valid)
{
MembershipService.UpdateUser(model.Username, model.Name, model.Surname, model.Email, model.NewPassword);
RoleProvider.RemoveUserFromRoles(model.Username, RoleProvider.GetAllRoles());
if (model.Roles != null)
{
RoleProvider.AddUserToRoles(model.Username, model.Roles);
}
ViewBag.UpdateSuccess = true;
}
}
PopulateRoles();
return(View(model));
}
public ActionResult CreateADUser()
{
if ((!Request.IsAuthenticated) || !(MembershipService is EFMembershipService))
{
return(RedirectToAction("Unauthorized", "Home"));
}
var credentials = User.Username();
var dc = new PrincipalContext(ContextType.Domain, credentials.GetDomain());
var adUser = UserPrincipal.FindByIdentity(dc, credentials);
if (adUser != null)
{
//TODO Is this legit? Could an AD user ever not have a Guid
var userId = adUser.Guid.GetValueOrDefault(Guid.NewGuid());
if (MembershipService.CreateUser(credentials, Guid.NewGuid().ToString(), adUser.GivenName, adUser.Surname, adUser.EmailAddress, userId))
{
if (MembershipService is EFMembershipService)
{
var efms = MembershipService as EFMembershipService;
// 2 because we just added the user and there is the default admin user.
if ((AuthenticationSettings.ImportWindowsAuthUsersAsAdmin || efms.UserCount() == 2))
{
var id = MembershipService.GetUserModel(credentials).Id;
RoleProvider.AddUserToRoles(id, new string[] { Definitions.Roles.Administrator });
}
}
return(RedirectToAction("Index", "Repository"));
}
else
{
ModelState.AddModelError("Username", Resources.Account_Create_AccountAlreadyExists);
return(RedirectToAction("Index"));
}
}
else
{
return(RedirectToAction("Unauthorized", "Home"));
}
}