 /// -----------------------------------------------------------------------------
 /// <summary>
 /// ChangePassword attempts to change the users password
 /// </summary>
 /// <remarks>
 /// Order of operations matters here: the password-history check runs before the
 /// provider has verified <paramref name="oldPassword"/>, and an empty old password
 /// is replaced by the value retrieved from the provider (an administrative reset
 /// path, presumably — the caller is trusted to have authorised it). When the
 /// provider can return passwords in the clear, the stored value is read back after
 /// the change and the call only reports success if it equals the new password.
 /// </remarks>
 /// <param name="user">The user to update.</param>
 /// <param name="oldPassword">The old password. When null or empty the user is
 /// unlocked and the current password is retrieved from the provider instead.</param>
 /// <param name="newPassword">The new password.</param>
 /// <returns>A Boolean indicating success or failure.</returns>
 /// -----------------------------------------------------------------------------
 public override bool ChangePassword(UserInfo user, string oldPassword, string newPassword)
 {
     MembershipUser aspnetUser = GetMembershipUser(user);
    
     // Reject reuse before touching the provider. NOTE(review): this runs before
     // oldPassword is verified, so the false result doubles as a yes/no answer to
     // "is newPassword in this user's history" whatever oldPassword was.
     var m = new MembershipPasswordController();
     if (m.IsPasswordInHistory(user.UserID, user.PortalID, newPassword))
     {
         return false;
     }
     
     if (string.IsNullOrEmpty(oldPassword))
     {
         // GetPassword() is called here without the PasswordRetrievalEnabled guard
         // used below; presumably the provider is configured so that this succeeds.
         aspnetUser.UnlockUser();
         oldPassword = aspnetUser.GetPassword();
     }
     bool retValue = aspnetUser.ChangePassword(oldPassword, newPassword);
     // Only a provider that can return passwords in the clear lets us read the
     // stored value back and confirm the change actually took.
     if (retValue && PasswordRetrievalEnabled && !RequiresQuestionAndAnswer)
     {
         string confirmPassword = aspnetUser.GetPassword();
         if (confirmPassword == newPassword)
         {
             // Keeps the in-memory UserInfo in step with what the provider stored.
             user.Membership.Password = confirmPassword;
         }
         else
         {
             retValue = false;
         }
     }
     return retValue;
 }
        /// <summary>
        /// Handles the "change password" button on the token-based reset form: validates the
        /// new password, changes it with the reset token and, on success, signs the user in.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        private void cmdChangePassword_Click(object sender, EventArgs e)
        {
            // Every validation failure surfaces the same way: show the message panel,
            // log the failure and put the text in the help label.
            Action<string> showFailure = message =>
            {
                resetMessages.Visible = true;
                LogFailure(message);
                lblHelp.Text = message;
            };

            //1. Check New Password and Confirm are the same
            if (txtPassword.Text != txtConfirmPassword.Text)
            {
                showFailure(Localization.GetString("PasswordMismatch"));
                return;
            }

            //2. Check the new password meets the membership provider's rules
            if (!UserController.ValidatePassword(txtPassword.Text))
            {
                showFailure(Localization.GetString("PasswordResetFailed"));
                return;
            }

            //3. Check New Password is not same as username or banned
            var settings = new MembershipPasswordSettings(User.PortalID);
            if (settings.EnableBannedList)
            {
                var passwordController = new MembershipPasswordController();
                bool banned = passwordController.FoundBannedPassword(txtPassword.Text)
                              || txtUsername.Text == txtPassword.Text;
                if (banned)
                {
                    showFailure(Localization.GetString("PasswordResetFailed"));
                    return;
                }
            }

            //4. When e-mail addresses double as user names, map the entered address to the
            //   account's real user name (one extra DB lookup) — the token change needs it.
            string username = txtUsername.Text;
            if (PortalController.GetPortalSettingAsBoolean("Registration_UseEmailAsUserName", PortalId, false))
            {
                var accountByEmail = UserController.GetUserByEmail(PortalId, username);
                if (accountByEmail != null)
                {
                    username = accountByEmail.Username;
                }
            }

            //5. Change the password using the reset token; on failure report it and stop.
            bool changed = UserController.ChangePasswordByToken(PortalSettings.PortalId, username, txtPassword.Text, ResetToken);
            if (!changed)
            {
                showFailure(Localization.GetString("PasswordResetFailed", LocalResourceFile));
                return;
            }

            //6. Log user in to site with the new password
            LogSuccess();
            var loginStatus = UserLoginStatus.LOGIN_FAILURE;
            UserController.UserLogin(PortalSettings.PortalId, username, txtPassword.Text, "", "", "", ref loginStatus, false);
            RedirectAfterLogin();
        }
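        /// <summary>
        /// Handles the "update password" button: runs the client-side sanity checks, then
        /// changes the password (users supply the old one, admins reset without it) and
        /// reports the outcome through <see cref="OnPasswordUpdated"/>.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        private void cmdUpdate_Click(Object sender, EventArgs e)
        {
            if (IsUserOrAdmin == false)
            {
                return;
            }

            //1. Check New Password and Confirm are the same
            if (txtNewPassword.Text != txtNewConfirm.Text)
            {
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordMismatch));
                return;
            }

            //2. Check New Password is Valid
            if (!UserController.ValidatePassword(txtNewPassword.Text))
            {
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordInvalid));
                return;
            }

            //3. Check old Password is Provided (admins reset without it)
            if (!IsAdmin && String.IsNullOrEmpty(txtOldPassword.Text))
            {
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordMissing));
                return;
            }

            //4. Check New Password is different
            if (!IsAdmin && txtNewPassword.Text == txtOldPassword.Text)
            {
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordNotDifferent));
                return;
            }

            //5. Check New Password is not same as username or banned
            var settings = new MembershipPasswordSettings(User.PortalID);
            if (settings.EnableBannedList)
            {
                var m = new MembershipPasswordController();
                if (m.FoundBannedPassword(txtNewPassword.Text) || User.Username == txtNewPassword.Text)
                {
                    OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.BannedPasswordUsed));
                    return;
                }
            }

            //6. Apply the change. Admins reset the password without the old one; users must
            //   supply it. The status reporting and exception handling is the same for both,
            //   so only the provider call differs. (The original repeated the "not different"
            //   check from step 4 here; nothing between the two could change the inputs.)
            Func<bool> changePassword;
            if (IsAdmin)
            {
                changePassword = () => UserController.ResetAndChangePassword(User, txtNewPassword.Text);
            }
            else
            {
                changePassword = () => UserController.ChangePassword(User, txtOldPassword.Text, txtNewPassword.Text);
            }

            try
            {
                OnPasswordUpdated(changePassword()
                                      ? new PasswordUpdatedEventArgs(PasswordUpdateStatus.Success)
                                      : new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordResetFailed));
            }
            catch (MembershipPasswordException exc)
            {
                //Password Answer missing
                Logger.Error(exc);
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.InvalidPasswordAnswer));
            }
            catch (ThreadAbortException)
            {
                //Do nothing we are not logging ThreadAbortExceptions caused by redirects
            }
            catch (Exception exc)
            {
                //Fail
                Logger.Error(exc);
                OnPasswordUpdated(new PasswordUpdatedEventArgs(PasswordUpdateStatus.PasswordResetFailed));
            }
        }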
        /// <summary>
        /// Handles the "change password" button on the token-based reset form: validates the
        /// new password, changes it with the reset token and, on success, signs the user in.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        private void cmdChangePassword_Click(object sender, EventArgs e)
        {
            // Every validation failure surfaces the same way: show the message panel,
            // log the failure and put the text in the help label.
            Action<string> showFailure = message =>
            {
                resetMessages.Visible = true;
                LogFailure(message);
                lblHelp.Text = message;
            };

            //1. Check New Password and Confirm are the same
            if (txtPassword.Text != txtConfirmPassword.Text)
            {
                showFailure(Localization.GetString("PasswordMismatch"));
                return;
            }

            //2. Check the new password meets the membership provider's rules
            if (!UserController.ValidatePassword(txtPassword.Text))
            {
                showFailure(Localization.GetString("PasswordResetFailed"));
                return;
            }

            //3. Check New Password is not same as username or banned
            var settings = new MembershipPasswordSettings(User.PortalID);
            if (settings.EnableBannedList)
            {
                var passwordController = new MembershipPasswordController();
                bool banned = passwordController.FoundBannedPassword(txtPassword.Text)
                              || txtUsername.Text == txtPassword.Text;
                if (banned)
                {
                    showFailure(Localization.GetString("PasswordResetFailed"));
                    return;
                }
            }

            //4. Change the password using the reset token; on failure report it and stop.
            bool changed = UserController.ChangePasswordByToken(PortalSettings.PortalId, txtUsername.Text, txtPassword.Text, ResetToken);
            if (!changed)
            {
                showFailure(Localization.GetString("PasswordResetFailed", LocalResourceFile));
                return;
            }

            //5. Log user in to site with the new password
            LogSuccess();
            var loginStatus = UserLoginStatus.LOGIN_FAILURE;
            UserController.UserLogin(PortalSettings.PortalId, txtUsername.Text, txtPassword.Text, "", "", "", ref loginStatus, false);
            RedirectAfterLogin();
        }
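        /// <summary>
        /// Validates a password-reset token for the named user and, if it is valid, changes
        /// the password. No old password is required, so this also works with hashed passwords.
        /// </summary>
        /// <param name="portalid">The portal the user belongs to.</param>
        /// <param name="username">The user name of the account to update.</param>
        /// <param name="newPassword">The new password.</param>
        /// <param name="resetToken">The reset token, typically supplied through a password reset email.</param>
        /// <returns>
        /// A Boolean indicating success or failure. False is returned when the token is not a
        /// well-formed GUID, the user does not exist, the token does not match the one stored
        /// on the user or has expired, or the new password is in the user's password history.
        /// </returns>
        /// <exception cref="ArgumentException">The new password fails <see cref="ValidatePassword"/>.</exception>
        public static bool ChangePasswordByToken(int portalid, string username, string newPassword, string resetToken)
        {
            // The token arrives from a URL the user typed or clicked; a malformed value is a
            // failed reset, not a server fault, so parse rather than let new Guid() throw.
            Guid resetTokenGuid;
            if (!Guid.TryParse(resetToken, out resetTokenGuid))
            {
                return false;
            }

            var user = GetUserByName(portalid, username);
            //if user does not exist return false
            if (user == null)
            {
                return false;
            }

            //check if the token supplied is the same as the users and is still valid
            if (user.PasswordResetToken != resetTokenGuid || user.PasswordResetExpiration < DateTime.Now)
            {
                return false;
            }

            var m = new MembershipPasswordController();
            if (m.IsPasswordInHistory(user.UserID, user.PortalID, newPassword))
            {
                return false;
            }

            //Although we would hope that the caller has already validated the password,
            //Validate the new Password
            if (!ValidatePassword(newPassword))
            {
                throw new ArgumentException("Invalid Password", "newPassword");
            }

            bool retValue = MembershipProvider.Instance().ResetAndChangePassword(user, newPassword);

            //update reset token values to ensure token is 1-time use. This runs even when the
            //provider call returned false, so a failed attempt also spends the token.
            user.PasswordResetExpiration = DateTime.MinValue;
            user.PasswordResetToken = Guid.NewGuid();

            //Update User
            user.Membership.UpdatePassword = false;
            UpdateUser(user.PortalID, user);

            return retValue;
        }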
ファイル: PasswordReset.ascx.cs プロジェクト: is9875/ISS-DNN
        /// <summary>
        /// Handles the "change password" button on the token-based reset form. When the
        /// provider requires a security answer and none was given yet, shows the question and
        /// returns; otherwise validates the new password, changes it with the reset token and
        /// either sends the user to complete their profile or signs them in.
        /// </summary>
        /// <param name="sender">The button raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        private void cmdChangePassword_Click(object sender, EventArgs e)
        {
            string username = txtUsername.Text;

            // First pass with Q&A enabled: no answer yet, so surface the user's question and
            // wait for the next post-back. NOTE(review): the question is only filled in when
            // the lookup finds an account, which a caller could use to tell names apart.
            if (MembershipProviderConfig.RequiresQuestionAndAnswer && String.IsNullOrEmpty(txtAnswer.Text))
            {
                var questionOwner = UserController.GetUserByName(username);
                if (questionOwner != null)
                {
                    lblQuestion.Text = questionOwner.Membership.PasswordQuestion;
                }
                divQA.Visible = true;
                return;
            }

            // Every validation failure surfaces the same way: show the message panel,
            // log the failure and put the text in the help label.
            Action<string> showFailure = message =>
            {
                resetMessages.Visible = true;
                LogFailure(message);
                lblHelp.Text = message;
            };

            //1. Check New Password and Confirm are the same
            if (txtPassword.Text != txtConfirmPassword.Text)
            {
                showFailure(Localization.GetString("PasswordMismatch"));
                return;
            }

            //2. Check the new password meets the membership provider's rules
            if (!UserController.ValidatePassword(txtPassword.Text))
            {
                showFailure(Localization.GetString("PasswordResetFailed"));
                return;
            }

            //3. Check New Password is not same as username or banned
            var settings = new MembershipPasswordSettings(User.PortalID);
            if (settings.EnableBannedList)
            {
                var passwordController = new MembershipPasswordController();
                bool banned = passwordController.FoundBannedPassword(txtPassword.Text)
                              || txtUsername.Text == txtPassword.Text;
                if (banned)
                {
                    showFailure(Localization.GetString("PasswordResetFailed"));
                    return;
                }
            }

            //4. When e-mail addresses double as user names, map the entered address to the
            //   account's real user name (one extra DB lookup) — the token change needs it.
            if (PortalController.GetPortalSettingAsBoolean("Registration_UseEmailAsUserName", PortalId, false))
            {
                var accountByEmail = UserController.GetUserByEmail(PortalId, username);
                if (accountByEmail != null)
                {
                    username = accountByEmail.Username;
                }
            }

            //5. Change the password using the reset token (and the security answer, if required).
            string errorMessage;
            string answer = MembershipProviderConfig.RequiresQuestionAndAnswer ? txtAnswer.Text : String.Empty;
            if (!UserController.ChangePasswordByToken(PortalSettings.PortalId, username, txtPassword.Text, answer, ResetToken, out errorMessage))
            {
                showFailure(errorMessage);
                return;
            }

            //6. Check the user has a valid profile before deciding where to send them.
            var user = UserController.GetUserByName(PortalSettings.PortalId, username);
            var validStatus = UserController.ValidateUser(user, PortalSettings.PortalId, false);
            LogSuccess();
            if (validStatus == UserValidStatus.UPDATEPROFILE)
            {
                ViewState.Add("PageNo", 3);
                Response.Redirect(Globals.NavigateURL(PortalSettings.ActiveTab.TabID, "Login"));
            }
            else
            {
                //Log user in to site
                var loginStatus = UserLoginStatus.LOGIN_FAILURE;
                UserController.UserLogin(PortalSettings.PortalId, username, txtPassword.Text, "", "", "", ref loginStatus, false);
                RedirectAfterLogin();
            }
        }
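        /// <summary>
        /// Checks whether <paramref name="password"/> matches any entry in the stored
        /// password history by re-hashing it with each entry's salt.
        /// </summary>
        /// <param name="password">The candidate password in clear text.</param>
        /// <returns>True if the password hashes to any history entry; otherwise false.</returns>
        private bool GetPasswordHistory(string password)
        {
            //use default algorithm (SHA1CryptoServiceProvider )
            //HashAlgorithm is IDisposable — release it once every entry has been checked.
            //NOTE(review): the algorithm and layout below must stay in step with however the
            //history rows are written; a single hash pass over password + salt is what the
            //stored format presumably is, it is not a choice this method can change alone.
            using (HashAlgorithm ha = HashAlgorithm.Create())
            {
                //The password bytes do not change per entry; encode once and reuse.
                byte[] bytePassword = Encoding.Unicode.GetBytes(password);

                var t = new MembershipPasswordController();
                List<PasswordHistory> history = t.GetPasswordHistory();
                foreach (var ph in history)
                {
                    string oldEncodedPassword = ph.Password;
                    byte[] oldSalt = Convert.FromBase64String(ph.PasswordSalt);

                    //Stored format: UTF-16 password bytes followed by the first 16 salt bytes.
                    //NOTE(review): a salt shorter than 16 bytes makes BlockCopy throw; the
                    //writer of these rows presumably always stores 16.
                    byte[] inputBuffer = new byte[bytePassword.Length + 16];
                    Buffer.BlockCopy(bytePassword, 0, inputBuffer, 0, bytePassword.Length);
                    Buffer.BlockCopy(oldSalt, 0, inputBuffer, bytePassword.Length, 16);

                    string hashedPassword = Convert.ToBase64String(ha.ComputeHash(inputBuffer));
                    if (hashedPassword == oldEncodedPassword)
                    {
                        //One match is enough; no need to hash the remaining entries.
                        return true;
                    }
                }
            }

            return false;
        }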
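        /// <summary>
        /// Validates the registration form and the <see cref="User"/> being created, normalising
        /// the user name and display name on the way. The outcome is written to
        /// <see cref="CreateStatus"/>; a later failing check overwrites an earlier one.
        /// </summary>
        /// <returns>
        /// True when the form is valid and <see cref="CreateStatus"/> is still
        /// <see cref="UserCreateStatus.AddUser"/>; otherwise false.
        /// </returns>
        private bool Validate()
        {
            CreateStatus = UserCreateStatus.AddUser;
            var portalSecurity = new PortalSecurity();

            //Check User Editor
            bool _IsValid = userForm.IsValid;

            if (RegistrationFormType == 0)
            {
                //Update UserName
                if (UseEmailAsUserName)
                {
                    User.Username = User.Email;
                    if (String.IsNullOrEmpty(User.DisplayName))
                    {
                        User.DisplayName = GetEmailLocalPart(User.Email);
                    }
                }

                //Check Password is valid
                if (!RandomPassword)
                {
                    //Check Password is Valid
                    if (CreateStatus == UserCreateStatus.AddUser && !UserController.ValidatePassword(User.Membership.Password))
                    {
                        CreateStatus = UserCreateStatus.InvalidPassword;
                    }

                    //Passwords typed by the user must match; externally authenticated
                    //registrations (AuthenticationType set) skip the confirmation.
                    if (RequirePasswordConfirm && String.IsNullOrEmpty(AuthenticationType))
                    {
                        if (User.Membership.Password != User.Membership.PasswordConfirm)
                        {
                            CreateStatus = UserCreateStatus.PasswordMismatch;
                        }
                    }
                }
                else
                {
                    //Generate a random password for the user
                    User.Membership.Password = UserController.GeneratePassword();
                    User.Membership.PasswordConfirm = User.Membership.Password;
                }
            }
            else
            {
                //Set Username to Email
                if (String.IsNullOrEmpty(User.Username))
                {
                    User.Username = User.Email;
                }

                //Set DisplayName
                if (String.IsNullOrEmpty(User.DisplayName))
                {
                    //The concatenation always contains the separating space, so a plain
                    //IsNullOrEmpty test never fell back to the e-mail; test for blank instead.
                    string fullName = User.FirstName + " " + User.LastName;
                    User.DisplayName = String.IsNullOrEmpty(fullName.Trim())
                                           ? GetEmailLocalPart(User.Email)
                                           : fullName;
                }

                //Random Password
                if (String.IsNullOrEmpty(User.Membership.Password))
                {
                    //Generate a random password for the user
                    User.Membership.Password = UserController.GeneratePassword();
                }

                //Password Confirm
                if (!String.IsNullOrEmpty(User.Membership.PasswordConfirm))
                {
                    if (User.Membership.Password != User.Membership.PasswordConfirm)
                    {
                        CreateStatus = UserCreateStatus.PasswordMismatch;
                    }
                }
            }

            //Validate banned password
            var settings = new MembershipPasswordSettings(User.PortalID);
            if (settings.EnableBannedList)
            {
                var m = new MembershipPasswordController();
                if (m.FoundBannedPassword(User.Membership.Password) || User.Username == User.Membership.Password)
                {
                    CreateStatus = UserCreateStatus.BannedPasswordUsed;
                }
            }

            //Validate Profanity
            if (UseProfanityFilter)
            {
                if (!portalSecurity.ValidateInput(User.Username, PortalSecurity.FilterFlag.NoProfanity))
                {
                    CreateStatus = UserCreateStatus.InvalidUserName;
                }
                if (!String.IsNullOrEmpty(User.DisplayName))
                {
                    if (!portalSecurity.ValidateInput(User.DisplayName, PortalSecurity.FilterFlag.NoProfanity))
                    {
                        CreateStatus = UserCreateStatus.InvalidDisplayName;
                    }
                }
            }

            //Validate Unique User Name
            UserInfo user = UserController.GetUserByName(PortalId, User.Username);
            if (user != null)
            {
                if (UseEmailAsUserName)
                {
                    CreateStatus = UserCreateStatus.DuplicateEmail;
                }
                else
                {
                    //Report the clash, then find a free name by appending "01", "02", ... so
                    //the caller can offer it. CreateStatus stays DuplicateUserName even though
                    //User.Username now holds the free name.
                    CreateStatus = UserCreateStatus.DuplicateUserName;
                    int i = 1;
                    string userName = null;
                    while (user != null)
                    {
                        userName = User.Username + "0" + i.ToString(CultureInfo.InvariantCulture);
                        user = UserController.GetUserByName(PortalId, userName);
                        i++;
                    }
                    User.Username = userName;
                }
            }

            //Validate Unique Display Name
            if (CreateStatus == UserCreateStatus.AddUser && RequireUniqueDisplayName)
            {
                user = UserController.Instance.GetUserByDisplayname(PortalId, User.DisplayName);
                if (user != null)
                {
                    //Same scheme as for user names, with a space before the counter.
                    CreateStatus = UserCreateStatus.DuplicateDisplayName;
                    int i = 1;
                    string displayName = null;
                    while (user != null)
                    {
                        displayName = User.DisplayName + " 0" + i.ToString(CultureInfo.InvariantCulture);
                        user = UserController.Instance.GetUserByDisplayname(PortalId, displayName);
                        i++;
                    }
                    User.DisplayName = displayName;
                }
            }

            //Check Question/Answer
            if (CreateStatus == UserCreateStatus.AddUser && MembershipProviderConfig.RequiresQuestionAndAnswer)
            {
                if (string.IsNullOrEmpty(User.Membership.PasswordQuestion))
                {
                    //Invalid Question
                    CreateStatus = UserCreateStatus.InvalidQuestion;
                }
                if (CreateStatus == UserCreateStatus.AddUser)
                {
                    if (string.IsNullOrEmpty(User.Membership.PasswordAnswer))
                    {
                        //Invalid Answer
                        CreateStatus = UserCreateStatus.InvalidAnswer;
                    }
                }
            }

            if (CreateStatus != UserCreateStatus.AddUser)
            {
                _IsValid = false;
            }
            return _IsValid;
        }

        /// <summary>
        /// Returns the part of an e-mail address before the '@'. An address without '@' is
        /// returned whole and a null or empty address yields an empty string, so callers never
        /// hit the ArgumentOutOfRangeException that Substring(0, -1) would throw.
        /// </summary>
        /// <param name="email">The e-mail address, possibly null.</param>
        /// <returns>The local part of the address, or a safe fallback as described.</returns>
        private static string GetEmailLocalPart(string email)
        {
            if (String.IsNullOrEmpty(email))
            {
                return String.Empty;
            }
            int at = email.IndexOf("@", StringComparison.Ordinal);
            return at < 0 ? email : email.Substring(0, at);
        }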