public AjaxForm GetRoleEditForm(Guid? roleID) { SecurityProvider.Role role; if (roleID == null) role = new SecurityProvider.Role(); else { role = SecurityProvider.Role.Load(roleID.Value); if (role == null) throw new AjaxException("The requested role does not exist in the database."); if (role.Locked) throw new AjaxException("This is a system role and cannot be modified."); } AjaxForm form = new AjaxForm("RoleEditForm"); form.RecordID = roleID; AjaxFormFieldBlock block = new AjaxFormFieldBlock("RoleDetails", "Role Details"); block.Add(new AjaxFormInputField("Role Name", "Name", 100, role.Locked, null, null, role.Name, null, "function(value){{if(value.length==0) return 'A name is required'; return null;}}", true, 0)); block.Add(new AjaxFormCheckboxField("Role is enabled", "Enabled", role.Enabled, role.Locked, null, null, false, 1)); block.Rank = 0; form.FieldBlocks.Add(block); List<Guid> roleDescendents = new List<Guid>(); IDbCommand cmd = Database.Main.CreateCommand("ListDescendentRoles", CommandType.StoredProcedure); Database.Main.AddParameter(cmd, "@RoleID", role.RoleID); DataSet ds = Database.Main.GetDataSet(cmd); foreach (DataRow row in ds.Tables[0].Rows) roleDescendents.Add((Guid)row["RoleID"]); cmd = Database.Main.CreateCommand("ListRoleToRoleAssignmentStates", CommandType.StoredProcedure); Database.Main.AddParameter(cmd, "@RoleID", role.RoleID); ds = Database.Main.GetDataSet(cmd); block = new AjaxFormFieldBlock("Roles", "Roles that this role should adopt"); block.Rank = 1; int c = 0; foreach (DataRow row in ds.Tables[0].Rows) if (CurrentUser.HasPermission(row["RoleCode"].ToString()) && !roleDescendents.Contains((Guid)row["RoleID"])) block.Add(new AjaxFormCheckboxField( row["Name"].ToString(), row["RoleCode"].ToString(), (bool)row["Inherited"], role.Locked, null, null, false, c++)); if (block.Count > 0) form.FieldBlocks.Add(block); cmd = Database.Main.CreateCommand("ListPermissionValuesForRole", CommandType.StoredProcedure); Database.Main.AddParameter(cmd, "@RoleID", role.RoleID); Database.Main.AddParameter(cmd, "@ShowAllPermissions", true); ds = Database.Main.GetDataSet(cmd); block = new AjaxFormFieldBlock("Permissions", "Permission Settings"); c = 0; foreach (DataRow row in ds.Tables[0].Rows) if (CurrentUser.HasPermission(row["PermissionTypeCode"].ToString())) block.Add(new AjaxFormCheckboxField( row["Description"].ToString(), row["PermissionTypeCode"].ToString(), row["Value"] == DBNull.Value ? false : (bool)row["Value"], role.Locked, null, null, false, c++)); AjaxFormButtonGroup buttons = new AjaxFormButtonGroup(); block.Rank = 2; buttons.Rank = 10000; buttons.AddSubmitButton(null, "Save", "SecurityInterface.OnRoleSaved", null); if (roleID != null) if (!role.Locked) buttons.AddButton(null, "Delete", "SecurityInterface.DeleteRole('" + roleID.ToString() + "')"); buttons.AddButton(null, "Cancel", "$('security-permissionlist').innerHTML = '';"); block.Add(buttons); if (block.Count > 0) form.FieldBlocks.Add(block); return form; }
void OnSaveForm(AjaxFormSubmittedValues form) { switch (form.FormName) { case "UserEditForm": if(!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator)) return; AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"]; string pw = block.Fields["Password"].Value; bool enabled = block.Fields["Enabled"].Value == "True"; if (pw.Length == 0) pw = null; SecurityProvider.User user; if (form.RecordID == null) { user = new SecurityProvider.User( WebsiteClient.ClientID, block.Fields["Username"].Value, pw, block.Fields["FirstName"].Value, block.Fields["Surname"].Value, block.Fields["Email"].Value, enabled, false, false); user.Save(); if (OnUserSaved != null) OnUserSaved(form, user); form.RecordID = user.UserID; } else { user = SecurityProvider.User.Load(form.RecordID.Value); if (!CurrentUser.CanModifyUser(user)) throw new AjaxException("You don't have access to modify that user."); user.Username = block.Fields["Username"].Value; if (pw != null) user.Password = pw; user.FirstName = block.Fields["FirstName"].Value; user.Surname = block.Fields["Surname"].Value; user.Email = block.Fields["Email"].Value; user.Enabled = enabled; user.Save(); if (OnUserSaved != null) OnUserSaved(form, user); if (user.Locked) return; // don't muck with permissions/roles } StringBuilder sql = new StringBuilder(); if (user.Username != CurrentUser.Username) // users can't alter their own permissions { if (form.Blocks.ContainsKey("Roles")) foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields) if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role if (kvp.Value.Value == "True") sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''")); if (form.Blocks.ContainsKey("Permissions")) foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields) if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role if (kvp.Value.Value == "True") sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID); if (sql.Length == 0) return; user.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery(); } break; case "RoleEditForm": if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator)) return; block = form.Blocks["RoleDetails"]; string name = block.Fields["Name"].Value; enabled = block.Fields["Enabled"].Value == "True"; SecurityProvider.Role role; if (form.RecordID == null) { role = new SecurityProvider.Role(); role.RoleCode = role.RoleID.ToString(); // role codes are only used by system roles role.ClientID = defaultClient.ClientID; } else { role = SecurityProvider.Role.Load(form.RecordID.Value); if (role == null) return; if (role.Locked) return; // locked roles aren't supposed to be edited by users } role.Name = name; role.Enabled = enabled; ((SecurityProvider)Core.Instance["SecurityProvider"]).SaveRole(role); sql = new StringBuilder(); if (form.Blocks.ContainsKey("Roles")) foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields) if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role if (kvp.Value.Value == "True") sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''")); if (form.Blocks.ContainsKey("Permissions")) foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields) if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role if (kvp.Value.Value == "True") sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID); role.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones if (sql.Length == 0) return; Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery(); break; } }