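public Result SendPasswordReminder(Guid userID)
{
    // Sends the password reminder e-mail for the given user, using the cached
    // template at "resources/passwordreminder.email.txt".
    // Returns an empty Result on success, or a Result carrying an error message.
    SecurityProvider.User user = SecurityProvider.User.Load(userID);
    if (user == null)
    {
        // Role.Load is null-checked elsewhere in this class; treat a missing
        // user the same way rather than dereferencing null below.
        return(new Result("User not found."));
    }
    // Same gate as DeleteUser: the caller may only act on accounts they are
    // allowed to modify.
    if (!CurrentUser.CanModifyUser(user))
    {
        return(new Result("You don't have permission to modify this user."));
    }
    try
    {
        user.SendPasswordReminder(WebUtility.CacheTextFile("resources/passwordreminder.email.txt"));
        return(new Result());
    }
    catch (Exception ex)
    {
        // NOTE(review): ex.Message is handed back to the client verbatim; it may
        // carry internal detail (file paths, mail-server errors). Consider a
        // generic message here and logging the exception server-side.
        return(new Result(ex.Message));
    }
}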
public Result DeleteUser(Guid userID)
{
    // Deletes the given user through the SecurityProvider, but only when the
    // logged-in user is allowed to modify that account and the account is not
    // locked. Returns the provider's Result, or a Result saying why it was refused.
    SecurityProvider.User target = SecurityProvider.User.Load(userID);
    bool mayModify = CurrentUser.CanModifyUser(target);
    if (!mayModify)
    {
        return(new Result("You don't have permission to modify this user."));
    }
    if (target.Locked)
    {
        return(new Result("This user cannot be deleted."));
    }
    SecurityProvider provider = (SecurityProvider)SystemCore.Instance["SecurityProvider"];
    return(provider.DeleteUser(target));
}
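void OnAdminRequest(AdminInterface admin, string sprocketPath, string[] pathSections, HandleFlag handled)
{
    // Admin-interface hook. Always adds the "current user" block and the
    // website name; for user administrators it also adds the "Users and Roles"
    // menu link and, when the request path is under admin/security, the
    // security UI (scripts, stylesheet and the container div).
    WebAuthentication auth = (WebAuthentication)Core.Instance["WebAuthentication"];
    SecurityProvider.User user = SecurityProvider.User.Load(WebsiteClientID, auth.CurrentUsername);

    // First name / surname are user-editable (see OnSaveForm), so they are
    // HTML-encoded before being placed in markup. HttpUtility is fully
    // qualified because this file may not import System.Web.
    string displayName = user == null ? "" : (user.FirstName + " " + user.Surname).Trim();
    string block = "<div id=\"currentuser-block\">" + "You are currently logged in as <b>{0}</b>." + "</div>";
    admin.AddLeftColumnSection(new RankedString(string.Format(block, System.Web.HttpUtility.HtmlEncode(displayName)), -100));
    admin.WebsiteName = WebsiteClient.Name;

    if (!CurrentUser.HasPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
    {
        return;
    }
    admin.AddMainMenuLink(new AdminMenuLink("Users and Roles", WebUtility.MakeFullPath("admin/security"), 0));

    // build the security interface only if it has been requested
    if (!sprocketPath.StartsWith("admin/security"))
    {
        return;
    }
    handled.Set();

    int defaultMaxFilterMatches;
    try
    {
        // Best effort: a missing or malformed setting falls back to 50.
        if (!int.TryParse(SprocketSettings.GetValue("WebSecurityDefaultUserFilterMatches"), out defaultMaxFilterMatches))
        {
            defaultMaxFilterMatches = 50;
        }
    }
    catch
    {
        // Kept in case GetValue itself throws for an absent setting — cannot be
        // confirmed from this file; the fallback is the same either way.
        defaultMaxFilterMatches = 50;
    }

    admin.AddInterfaceScript(WebControlScript.TabStrip);
    admin.AddInterfaceScript(WebControlScript.Fader);
    admin.AddInterfaceScript(WebControlScript.AjaxForm);

    // The embedded script carries two marker snippets that are patched here:
    // the default filter-match count and the role-management gate. The gate
    // only hides UI on the client; server-side checks must exist separately.
    // NOTE(review): "ROLEADMINISTRATOR" is a bare literal while the user-admin
    // check above uses a PermissionTypeCodes constant — confirm whether a
    // matching constant exists and use it for consistency.
    string scr = ResourceLoader.LoadTextResource("Sprocket.Web.CMS.Security.security.js")
        .Replace("50,//{defaultMaxFilterMatches}", defaultMaxFilterMatches.ToString() + ",")
        .Replace("if(true)//{ifUserCanAccessRoleManagement}", CurrentUser.HasPermission("ROLEADMINISTRATOR") ? "" : "if(false)");
    admin.AddInterfaceScript(new RankedString(scr, 0));
    admin.AddBodyOnLoadScript(new RankedString("SecurityInterface.Run()", 0));
    admin.ContentHeading = "Users and Roles";

    string html = "<div id=\"user-admin-container\"></div>";
    admin.AddContentSection(new RankedString(html, 0));
    admin.AddHeadSection(new RankedString("<link rel=\"stylesheet\" type=\"text/css\" href=\"" + WebUtility.MakeFullPath("resources/admin/security.css") + "\" />", 0));
}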
public void FillStandardUserFormBlock(AjaxFormFieldBlock block, SecurityProvider.User user, bool plainTextPassword, bool multilingual, bool requireFullName, bool allowUsernameEditing)
{
    // Populates `block` with the standard user fields: username (optional),
    // password, first name, surname and email. A null `user` means "new user":
    // the fields start empty and the password becomes mandatory.
    // `multilingual` swaps the fixed English labels/messages for {?...?} tokens
    // that are resolved elsewhere; `plainTextPassword` selects a plain input
    // field instead of the AjaxFormPasswordField control.
    bool creating = user == null;
    if (creating)
    {
        user = new SecurityProvider.User();
    }
    bool usernameLocked = user.Locked;

    // client-side validator template; {0} is the message shown for an empty value
    const string validatorTemplate = "function(value){{if(value.length==0) return '{0}'; return null;}}";

    string labelUsername, labelPassword, labelFirstName, labelSurname, labelEmail;
    string msgUsername, msgFirstName, msgSurname, msgEmail, msgPassword;
    if (multilingual)
    {
        labelUsername = "{?form-label-username?}";
        labelPassword = "{?form-label-password?}";
        labelFirstName = "{?form-label-firstname?}";
        labelSurname = "{?form-label-surname?}";
        labelEmail = "{?form-label-email?}";
        msgUsername = "{?form-error-require-username?}";
        msgFirstName = "{?form-error-require-firstname?}";
        msgSurname = "{?form-error-require-surname?}";
        msgEmail = "{?form-error-require-email?}";
        msgPassword = "{?form-error-require-password?}";
    }
    else
    {
        labelUsername = "Username";
        labelPassword = "Password";
        labelFirstName = "FirstName";
        labelSurname = "Surname";
        labelEmail = "Email";
        msgUsername = "Please enter a username";
        msgFirstName = "Please enter your first name";
        msgSurname = "Please enter your surname";
        msgEmail = "Please enter your email address";
        // NOTE(review): this reads like a copy of the email message — confirm wording
        msgPassword = "Please enter your email password";
    }

    string usernameValidator = string.Format(validatorTemplate, msgUsername);
    string emailValidator = string.Format(validatorTemplate, msgEmail);
    // the password is only mandatory when creating; names only when requested
    string passwordValidator = creating ? string.Format(validatorTemplate, msgPassword) : null;
    string firstNameValidator = requireFullName ? string.Format(validatorTemplate, msgFirstName) : null;
    string surnameValidator = requireFullName ? string.Format(validatorTemplate, msgSurname) : null;

    if (allowUsernameEditing)
    {
        block.Add(new AjaxFormInputField(labelUsername, "Username", 50, usernameLocked, null, "width:150px;", user.Username, null, usernameValidator, true, 0));
    }
    if (plainTextPassword)
    {
        block.Add(new AjaxFormInputField(labelPassword, "Password", 50, false, null, "width:150px;", null, null, passwordValidator, true, 1));
    }
    else
    {
        block.Add(new AjaxFormPasswordField(labelPassword, 50, null, "width:73px", 1, multilingual, creating, !creating));
    }
    block.Add(new AjaxFormInputField(labelFirstName, "FirstName", 50, false, null, "width:150px;", user.FirstName, null, firstNameValidator, true, 2));
    block.Add(new AjaxFormInputField(labelSurname, "Surname", 50, false, null, "width:150px;", user.Surname, null, surnameValidator, true, 3));
    block.Add(new AjaxFormInputField(labelEmail, "Email", 100, false, null, "width:150px;", user.Email, null, emailValidator, true, 4));
}
void OnSaveForm(AjaxFormSubmittedValues form)
{
    // Save handler for the admin forms built by this class. "UserEditForm"
    // creates/updates a user and rewrites its role and permission assignments;
    // "RoleEditForm" creates/updates a role and rewrites the roles it inherits
    // from and its permissions. Any other form name is ignored.
    switch (form.FormName)
    {
        case "UserEditForm":
            // callers without user-administration rights are silently ignored
            if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
            {
                return;
            }
            AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
            string pw = block.Fields["Password"].Value;
            bool enabled = block.Fields["Enabled"].Value == "True";
            // an empty password field means "leave the existing password alone"
            if (pw.Length == 0)
            {
                pw = null;
            }
            SecurityProvider.User user;
            if (form.RecordID == null)
            {
                // new user (the meaning of the two trailing false flags is not visible here)
                user = new SecurityProvider.User(
                    WebsiteClient.ClientID,
                    block.Fields["Username"].Value,
                    pw,
                    block.Fields["FirstName"].Value,
                    block.Fields["Surname"].Value,
                    block.Fields["Email"].Value,
                    enabled, false, false);
                user.Save();
                if (OnUserSaved != null)
                {
                    OnUserSaved(form, user);
                }
                form.RecordID = user.UserID;
            }
            else
            {
                user = SecurityProvider.User.Load(form.RecordID.Value);
                // business rule (see GetUserEditForm): accounts holding roles or
                // permissions the current user lacks cannot be altered
                if (!CurrentUser.CanModifyUser(user))
                {
                    throw new AjaxException("You don't have access to modify that user.");
                }
                user.Username = block.Fields["Username"].Value;
                if (pw != null)
                {
                    user.Password = pw;
                }
                user.FirstName = block.Fields["FirstName"].Value;
                user.Surname = block.Fields["Surname"].Value;
                user.Email = block.Fields["Email"].Value;
                user.Enabled = enabled;
                user.Save();
                if (OnUserSaved != null)
                {
                    OnUserSaved(form, user);
                }
                if (user.Locked)
                {
                    return; // locked accounts keep their permissions/roles untouched
                }
            }
            StringBuilder sql = new StringBuilder();
            if (user.Username != CurrentUser.Username) // users can't alter their own permissions
            {
                if (form.Blocks.ContainsKey("Roles"))
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                    {
                        // the logged-in user may only hand out roles they hold themselves
                        if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))
                        {
                            if (kvp.Value.Value == "True")
                            {
                                // UserID is a Guid; the role code is quote-escaped rather than
                                // passed as a parameter (compare AddParameter in GetUserEditForm)
                                sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''"));
                            }
                        }
                    }
                }
                if (form.Blocks.ContainsKey("Permissions"))
                {
                    foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                    {
                        // NOTE(review): a *permission* code is gated with HasRole here, while
                        // GetUserEditForm lists permissions by HasPermission; unless HasRole
                        // also recognises permission codes, nothing from this block can ever
                        // be assigned — confirm against WebSecurity
                        if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))
                        {
                            if (kvp.Value.Value == "True")
                            {
                                sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID);
                            }
                        }
                    }
                }
                // NOTE(review): returning before the revoke means clearing every checkbox
                // leaves the old roles/permissions in place; the RoleEditForm branch below
                // revokes first. Confirm which order is intended.
                if (sql.Length == 0)
                {
                    return;
                }
                user.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
                // NOTE(review): revoke and re-assign are not in one transaction — a failed
                // batch here leaves the account with no roles/permissions at all
                Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
            }
            break;
        case "RoleEditForm":
            // callers without user-administration rights are silently ignored
            if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
            {
                return;
            }
            block = form.Blocks["RoleDetails"];
            string name = block.Fields["Name"].Value;
            enabled = block.Fields["Enabled"].Value == "True";
            SecurityProvider.Role role;
            if (form.RecordID == null)
            {
                role = new SecurityProvider.Role();
                role.RoleCode = role.RoleID.ToString(); // role codes are only used by system roles
                role.ClientID = defaultClient.ClientID;
            }
            else
            {
                role = SecurityProvider.Role.Load(form.RecordID.Value);
                if (role == null)
                {
                    return;
                }
                if (role.Locked)
                {
                    return; // locked roles aren't supposed to be edited by users
                }
            }
            role.Name = name;
            role.Enabled = enabled;
            ((SecurityProvider)SystemCore.Instance["SecurityProvider"]).SaveRole(role);
            sql = new StringBuilder();
            if (form.Blocks.ContainsKey("Roles"))
            {
                // here "Roles" are the roles this role inherits from
                foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                {
                    if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name)) // make sure the logged in user has the right to assign this role
                    {
                        if (kvp.Value.Value == "True")
                        {
                            sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''"));
                        }
                    }
                }
            }
            if (form.Blocks.ContainsKey("Permissions"))
            {
                foreach (KeyValuePair<string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                {
                    // same HasRole-on-a-permission-code question as in the user branch above
                    if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))
                    {
                        if (kvp.Value.Value == "True")
                        {
                            sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID);
                        }
                    }
                }
            }
            role.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
            if (sql.Length == 0)
            {
                return;
            }
            Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
            break;
    }
}
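public SecurityProvider.User SaveStandardUserFormDetails(AjaxFormSubmittedValues form, string blockName, bool?enabled)
{
    // Creates or updates a user from the standard user form block named
    // `blockName` (see FillStandardUserFormBlock) and returns the saved user.
    // `enabled` overrides the form's "Enabled" checkbox when not null; when it
    // is null the checkbox value is used, so the field must then be present.
    // OnBeforeSaveUser is raised just before Save(); on create, form.RecordID
    // is set to the new user's ID afterwards.
    AjaxFormSubmittedValues.Block block = form.Blocks[blockName];

    // presumably the AjaxFormPasswordField control posts "Password1" while the
    // plain-text variant posts "Password" — verify against the control
    string pw;
    if (block.Fields.ContainsKey("Password1"))
    {
        pw = block.Fields["Password1"].Value;
    }
    else
    {
        pw = block.Fields["Password"].Value;
    }
    // an empty password field means "leave the existing password alone"
    if (pw.Length == 0)
    {
        pw = null;
    }

    bool isEnabled = enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value;
    bool creating = form.RecordID == null;

    SecurityProvider.User user;
    if (creating)
    {
        user = new SecurityProvider.User(
            WebsiteClient.ClientID,
            block.Fields["Username"].Value,
            pw,
            block.Fields["FirstName"].Value,
            block.Fields["Surname"].Value,
            block.Fields["Email"].Value,
            isEnabled, false, false);
    }
    else
    {
        user = SecurityProvider.User.Load(form.RecordID.Value);
        // NOTE(review): nothing here ties form.RecordID to CurrentUser.UserID or
        // calls CanModifyUser (compare OnSaveForm). If RecordID can be supplied by
        // the client, this would let one user edit another's details and password —
        // confirm where RecordID originates.
        // The username is deliberately not updated on this form: changing it (or the
        // password) would invalidate the login cookie, and the cookie-rewrite that
        // used to handle that was removed.
        if (pw != null)
        {
            user.Password = pw;
        }
        user.FirstName = block.Fields["FirstName"].Value;
        user.Surname = block.Fields["Surname"].Value;
        user.Email = block.Fields["Email"].Value;
        user.Enabled = isEnabled;
    }

    if (OnBeforeSaveUser != null)
    {
        OnBeforeSaveUser(form, user);
    }
    user.Save();
    if (creating)
    {
        form.RecordID = user.UserID;
    }
    return(user);
}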
public AjaxForm GetUserEditForm(Guid?userID)
{
    /* business rules:
     * people with user administration access can only see user accounts that have a subset of the logged-in user's own roles/permissions
     * user accounts containing roles or permissions that are not possessed by this user can NOT be altered by the current user
     * the current user can only assign roles or permissions to other users if he/she has that role or permission
     */
    // Builds the admin "UserEditForm": the main user fields, then (when the
    // target is neither locked nor the logged-in user's own account) the
    // assignable roles and permissions, then the Save/Delete/Cancel buttons.
    // A null userID yields an empty form for creating a new user.
    bool editing = userID.HasValue;
    string validatorTemplate = "function(value){{if(value.length==0) return 'Please enter a {0}'; return null;}}";
    // the password is only mandatory for a new account
    string passwordValidator = editing ? null : string.Format(validatorTemplate, "password");

    string username = null;
    string firstname = null;
    string surname = null;
    string email = null;
    bool enabled = true;
    bool locked = false;
    if (editing)
    {
        SecurityProvider.User existing = SecurityProvider.User.Load(userID.Value);
        // refuse accounts holding roles/permissions the current user lacks
        if (!CurrentUser.CanModifyUser(existing))
        {
            throw new AjaxException("You don't have access to modify that user.");
        }
        username = existing.Username;
        firstname = existing.FirstName;
        surname = existing.Surname;
        email = existing.Email;
        enabled = existing.Enabled;
        locked = existing.Locked;
    }

    AjaxForm form = new AjaxForm("UserEditForm");
    if (editing)
    {
        form.RecordID = userID.Value;
    }

    AjaxFormFieldBlock details = new AjaxFormFieldBlock("MainUserFields", "User Details");
    details.Add(new AjaxFormInputField("Username", "Username", 50, locked, null, "width:150px;", username, null, string.Format(validatorTemplate, "username"), true, 0));
    details.Add(new AjaxFormInputField("Password", "Password", 50, false, null, "width:150px;", null, null, passwordValidator, true, 1));
    details.Add(new AjaxFormInputField("First Name", "FirstName", 50, false, null, "width:150px;", firstname, null, null, true, 2));
    details.Add(new AjaxFormInputField("Surname", "Surname", 50, false, null, "width:150px;", surname, null, null, true, 3));
    details.Add(new AjaxFormInputField("Email", "Email", 100, false, null, "width:150px;", email, null, string.Format(validatorTemplate, "valid email address"), true, 4));
    details.Add(new AjaxFormCheckboxField("User account is enabled", "Enabled", enabled, locked, null, null, false, 5));
    details.Rank = -10000;
    form.FieldBlocks.Add(details);

    // Role/permission assignment is withheld for locked accounts and for the
    // logged-in user's own account (users can't alter their own access).
    if (!locked && username != CurrentUser.Username)
    {
        IDbCommand cmd = Database.Main.CreateCommand("ListRolePermissionStates", CommandType.StoredProcedure);
        Database.Main.AddParameter(cmd, "@UserID", userID);
        DataSet states = Database.Main.GetDataSet(cmd);

        AjaxFormFieldBlock roles = new AjaxFormFieldBlock("Roles", "Assigned Roles");
        roles.Rank = 998;
        int shown = 0;
        foreach (DataRow row in states.Tables[0].Rows)
        {
            string roleCode = row["RoleCode"].ToString();
            // only roles the current user holds may be offered for assignment
            if (CurrentUser.HasRole(roleCode))
            {
                roles.Add(new AjaxFormCheckboxField(row["Name"].ToString(), roleCode, (bool)row["HasRole"], false, null, null, false, shown++));
            }
        }
        if (shown > 0)
        {
            form.FieldBlocks.Add(roles);
        }

        AjaxFormFieldBlock permissions = new AjaxFormFieldBlock("Permissions", "Specific Assigned Permissions");
        permissions.Rank = 999;
        shown = 0;
        foreach (DataRow row in states.Tables[1].Rows)
        {
            string permissionCode = row["PermissionTypeCode"].ToString();
            // only permissions the current user holds may be offered for assignment
            if (CurrentUser.HasPermission(permissionCode))
            {
                permissions.Add(new AjaxFormCheckboxField(row["Description"].ToString(), permissionCode, (bool)row["HasPermission"], false, null, null, false, shown++));
            }
        }
        if (shown > 0)
        {
            form.FieldBlocks.Add(permissions);
        }
    }

    AjaxFormFieldBlock submit = new AjaxFormFieldBlock("SubmitButtons", null);
    AjaxFormButtonGroup buttons = new AjaxFormButtonGroup();
    submit.Rank = 10000;
    buttons.AddSubmitButton(null, "Save", "SecurityInterface.OnUserSaved", null);
    if (editing)
    {
        if (!locked)
        {
            // userID is a Guid, so embedding it in the inline script is safe
            buttons.AddButton(null, "Delete", "SecurityInterface.DeleteUser('" + userID.Value.ToString() + "')");
        }
        // a "Send Password" button is deliberately not offered on this form
        buttons.AddButton(null, "Cancel", "SecurityInterface.CancelUserEdit()");
    }
    submit.Add(buttons);
    form.FieldBlocks.Add(submit);

    if (OnUserEditFormLayout != null)
    {
        OnUserEditFormLayout(userID, false, form);
    }
    return(form);
}