Exemplo n.º 1
0
 public Result SendPasswordReminder(Guid userID)
 {
     SecurityProvider.User user = SecurityProvider.User.Load(userID);
     try
     {
         user.SendPasswordReminder(WebUtility.CacheTextFile("resources/passwordreminder.email.txt"));
         return(new Result());
     }
     catch (Exception ex)
     {
         return(new Result(ex.Message));
     }
 }
Exemplo n.º 2
0
 public Result DeleteUser(Guid userID)
 {
     SecurityProvider.User user = SecurityProvider.User.Load(userID);
     if (!CurrentUser.CanModifyUser(user))
     {
         return(new Result("You don't have permission to modify this user."));
     }
     if (user.Locked)
     {
         return(new Result("This user cannot be deleted."));
     }
     return(((SecurityProvider)SystemCore.Instance["SecurityProvider"]).DeleteUser(user));
 }
Exemplo n.º 3
0
        void OnAdminRequest(AdminInterface admin, string sprocketPath, string[] pathSections, HandleFlag handled)
        {
            // build the "current user" block
            WebAuthentication auth = (WebAuthentication)Core.Instance["WebAuthentication"];

            SecurityProvider.User user = SecurityProvider.User.Load(WebsiteClientID, auth.CurrentUsername);
            string block = "<div id=\"currentuser-block\">"
                           + "You are currently logged in as <b>{0}</b>."
                           + "</div>";

            admin.AddLeftColumnSection(new RankedString(
                                           string.Format(block, (user.FirstName + " " + user.Surname).Trim()), -100));

            admin.WebsiteName = WebsiteClient.Name;

            if (!CurrentUser.HasPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
            {
                return;
            }

            admin.AddMainMenuLink(new AdminMenuLink("Users and Roles", WebUtility.MakeFullPath("admin/security"), 0));

            // build the security interface if it has been requested
            if (sprocketPath.StartsWith("admin/security"))
            {
                handled.Set();

                int defaultMaxFilterMatches;
                try { defaultMaxFilterMatches = int.Parse(SprocketSettings.GetValue("WebSecurityDefaultUserFilterMatches")); }
                catch { defaultMaxFilterMatches = 50; }

                admin.AddInterfaceScript(WebControlScript.TabStrip);
                admin.AddInterfaceScript(WebControlScript.Fader);
                admin.AddInterfaceScript(WebControlScript.AjaxForm);
                string scr = ResourceLoader.LoadTextResource("Sprocket.Web.CMS.Security.security.js")
                             .Replace("50,//{defaultMaxFilterMatches}", defaultMaxFilterMatches.ToString() + ",")
                             .Replace("if(true)//{ifUserCanAccessRoleManagement}",
                                      CurrentUser.HasPermission("ROLEADMINISTRATOR") ? "" : "if(false)");
                admin.AddInterfaceScript(new RankedString(scr, 0));
                admin.AddBodyOnLoadScript(new RankedString("SecurityInterface.Run()", 0));

                admin.ContentHeading = "Users and Roles";
                SecurityProvider security = (SecurityProvider)Core.Instance["SecurityProvider"];

                string html = "<div id=\"user-admin-container\"></div>";

                admin.AddContentSection(new RankedString(html, 0));
                admin.AddHeadSection(new RankedString("<link rel=\"stylesheet\" type=\"text/css\" href=\""
                                                      + WebUtility.MakeFullPath("resources/admin/security.css") + "\" />", 0));
            }
        }
Exemplo n.º 4
0
        public void FillStandardUserFormBlock(AjaxFormFieldBlock block, SecurityProvider.User user, bool plainTextPassword, bool multilingual, bool requireFullName, bool allowUsernameEditing)
        {
            bool newUser = user == null;

            string labelUsername  = multilingual ? "{?form-label-username?}" : "Username";
            string labelPassword  = multilingual ? "{?form-label-password?}" : "Password";
            string labelFirstName = multilingual ? "{?form-label-firstname?}" : "FirstName";
            string labelSurname   = multilingual ? "{?form-label-surname?}" : "Surname";
            string labelEmail     = multilingual ? "{?form-label-email?}" : "Email";

            string errNoUsername  = multilingual ? "{?form-error-require-username?}" : "Please enter a username";
            string errNoFirstName = multilingual ? "{?form-error-require-firstname?}" : "Please enter your first name";
            string errNoSurname   = multilingual ? "{?form-error-require-surname?}" : "Please enter your surname";
            string errNoEmail     = multilingual ? "{?form-error-require-email?}" : "Please enter your email address";
            string errNoPassword  = multilingual ? "{?form-error-require-password?}" : "Please enter your email password";

            string fErr  = "function(value){{if(value.length==0) return '{0}'; return null;}}";
            string pErr  = !newUser ? null : string.Format(fErr, errNoPassword);
            string fnErr = !requireFullName ? null : string.Format(fErr, errNoFirstName);
            string snErr = !requireFullName ? null : string.Format(fErr, errNoSurname);

            if (newUser)
            {
                user = new SecurityProvider.User();
            }
            bool locked = user.Locked;

            if (allowUsernameEditing)
            {
                block.Add(new AjaxFormInputField(labelUsername, "Username", 50, locked, null, "width:150px;", user.Username, null, string.Format(fErr, errNoUsername), true, 0));
            }
            if (plainTextPassword)
            {
                block.Add(new AjaxFormInputField(labelPassword, "Password", 50, false, null, "width:150px;", null, null, pErr, true, 1));
            }
            else
            {
                block.Add(new AjaxFormPasswordField(labelPassword, 50, null, "width:73px", 1, multilingual, newUser, !newUser));
            }
            block.Add(new AjaxFormInputField(labelFirstName, "FirstName", 50, false, null, "width:150px;", user.FirstName, null, fnErr, true, 2));
            block.Add(new AjaxFormInputField(labelSurname, "Surname", 50, false, null, "width:150px;", user.Surname, null, snErr, true, 3));
            block.Add(new AjaxFormInputField(labelEmail, "Email", 100, false, null, "width:150px;", user.Email, null, string.Format(fErr, errNoEmail), true, 4));
        }
Exemplo n.º 5
0
        void OnSaveForm(AjaxFormSubmittedValues form)
        {
            switch (form.FormName)
            {
            case "UserEditForm":
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
                {
                    return;
                }
                AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
                string pw      = block.Fields["Password"].Value;
                bool   enabled = block.Fields["Enabled"].Value == "True";
                if (pw.Length == 0)
                {
                    pw = null;
                }
                SecurityProvider.User user;

                if (form.RecordID == null)
                {
                    user = new SecurityProvider.User(
                        WebsiteClient.ClientID,
                        block.Fields["Username"].Value,
                        pw,
                        block.Fields["FirstName"].Value,
                        block.Fields["Surname"].Value,
                        block.Fields["Email"].Value,
                        enabled,
                        false, false);
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    form.RecordID = user.UserID;
                }
                else
                {
                    user = SecurityProvider.User.Load(form.RecordID.Value);
                    if (!CurrentUser.CanModifyUser(user))
                    {
                        throw new AjaxException("You don't have access to modify that user.");
                    }
                    user.Username = block.Fields["Username"].Value;
                    if (pw != null)
                    {
                        user.Password = pw;
                    }
                    user.FirstName = block.Fields["FirstName"].Value;
                    user.Surname   = block.Fields["Surname"].Value;
                    user.Email     = block.Fields["Email"].Value;
                    user.Enabled   = enabled;
                    user.Save();
                    if (OnUserSaved != null)
                    {
                        OnUserSaved(form, user);
                    }

                    if (user.Locked)
                    {
                        return;                                          // don't muck with permissions/roles
                    }
                }

                StringBuilder sql = new StringBuilder();
                if (user.Username != CurrentUser.Username)                         // users can't alter their own permissions
                {
                    if (form.Blocks.ContainsKey("Roles"))
                    {
                        foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                        {
                            if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))                                     //make sure the logged in user has the right to assign this role
                            {
                                if (kvp.Value.Value == "True")
                                {
                                    sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''"));
                                }
                            }
                        }
                    }
                    if (form.Blocks.ContainsKey("Permissions"))
                    {
                        foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                        {
                            if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))                                     //make sure the logged in user has the right to assign this role
                            {
                                if (kvp.Value.Value == "True")
                                {
                                    sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID);
                                }
                            }
                        }
                    }
                    if (sql.Length == 0)
                    {
                        return;
                    }

                    user.RevokeRolesAndPermissions();                             // revoke any pre-existing permissions/roles before we assign the new ones
                    Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                }
                break;

            case "RoleEditForm":
                if (!WebSecurity.CurrentUser.VerifyPermission(SecurityProvider.PermissionTypeCodes.UserAdministrator))
                {
                    return;
                }
                block = form.Blocks["RoleDetails"];
                string name = block.Fields["Name"].Value;
                enabled = block.Fields["Enabled"].Value == "True";
                SecurityProvider.Role role;
                if (form.RecordID == null)
                {
                    role          = new SecurityProvider.Role();
                    role.RoleCode = role.RoleID.ToString();                             // role codes are only used by system roles
                    role.ClientID = defaultClient.ClientID;
                }
                else
                {
                    role = SecurityProvider.Role.Load(form.RecordID.Value);
                    if (role == null)
                    {
                        return;
                    }
                    if (role.Locked)
                    {
                        return;                                          // locked roles aren't supposed to be edited by users
                    }
                }
                role.Name    = name;
                role.Enabled = enabled;
                ((SecurityProvider)SystemCore.Instance["SecurityProvider"]).SaveRole(role);

                sql = new StringBuilder();
                if (form.Blocks.ContainsKey("Roles"))
                {
                    foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
                    {
                        if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))                                 //make sure the logged in user has the right to assign this role
                        {
                            if (kvp.Value.Value == "True")
                            {
                                sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''"));
                            }
                        }
                    }
                }
                if (form.Blocks.ContainsKey("Permissions"))
                {
                    foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
                    {
                        if (WebSecurity.CurrentUser.HasRole(kvp.Value.Name))                                 //make sure the logged in user has the right to assign this role
                        {
                            if (kvp.Value.Value == "True")
                            {
                                sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID);
                            }
                        }
                    }
                }

                role.RevokeRolesAndPermissions();                         // revoke any pre-existing permissions/roles before we assign the new ones
                if (sql.Length == 0)
                {
                    return;
                }
                Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
                break;
            }
        }
Exemplo n.º 6
0
        public SecurityProvider.User SaveStandardUserFormDetails(AjaxFormSubmittedValues form, string blockName, bool?enabled)
        {
            AjaxFormSubmittedValues.Block block = form.Blocks[blockName];
            string pw;

            if (block.Fields.ContainsKey("Password1"))
            {
                pw = block.Fields["Password1"].Value;
            }
            else
            {
                pw = block.Fields["Password"].Value;
            }
            if (pw.Length == 0)
            {
                pw = null;
            }

            SecurityProvider.User user;
            if (form.RecordID == null)
            {
                user = new SecurityProvider.User(
                    WebsiteClient.ClientID,
                    block.Fields["Username"].Value,
                    pw,
                    block.Fields["FirstName"].Value,
                    block.Fields["Surname"].Value,
                    block.Fields["Email"].Value,
                    enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value,
                    false, false);
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();
                form.RecordID = user.UserID;
            }
            else
            {
                Guid myuserid = CurrentUser.UserID;
                // string myoldusername = CurrentUser.Username;
                user = SecurityProvider.User.Load(form.RecordID.Value);
                // user.Username = block.Fields["Username"].Value;
                if (pw != null)
                {
                    user.Password = pw;
                }
                user.FirstName = block.Fields["FirstName"].Value;
                user.Surname   = block.Fields["Surname"].Value;
                user.Email     = block.Fields["Email"].Value;
                user.Enabled   = enabled == null ? (block.Fields["Enabled"].Value == "True") : enabled.Value;
                if (OnBeforeSaveUser != null)
                {
                    OnBeforeSaveUser(form, user);
                }
                user.Save();

                /* we're not going to allow the user to change their username, so this code is commented out
                 * if (myuserid == user.UserID && (pw != null || user.Username != myoldusername)) // changing username or password causes login cookie to become invalid
                 *      WebAuthentication.Instance.WriteAuthenticationCookie(
                 *              user.Username,
                 *              pw != null ? Crypto.EncryptOneWay(pw) : user.PasswordHash,
                 *              WebAuthentication.Instance.StoreAjaxAuthKey(user.Username),
                 *              1440); */
            }
            return(user);
        }
Exemplo n.º 7
0
        public AjaxForm GetUserEditForm(Guid?userID)
        {
            /* business rules:
             * people with user administration access can only see user accounts that have a subset of the logged-in user's own roles/permissions
             * user accounts containing roles or permissions that are not possessed by this user can NOT be altered by the current user
             * the current user can only assign roles or permissions to other users if he/she has that role or permission
             */
            string fErr = "function(value){{if(value.length==0) return 'Please enter a {0}'; return null;}}";
            string pErr = userID != null ? null : string.Format(fErr, "password");
            string username = null, firstname = null, surname = null, email = null, blockheading = null;
            bool   enabled = true, locked = false;

            if (userID != null)
            {
                SecurityProvider.User user = SecurityProvider.User.Load(userID.Value);
                if (!CurrentUser.CanModifyUser(user))
                {
                    throw new AjaxException("You don't have access to modify that user.");
                }
                username  = user.Username;
                firstname = user.FirstName;
                surname   = user.Surname;
                email     = user.Email;
                enabled   = user.Enabled;
                locked    = user.Locked;
            }
            blockheading = "User Details";
            AjaxForm form = new AjaxForm("UserEditForm");

            if (userID != null)
            {
                form.RecordID = userID.Value;
            }
            AjaxFormFieldBlock block = new AjaxFormFieldBlock("MainUserFields", blockheading);

            block.Add(new AjaxFormInputField("Username", "Username", 50, locked, null, "width:150px;", username, null, string.Format(fErr, "username"), true, 0));
            block.Add(new AjaxFormInputField("Password", "Password", 50, false, null, "width:150px;", null, null, pErr, true, 1));
            block.Add(new AjaxFormInputField("First Name", "FirstName", 50, false, null, "width:150px;", firstname, null, null, true, 2));
            block.Add(new AjaxFormInputField("Surname", "Surname", 50, false, null, "width:150px;", surname, null, null, true, 3));
            block.Add(new AjaxFormInputField("Email", "Email", 100, false, null, "width:150px;", email, null, string.Format(fErr, "valid email address"), true, 4));
            block.Add(new AjaxFormCheckboxField("User account is enabled", "Enabled", enabled, locked, null, null, false, 5));
            block.Rank = -10000;
            form.FieldBlocks.Add(block);

            if (!locked && username != CurrentUser.Username)
            {
                block      = new AjaxFormFieldBlock("Roles", "Assigned Roles");
                block.Rank = 998;
                IDbCommand cmd = Database.Main.CreateCommand("ListRolePermissionStates", CommandType.StoredProcedure);
                Database.Main.AddParameter(cmd, "@UserID", userID);
                DataSet ds = Database.Main.GetDataSet(cmd);
                int     c  = 0;
                foreach (DataRow row in ds.Tables[0].Rows)
                {
                    // check that the current user has access to assign the specified permission/role
                    if (!CurrentUser.HasRole(row["RoleCode"].ToString()))
                    {
                        continue;
                    }
                    block.Add(new AjaxFormCheckboxField(row["Name"].ToString(), row["RoleCode"].ToString(),
                                                        (bool)row["HasRole"], false, null, null, false, c++));
                }
                if (c > 0)
                {
                    form.FieldBlocks.Add(block);
                }

                block      = new AjaxFormFieldBlock("Permissions", "Specific Assigned Permissions");
                block.Rank = 999;
                c          = 0;
                foreach (DataRow row in ds.Tables[1].Rows)
                {
                    // check that the current user has access to assign the specified permission/role
                    if (!CurrentUser.HasPermission(row["PermissionTypeCode"].ToString()))
                    {
                        continue;
                    }
                    block.Add(new AjaxFormCheckboxField(row["Description"].ToString(), row["PermissionTypeCode"].ToString(),
                                                        (bool)row["HasPermission"], false, null, null, false, c++));
                }
                if (c > 0)
                {
                    form.FieldBlocks.Add(block);
                }
            }
            block = new AjaxFormFieldBlock("SubmitButtons", null);
            AjaxFormButtonGroup buttons = new AjaxFormButtonGroup();

            block.Rank = 10000;
            buttons.AddSubmitButton(null, "Save", "SecurityInterface.OnUserSaved", null);
            if (userID != null)
            {
                if (!locked)
                {
                    buttons.AddButton(null, "Delete", "SecurityInterface.DeleteUser('" + userID.ToString() + "')");
                }
                //buttons.AddButton(null, "Send Password", "SecurityInterface.SendPassword('" + userID.ToString() + "')");
                buttons.AddButton(null, "Cancel", "SecurityInterface.CancelUserEdit()");
            }
            block.Add(buttons);
            form.FieldBlocks.Add(block);

            if (OnUserEditFormLayout != null)
            {
                OnUserEditFormLayout(userID, false, form);
            }

            return(form);
        }