Exemplo n.º 1
0
        /// <summary>
        ///     Updates a user's password.
        ///     Call this from inherited controller so that you can
        ///     apply custom attributes / routes with custom protection.
        /// </summary>
        protected IHttpActionResult _UpdatePassword([FromBody] UpdatePasswordParams upp)
        {
            return(ExecuteValidatedAction(() =>
            {
                ValidatorHelpers.ValidateAndThrow(upp, new UpdatePasswordValidator());
                var user = AuthService.ValidateLogin(upp.AuthUserId, upp.OldPassword);
                if (user == null)
                {
                    return ImATeapot();
                }

                AuthService.UpdatePassword(user, upp.Password);
                RoleManager.StampAuthUser(upp.AuthUserId); // require other tokens to refresh
                return Ok();
            }));
        }
Exemplo n.º 2
0
        [Bypass(true)] // don't require user privileges to edit, if self only
        public IHttpActionResult UpdatePassword([FromBody] UpdatePasswordParams upp)
        {
            if (upp == null || upp.AuthUserId == 0)
            {
                return(BadRequest());
            }

            // this one is tricky. make sure that the user is editing self, or that
            // they have claims. Can't really force one or the other on the route itself since we're
            // not passing in (or guaranteed to pass in) the userId that matches authUser, so this method
            // should be bypassed from claims attributes check and manually inspected here.
            int  tokenAuthId = int.Parse(this.GetAuthUserId());
            bool ok          = tokenAuthId == upp.AuthUserId; // see if editing self

            if (!ok)                                          // not editing self: check permission / claims
            {
                var requestUser = (ClaimsPrincipal)this.GetOwinResolver().GetOwinContext().Request.User;
                ok = RestrictAttribute.CheckClaim(requestUser, ClaimTypes.Users, ClaimValues.FullAccess);
            }

            return(ok ? _UpdatePassword(upp) : Unauthorized());
        }