private void SetPassword(Object Sender, EventArgs e) { if (FPreviouslySelectedDetailRow == null) { return; } if (FPetraUtilsObject.HasChanges) { MessageBox.Show( Catalog.GetString("Please save changes before changing password."), Catalog.GetString("Change password."), MessageBoxButtons.OK, MessageBoxIcon.Stop); return; } string username = GetSelectedDetailRow().UserId; string MessageTitle = Catalog.GetString("Set Password"); string ErrorMessage = String.Format(Catalog.GetString("There was a problem setting the password for user {0}."), username); // only request the password once, since this is the sysadmin changing it. // see http://bazaar.launchpad.net/~openpetracore/openpetraorg/trunkhosted/view/head:/csharp/ICT/Petra/Client/MSysMan/Gui/SysManMain.cs // for the change password dialog for the normal user PetraInputBox input = new PetraInputBox( Catalog.GetString("Change the password"), String.Format(Catalog.GetString("Please enter the new password for user {0}:"), username), "", true); if (input.ShowDialog() == DialogResult.OK) { string password = input.GetAnswer(); TVerificationResult VerificationResult; if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult)) { if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(username, password, true, true)) { MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}."), username), MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Information); // This has been saved on the server so my data is dirty - I need to re-load: FPreviouslySelectedDetailRow = null; Int32 rowIdx = GetSelectedRowIndex(); LoadUsers(); grdDetails.SelectRowInGrid(rowIdx); } else { MessageBox.Show(ErrorMessage, MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); } } else { MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine + VerificationResult.ResultText, MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); } } }
private void BtnOK_Click(Object Sender, EventArgs e) { string MessageTitle = Catalog.GetString("Set Password"); string ErrorMessage = String.Format(Catalog.GetString("There was a problem setting the password for user {0}."), UserName); if (txtOldPassword.Visible && !TRemote.MSysMan.Maintenance.WebConnectors.PasswordAuthentication(UserName, this.txtOldPassword.Text)) { MessageBox.Show(Catalog.GetString("Incorrect password entered."), MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); } if (txtNewPassword.Text != txtNewPassword2.Text) { MessageBox.Show(Catalog.GetString("Passwords do not match! Please try again..."), MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); return; } if (txtNewPassword.Text == this.txtOldPassword.Text && this.PasswordNeedsChanged) { MessageBox.Show(String.Format(Catalog.GetString( "This password is the same as your old password! Please enter a new password."), UserName), MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); return; } TVerificationResultCollection VerificationResultCollection; TVerificationResult VerificationResult; if (!TSharedSysManValidation.CheckPasswordQuality(txtNewPassword.Text, out VerificationResult)) { MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine + VerificationResult.ResultText, MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); return; } if (!TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(UserName, txtNewPassword.Text, txtOldPassword.Text, PasswordNeedsChanged, out VerificationResultCollection)) { MessageBox.Show(ErrorMessage + Environment.NewLine + Environment.NewLine + VerificationResultCollection.BuildVerificationResultString(), MessageTitle, MessageBoxButtons.OK, MessageBoxIcon.Error); return; } MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}."), UserName), MessageTitle); this.DialogResult = DialogResult.OK; }
private void ValidateDataDetailsManual(SUserRow ARow) { if (ARow == null) { return; } TVerificationResultCollection VerificationResultCollection = FPetraUtilsObject.VerificationResultCollection; // validate bank account details TSharedSysManValidation.ValidateSUserDetails(this, ARow, ref VerificationResultCollection, FPetraUtilsObject.ValidationControlsDict); }
private void BtnOK_Click(Object Sender, EventArgs e) { if (txtNewPassword.Text != txtNewPassword2.Text) { MessageBox.Show(Catalog.GetString("Passwords do not match! Please try again...")); return; } if (txtNewPassword.Text == this.txtOldPassword.Text && this.PasswordNeedsChanged) { MessageBox.Show(String.Format(Catalog.GetString( "Password not changed as the old password was reused. Please use a new password."), Catalog.GetString("Error"))); return; } TVerificationResultCollection VerificationResultCollection; TVerificationResult VerificationResult; if (!TSharedSysManValidation.CheckPasswordQuality(txtNewPassword.Text, out VerificationResult)) { MessageBox.Show(String.Format(Catalog.GetString( "There was a problem setting the password for user {0}."), UserName) + Environment.NewLine + VerificationResult.ResultText); return; } if (!TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(UserName, txtNewPassword.Text, txtOldPassword.Text, PasswordNeedsChanged, out VerificationResultCollection)) { MessageBox.Show(String.Format(Catalog.GetString( "There was a problem setting the password for user {0}."), UserName) + Environment.NewLine + VerificationResultCollection.BuildVerificationResultString()); return; } MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), UserName), Catalog.GetString("Success")); this.DialogResult = DialogResult.OK; }
private void SetPassword(Object Sender, EventArgs e) { string username = GetSelectedDetailRow().UserId; // only request the password once, since this is the sysadmin changing it. // see http://bazaar.launchpad.net/~openpetracore/openpetraorg/trunkhosted/view/head:/csharp/ICT/Petra/Client/MSysMan/Gui/SysManMain.cs // for the change password dialog for the normal user PetraInputBox input = new PetraInputBox( Catalog.GetString("Change the password"), String.Format(Catalog.GetString("Please enter the new password for user {0}:"), username), "", true); if (input.ShowDialog() == DialogResult.OK) { string password = input.GetAnswer(); TVerificationResult VerificationResult; if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult)) { if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(username, password, true, true)) { MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), username)); // this has already been saved on during the server call to change the password GetSelectedDetailRow().Retired = false; } else { MessageBox.Show(String.Format(Catalog.GetString("There was a problem setting the password for user {0}"), username)); } } else { MessageBox.Show(String.Format(Catalog.GetString( "There was a problem setting the password for user {0}."), username) + Environment.NewLine + VerificationResult.ResultText); } } }
public static bool SetUserPassword(string AUsername, string APassword, string AOldPassword, bool APasswordNeedsChanged, out TVerificationResultCollection AVerification) { TDBTransaction Transaction; string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); TVerificationResult VerificationResult; AVerification = new TVerificationResultCollection(); if (!TSharedSysManValidation.CheckPasswordQuality(APassword, out VerificationResult)) { return(false); } if (APasswordNeedsChanged && APassword == AOldPassword) { AVerification = new TVerificationResultCollection(); AVerification.Add(new TVerificationResult("\nPassword check.", Catalog.GetString( "Password not changed as the old password was reused. Please use a new password."), TResultSeverity.Resv_Critical)); return(false); } if (UserAuthenticationMethod == "OpenPetraDBSUser") { TPetraPrincipal tempPrincipal; SUserRow UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal); if (TUserManagerWebConnector.CreateHashOfPassword(String.Concat(AOldPassword, UserDR.PasswordSalt)) != UserDR.PasswordHash) { AVerification = new TVerificationResultCollection(); AVerification.Add(new TVerificationResult("\nPassword quality check.", String.Format( Catalog.GetString( "Old password entered incorrectly. Password not changed.")), TResultSeverity.Resv_Critical)); return(false); } SUserTable UserTable = (SUserTable)UserDR.Table; UserDR.PasswordHash = TUserManagerWebConnector.CreateHashOfPassword(String.Concat(APassword, UserDR.PasswordSalt)); UserDR.PasswordNeedsChange = false; Transaction = DBAccess.GDBAccessObj.BeginTransaction(IsolationLevel.Serializable); try { SUserAccess.SubmitChanges(UserTable, Transaction); DBAccess.GDBAccessObj.CommitTransaction(); } catch (Exception Exc) { TLogging.Log("An Exception occured during the setting of the User Password:" + Environment.NewLine + Exc.ToString()); DBAccess.GDBAccessObj.RollbackTransaction(); throw; } return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUsername, APassword, AOldPassword)); } }
public static bool SetUserPassword(string AUsername, string ANewPassword, bool APasswordNeedsChanged, bool AUnretireIfRetired, string AClientComputerName, string AClientIPAddress, out TVerificationResultCollection AVerification) { TVerificationResult VerificationResult; SUserTable UserTable; SUserRow UserDR; string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); bool BogusPasswordChangeAttempt = false; AVerification = new TVerificationResultCollection(); // Password quality check if (!TSharedSysManValidation.CheckPasswordQuality(ANewPassword, out VerificationResult)) { AVerification.Add(VerificationResult); return(false); } if (UserAuthenticationMethod == "OpenPetraDBSUser") { TDBTransaction SubmitChangesTransaction = null; bool SubmissionResult = false; TPetraPrincipal tempPrincipal; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { try { UserDR = TUserManagerWebConnector.LoadUser(AUsername.ToUpper(), out tempPrincipal, SubmitChangesTransaction); } catch (EUserNotExistantException) { // Because this cannot happen when a password change gets effected through normal OpenPetra // operation this is treated as a bogus operation that an attacker launches! BogusPasswordChangeAttempt = true; // Logging TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUsername, TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_ATTEMPT_BY_SYSADMIN_FOR_NONEXISTING_USER, String.Format(Catalog.GetString( "A system administrator, {0}, made an attempt to change a User's password for UserID {1} " + "but that user doesn't exist! "), UserInfo.GUserInfo.UserID, AUsername) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); SubmissionResult = true; // Need to set this so that the DB Transaction gets committed! // Simulate that time is spent on 'authenticating' a user (although the user doesn't exist)...! Reason for that: see Method // SimulatePasswordAuthenticationForNonExistingUser! TUserManagerWebConnector.SimulatePasswordAuthenticationForNonExistingUser(); return; } UserTable = (SUserTable)UserDR.Table; // Note: We are on purpose NOT checking here whether the new password is the same as the existing // password (which would be done by calling the IsNewPasswordSameAsExistingPassword Method) because // if we would do that then the SYSADMIN could try to find out what the password of a user is by // seeing if (s)he would get a message that the new password must be different from the old password...! SetNewPasswordHashAndSaltForUser(UserDR, ANewPassword, AClientComputerName, AClientIPAddress, SubmitChangesTransaction); UserDR.PasswordNeedsChange = APasswordNeedsChanged; // 'Unretire' the user if the user has been previously 'retired' and also 'unlock' the User Account if // it has previously been locked if (AUnretireIfRetired) { UserDR.Retired = false; UserDR.AccountLocked = false; } try { SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId, TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_SYSADMIN, String.Format(Catalog.GetString( "The password of user {0} got changed by user {1} (the latter user has got SYSADMIN " + "privileges). "), UserDR.UserId, UserInfo.GUserInfo.UserID) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); } catch (Exception Exc) { TLogging.Log("An Exception occured during the saving of the new User Password by the SYSADMIN:" + Environment.NewLine + Exc.ToString()); throw; } SubmissionResult = true; }); return(!BogusPasswordChangeAttempt); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUsername, ANewPassword)); } }
public static bool SetUserPassword(string AUserID, string ANewPassword, string ACurrentPassword, bool APasswordNeedsChanged, string AClientComputerName, string AClientIPAddress, out TVerificationResultCollection AVerification) { string UserAuthenticationMethod = TAppSettingsManager.GetValue("UserAuthenticationMethod", "OpenPetraDBSUser", false); TVerificationResult VerificationResult; TVerificationResultCollection VerificationResultColl = null; SUserRow UserDR = null; SUserTable UserTable = null; bool BogusPasswordChangeAttempt = false; AVerification = new TVerificationResultCollection(); // Security check: Is the user that is performing the password change request the current user? if (AUserID != UserInfo.GUserInfo.UserID) { throw new EOPAppException( "The setting of a User's Password must only be done by the user itself, but this isn't the case here and therefore the request gets denied"); } // Password quality check if (!TSharedSysManValidation.CheckPasswordQuality(ANewPassword, out VerificationResult)) { AVerification.Add(VerificationResult); return(false); } if (UserAuthenticationMethod == "OpenPetraDBSUser") { TPetraPrincipal tempPrincipal; TDBTransaction SubmitChangesTransaction = null; bool SubmissionResult = false; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { try { UserDR = TUserManagerWebConnector.LoadUser(AUserID.ToUpper(), out tempPrincipal, SubmitChangesTransaction); } catch (EUserNotExistantException) { // Because this cannot happen when a password change gets effected through normal OpenPetra // operation this is treated as a bogus operation that an attacker launches! BogusPasswordChangeAttempt = true; // Logging TUserAccountActivityLog.AddUserAccountActivityLogEntry(AUserID, TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_ATTEMPT_BY_USER_FOR_NONEXISTING_USER, String.Format(Catalog.GetString( "User {0} tried to make an attempt to change a User's password for UserID {1} " + "but that user doesn't exist! "), UserInfo.GUserInfo.UserID, AUserID) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); SubmissionResult = true; // Need to set this so that the DB Transaction gets committed! // Simulate that time is spent on 'authenticating' a user (although the user doesn't exist)...! Reason for that: see Method // SimulatePasswordAuthenticationForNonExistingUser! TUserManagerWebConnector.SimulatePasswordAuthenticationForNonExistingUser(); return; } UserTable = (SUserTable)UserDR.Table; // Security check: Is the supplied current password correct? if (TUserManagerWebConnector.CreateHashOfPassword(ACurrentPassword, UserDR.PasswordSalt, UserDR.PwdSchemeVersion) != UserDR.PasswordHash) { VerificationResultColl = new TVerificationResultCollection(); VerificationResultColl.Add(new TVerificationResult("Password Verification", Catalog.GetString( "The current password was entered incorrectly! The password did not get changed."), TResultSeverity.Resv_Critical)); try { SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId, TUserAccountActivityLog.USER_ACTIVITY_PWD_WRONG_WHILE_PWD_CHANGE, String.Format(Catalog.GetString( "User {0} supplied the wrong current password while attempting to change " + "his/her password! ") + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), UserInfo.GUserInfo.UserID), SubmitChangesTransaction); SubmissionResult = true; } catch (Exception Exc) { TLogging.Log(String.Format( "An Exception occured during the changing of the User Password by user '{0}' (Situation 1):", AUserID) + Environment.NewLine + Exc.ToString()); throw; } } }); if (BogusPasswordChangeAttempt) { // Note: VerificationResultColl will be null in this case because we don't want to disclose to an attackeer // why the password change attempt was denied!!! return(false); } if (VerificationResultColl != null) { AVerification = VerificationResultColl; return(false); } // Security check: Is the supplied new password the same than the current password? if (IsNewPasswordSameAsExistingPassword(ANewPassword, UserDR, out VerificationResult)) { AVerification.Add(VerificationResult); return(false); } // // All checks passed: We go aheand and change the user's password! // SetNewPasswordHashAndSaltForUser(UserDR, ANewPassword, AClientComputerName, AClientIPAddress, SubmitChangesTransaction); UserDR.PasswordNeedsChange = false; DBAccess.GDBAccessObj.BeginAutoTransaction(IsolationLevel.Serializable, ref SubmitChangesTransaction, ref SubmissionResult, delegate { try { SUserAccess.SubmitChanges(UserTable, SubmitChangesTransaction); TUserAccountActivityLog.AddUserAccountActivityLogEntry(UserDR.UserId, (APasswordNeedsChanged ? TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER_ENFORCED : TUserAccountActivityLog.USER_ACTIVITY_PWD_CHANGE_BY_USER), String.Format(Catalog.GetString("User {0} changed his/her password{1}"), UserInfo.GUserInfo.UserID, (APasswordNeedsChanged ? Catalog.GetString(" (enforced password change.) ") : ". ")) + String.Format(ResourceTexts.StrRequestCallerInfo, AClientComputerName, AClientIPAddress), SubmitChangesTransaction); SubmissionResult = true; } catch (Exception Exc) { TLogging.Log(String.Format("An Exception occured during the changing of the User Password by user '{0}' (Situation 2):", AUserID) + Environment.NewLine + Exc.ToString()); throw; } }); return(true); } else { IUserAuthentication auth = TUserManagerWebConnector.LoadAuthAssembly(UserAuthenticationMethod); return(auth.SetPassword(AUserID, ANewPassword, ACurrentPassword)); } }
public static bool RunFirstSetup( string AUserID, string AFirstName, string ALastName, string ALanguageCode, string AEmailAddress, List <string> AInitialModulePermissions, string AInitialPassword, Int64 ASiteKey, bool AEnableSelfSignup, out TVerificationResultCollection AVerificationResult) { bool result = true; AVerificationResult = new TVerificationResultCollection(); TVerificationResult VerificationResult = null; TVerificationResultCollection VerificationResultCollection = new TVerificationResultCollection(); if (AInitialPassword != String.Empty) { // check if password is valid, it meets the criteria if (!TSharedSysManValidation.CheckPasswordQuality(AInitialPassword, out VerificationResult)) { AVerificationResult.Add(VerificationResult); return(false); } } result = TMaintenanceWebConnector.SaveUserAndModulePermissions( AUserID, AFirstName, ALastName, AEmailAddress, ALanguageCode, false, false, false, AInitialModulePermissions, 0, out VerificationResultCollection); if (result != false) { TDBTransaction t = new TDBTransaction(); TDataBase db = DBAccess.Connect("RunFirstSetup"); bool SubmitOK = false; db.WriteTransaction(ref t, ref SubmitOK, delegate { if (AInitialPassword != String.Empty) { result = TMaintenanceWebConnector.SetUserPassword(AUserID, AInitialPassword, false, false, String.Empty, String.Empty, out VerificationResultCollection); } else { // TODO send welcoming Email, with link for setting the password } if (result) { TSystemDefaults defaults = new TSystemDefaults(db); defaults.SetSystemDefault(SharedConstants.SYSDEFAULT_SITEKEY, ASiteKey.ToString(), db); defaults.SetSystemDefault(SharedConstants.SYSDEFAULT_SELFSIGNUPENABLED, AEnableSelfSignup.ToString(), db); GLSetupTDS GLMainDS = new GLSetupTDS(); SubmitOK = TGLSetupWebConnector.CreateSite(ref GLMainDS, "Default Site", ASiteKey, t); if (SubmitOK) { GLSetupTDSAccess.SubmitChanges(GLMainDS, db, t); } } }); db.CloseDBConnection(); } if (!result) { if (VerificationResultCollection.HasCriticalErrors) { AVerificationResult = VerificationResultCollection; } else { AVerificationResult.Add(VerificationResult); } } return(result); }
/// <summary> /// create a new password for the current user /// </summary> public static bool CreateNewPassword(string AUserName, string AOldPassword, bool APasswordNeedsChanged) { // repeat if an invalid password is entered while (true) { PetraInputBox input = new PetraInputBox( Catalog.GetString("Change your password"), Catalog.GetString("Please enter the new password:"******"", true); if (input.ShowDialog() == DialogResult.OK) { string password = input.GetAnswer(); TVerificationResultCollection VerificationResultCollection; TVerificationResult VerificationResult; if (password == AOldPassword) { MessageBox.Show(String.Format(Catalog.GetString( "Password not changed as the old password was entered. Please enter a new password."), AUserName)); } else if (TSharedSysManValidation.CheckPasswordQuality(password, out VerificationResult)) { // if first password is valid then ask user to enter it again input = new PetraInputBox( Catalog.GetString("Change your password"), Catalog.GetString("Please enter the new password once more:"), "", true); if (input.ShowDialog() == DialogResult.OK) { // if both passwords are the same then save if (password == input.GetAnswer()) { if (TRemote.MSysMan.Maintenance.WebConnectors.SetUserPassword(AUserName, password, AOldPassword, APasswordNeedsChanged, out VerificationResultCollection)) { MessageBox.Show(String.Format(Catalog.GetString("Password was successfully set for user {0}"), AUserName)); return(true); } else { MessageBox.Show(String.Format(Catalog.GetString( "There was a problem setting the password for user {0}."), AUserName) + Environment.NewLine + VerificationResultCollection.BuildVerificationResultString()); break; } } else { MessageBox.Show("Passwords do not match! Please try again..."); } } else { break; } } else { MessageBox.Show(String.Format(Catalog.GetString( "There was a problem setting the password for user {0}."), AUserName) + Environment.NewLine + VerificationResult.ResultText); } } else { break; } } return(false); }