示例#1
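        /// <summary>
        /// Changes the password of the user identified by <paramref name="userid"/>.
        /// </summary>
        /// <remarks>
        /// Authorization: the caller must be logged in and must be either the target
        /// user (<see cref="IsSelfUser"/>) or an admin. Non-admin callers must also
        /// prove knowledge of the current password; admins are not asked for it, so
        /// the admin path behaves like a password reset. The admin lookup, the user
        /// lookup and the write all happen in one transaction so they observe the
        /// same database state.
        /// </remarks>
        /// <param name="userid">The ID of the user whose password is changed.</param>
        /// <param name="req">The current, new and repeated password.</param>
        /// <returns>
        /// <c>OK</c> on success; <c>Forbidden</c> when the caller is not logged in or
        /// not allowed to change this user's password; a <c>BadRequest</c> status for
        /// missing, mismatched or incorrect passwords or an unknown user. Other
        /// exceptions are passed through <c>CRUDExceptionHelper</c> and rethrown if
        /// it does not translate them.
        /// </returns>
        protected async Task<IResult> UpdatePasswordAsync(string userid, UpdatePasswordInfo req)
        {
            var requestuserid = Context.UserID;

            // Only allow calls by logged in users
            if (string.IsNullOrWhiteSpace(requestuserid))
            {
                return Forbidden;
            }

            // Reject an empty target before touching the database; it can never
            // match a user row and would otherwise surface as a null dereference below
            if (string.IsNullOrWhiteSpace(userid))
            {
                return Status(BadRequest, "One or more fields are missing");
            }

            // All three fields are required, also for admins (req itself may be null)
            if (new[] { req?.Current, req?.New, req?.Repeated }.Any(string.IsNullOrWhiteSpace))
            {
                return Status(BadRequest, "One or more fields are missing");
            }
            if (req.New != req.Repeated)
            {
                return Status(BadRequest, "The new password does not match the repeated one");
            }

            // NOTE(review): assumed to throw on a policy violation — confirm. If it
            // instead reports the outcome through a return value, that value is not
            // checked here and the policy would be silently bypassed.
            Services.PasswordPolicy.ValidatePassword(req.New);

            var isself = IsSelfUser(userid);

            try
            {
                return await DB.RunInTransactionAsync(db => {
                    // Admin status is resolved inside the transaction so a concurrent
                    // revocation cannot race with the update
                    var isadmin = Services.AdminHelper.IsAdmin(db, requestuserid);
                    if (!isself && !isadmin)
                    {
                        return Forbidden;
                    }

                    // Only a self-user or an admin gets here, so revealing that the
                    // target does not exist leaks nothing the caller may not know.
                    // NOTE(review): a NotFound result would be more accurate if the
                    // controller base class exposes one.
                    var user = db.SelectItemById<Database.User>(userid);
                    if (user == null)
                    {
                        return Status(BadRequest, "The user does not exist");
                    }

                    // Admins are exempt from the current-password check even when
                    // changing their own password. NOTE(review): consider requiring
                    // the current password whenever isself is true, so a hijacked
                    // admin session cannot lock the admin out without knowing it.
                    if (!isadmin && !Ceen.Security.PBKDF2.ComparePassword(req.Current, user.Password))
                    {
                        return Status(BadRequest, "The current password is not correct");
                    }

                    // Store only the PBKDF2 hash, never the clear-text password.
                    // NOTE(review): nothing here invalidates the user's other sessions
                    // after the change — confirm whether the login layer handles that.
                    user.Password = Ceen.Security.PBKDF2.CreatePBKDF2(req.New);
                    db.UpdateItem(user);
                    return OK;
                });
            }
            catch (Exception ex)
            {
                // Translate well-known storage errors into a client-facing result;
                // anything else propagates with its original stack trace
                var translated = Ceen.Extras.CRUDExceptionHelper.WrapExceptionMessage(ex);
                if (translated != null)
                {
                    return translated;
                }

                throw;
            }
        }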
示例#2
 /// <summary>
 /// Changes the password of the currently logged in user.
 /// </summary>
 /// <remarks>
 /// The target is always the caller's own ID, so a non-admin user can never
 /// reach another account through this route; the shared update logic still
 /// requires the correct current password for non-admins.
 /// </remarks>
 /// <param name="req">The current, new and repeated password.</param>
 /// <returns>The result produced by the shared password update logic.</returns>
 public Task<IResult> Put(UpdatePasswordInfo req)
     => UpdatePasswordAsync(Context.UserID, req);
示例#3
 /// <summary>
 /// Changes the password of an arbitrary user, identified by <paramref name="userid"/>.
 /// </summary>
 /// <remarks>
 /// No authorization happens in this method itself: the shared update logic
 /// rejects callers that are neither the target user nor an admin, so only
 /// admins can actually change other users' passwords through this route.
 /// </remarks>
 /// <param name="userid">The ID of the user whose password is changed.</param>
 /// <param name="req">The current, new and repeated password.</param>
 /// <returns>The result produced by the shared password update logic.</returns>
 public Task<IResult> Put(string userid, UpdatePasswordInfo req)
     => UpdatePasswordAsync(userid, req);