/// <summary>
        ///     Changes the password of the account identified by <c>upp.AuthUserId</c>.
        ///     Intended to be called from an inheriting controller, which supplies its own
        ///     route and protection attributes.
        /// </summary>
        /// <remarks>
        ///     This method does not authorize the caller. Its only check is that
        ///     <c>upp.OldPassword</c> validates for <c>upp.AuthUserId</c>, so the calling action
        ///     must decide who is allowed to reach it.
        ///     NOTE(review): a caller acting on someone else's account must also supply that
        ///     account's current password - confirm this is intended.
        ///     NOTE(review): the old-password check can be used for password guessing; confirm
        ///     throttling or lockout is applied in AuthService.ValidateLogin or on the route.
        /// </remarks>
        /// <param name="upp">Target account id, current password and new password.</param>
        /// <returns>
        ///     The result produced by <c>ExecuteValidatedAction</c>: <c>Ok()</c> after the password
        ///     was changed, or <c>ImATeapot()</c> when the old password did not validate.
        /// </returns>
        protected IHttpActionResult _UpdatePassword([FromBody] UpdatePasswordParams upp)
        {
            return ExecuteValidatedAction(() =>
            {
                // Reject malformed requests before touching any credentials.
                ValidatorHelpers.ValidateAndThrow(upp, new UpdatePasswordValidator());

                // Proof of knowledge of the current password is required for the change.
                var verifiedUser = AuthService.ValidateLogin(upp.AuthUserId, upp.OldPassword);
                if (verifiedUser != null)
                {
                    AuthService.UpdatePassword(verifiedUser, upp.Password);

                    // Stamp the account so that other tokens are required to refresh.
                    RoleManager.StampAuthUser(upp.AuthUserId);
                    return Ok();
                }

                return ImATeapot();
            });
        }
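        /// <summary>
        ///     Public entry point for changing a password. Because the action is marked
        ///     <c>[Bypass(true)]</c>, the attribute-based claims check is skipped and the
        ///     authorization decision is made entirely inside this method.
        /// </summary>
        /// <remarks>
        ///     The request is allowed when the auth user id carried by the caller's token equals
        ///     <c>upp.AuthUserId</c> (editing self), or when the request principal holds the
        ///     Users / FullAccess claim. Every other case, including a token whose auth user id
        ///     cannot be read as an integer, is answered with <c>Unauthorized()</c>.
        /// </remarks>
        /// <param name="upp">Target account id, current password and new password.</param>
        /// <returns>
        ///     <c>BadRequest()</c> when the body is missing or has no target id,
        ///     <c>Unauthorized()</c> when the caller may not edit the target account,
        ///     otherwise the result of <c>_UpdatePassword</c>.
        /// </returns>
        [Bypass(true)] // don't require user privileges to edit, if self only
        public IHttpActionResult UpdatePassword([FromBody] UpdatePasswordParams upp)
        {
            if (upp == null || upp.AuthUserId == 0)
            {
                return(BadRequest());
            }

            // this one is tricky. make sure that the user is editing self, or that
            // they have claims. Can't really force one or the other on the route itself since we're
            // not passing in (or guaranteed to pass in) the userId that matches authUser, so this method
            // should be bypassed from claims attributes check and manually inspected here.

            // Fail closed: a missing or non-numeric auth user id in the token is answered with
            // 401 instead of an unhandled parse exception (int.TryParse returns false for null).
            int tokenAuthId;
            if (!int.TryParse(this.GetAuthUserId(), out tokenAuthId))
            {
                return(Unauthorized());
            }

            bool ok = tokenAuthId == upp.AuthUserId; // see if editing self

            if (!ok)                                 // not editing self: check permission / claims
            {
                // Fail closed as well when the request carries no ClaimsPrincipal: nothing to
                // check claims against means no permission.
                var requestUser = this.GetOwinResolver().GetOwinContext().Request.User as ClaimsPrincipal;
                ok = requestUser != null
                     && RestrictAttribute.CheckClaim(requestUser, ClaimTypes.Users, ClaimValues.FullAccess);
            }

            return(ok ? _UpdatePassword(upp) : Unauthorized());
        }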