/// <summary>
/// Updates a user's password after re-validating the caller-supplied old password.
/// Call this from an inherited controller so that custom attributes / routes with
/// custom protection can be applied on top of it.
/// </summary>
/// <param name="upp">Target auth user id, the current (old) password and the new password.</param>
/// <returns>
/// <c>Ok</c> once the password is changed; the <c>ImATeapot</c> result when the old password
/// does not validate for <c>upp.AuthUserId</c>; otherwise whatever <c>ExecuteValidatedAction</c>
/// produces for the validation failure (presumably a validation error response — not visible here).
/// </returns>
protected IHttpActionResult _UpdatePassword([FromBody] UpdatePasswordParams upp)
{
    return ExecuteValidatedAction(() =>
    {
        // Input validation runs before any credential check.
        ValidatorHelpers.ValidateAndThrow(upp, new UpdatePasswordValidator());

        // The old password must validate against the target account before anything changes;
        // the same check applies whether the caller is the account owner or a privileged user.
        var account = AuthService.ValidateLogin(upp.AuthUserId, upp.OldPassword);
        if (account != null)
        {
            AuthService.UpdatePassword(account, upp.Password);

            // Re-stamp the auth user so tokens issued before the change have to refresh.
            RoleManager.StampAuthUser(upp.AuthUserId);
            return Ok();
        }

        return ImATeapot();
    });
}
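/// <summary>
/// Public entry point for changing a password. A caller may change their own password
/// (the token's auth user id equals <c>upp.AuthUserId</c>); changing any other account's
/// password requires the <c>ClaimTypes.Users</c> / <c>ClaimValues.FullAccess</c> claim.
/// The actual change is delegated to <see cref="_UpdatePassword"/>.
/// </summary>
/// <param name="upp">Target auth user id, old password and new password.</param>
/// <returns>
/// <c>BadRequest</c> when the body or its auth user id is missing; <c>Unauthorized</c> when the
/// token carries no parsable auth user id, or the caller is neither the target user nor holds the
/// full-access claim; otherwise the result of <see cref="_UpdatePassword"/>.
/// </returns>
[Bypass(true)] // don't require user privileges to edit, if self only
public IHttpActionResult UpdatePassword([FromBody] UpdatePasswordParams upp)
{
    // AuthUserId == 0 is treated as "not supplied" (the int default from model binding).
    if (upp == null || upp.AuthUserId == 0)
    {
        return BadRequest();
    }

    // This one is tricky: the user must be editing self, or must hold the claim. The route
    // cannot enforce either on its own because the userId matching the authenticated user is
    // not (guaranteed to be) passed in, so this method is bypassed from the claims-attribute
    // check and inspected manually here.
    //
    // The id comes from the token, not from user-facing text, so parse it with the invariant
    // culture. A token without a parsable id is answered as Unauthorized instead of letting
    // int.Parse surface a FormatException / ArgumentNullException as a server error.
    int tokenAuthId;
    if (!int.TryParse(this.GetAuthUserId(),
                      System.Globalization.NumberStyles.Integer,
                      System.Globalization.CultureInfo.InvariantCulture,
                      out tokenAuthId))
    {
        return Unauthorized();
    }

    bool ok = tokenAuthId == upp.AuthUserId; // editing self?
    if (!ok)
    {
        // Not editing self: fall back to the Users/FullAccess claim on the OWIN request principal.
        var requestUser = (ClaimsPrincipal)this.GetOwinResolver().GetOwinContext().Request.User;
        ok = RestrictAttribute.CheckClaim(requestUser, ClaimTypes.Users, ClaimValues.FullAccess);
    }

    // NOTE(review): an authenticated caller without the claim gets 401 (Unauthorized); 403 Forbidden
    // would describe that case more precisely — kept as-is so existing clients keep working.
    // NOTE(review): the FullAccess path still goes through _UpdatePassword, which validates
    // upp.OldPassword against the target account — confirm that is intended for privileged resets.
    return ok ? _UpdatePassword(upp) : Unauthorized();
}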