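/// <summary>
/// Applies a partial profile update (ProfileText and UserHandle) to the stored user whose Id is
/// <paramref name="user"/>.ID. A caller may only update their own profile unless they hold the
/// "ADMIN" role; any other attempt is logged as a security warning and rejected with a generic
/// failure message that does not reveal whether the target profile exists.
/// </summary>
/// <param name="user">Client-supplied partial model. Only ProfileText and UserHandle are copied
/// onto the stored row; every other field of the stored user is left untouched.</param>
/// <returns>SUCCESS with the refreshed full profile, or FAILURE with a message and a null object.</returns>
public async Task<ApiServiceResponse<UserProfileFullModel>> UpdateUserInformation([FromBody] UserUpdatePartialModel user)
{
    //TODO: HARDEN NON-PROFILETEXT
    if (user == null)
    {
        // Model binding yields null for an empty or unparseable body; bail out before touching
        // identity state instead of throwing on user.ID below.
        return UpdateFailure("No user data supplied");
    }

    // Resolve the caller: identity user -> application user row (UserID holds the identity id).
    var identityUser = await manager.FindByNameAsync(User.Identity.Name);
    var attemptingUser = identityUser == null
        ? null
        : db.Users.FirstOrDefault(u => u.UserID.Equals(identityUser.Id));
    if (attemptingUser == null)
    {
        // The principal has no matching application user (e.g. deleted account); previously this
        // path dereferenced null.
        string message = "Failed to resolve the calling user";
        MasterLogger.LogIssue(message, typeof(UserApiController).Name, DateTime.Now, LogSeverity.ISSUE);
        return UpdateFailure(message);
    }
    var userClaimId = identityUser.Id;

    // Authorization: the target Id comes from the client, so compare it against the caller's own
    // row and only let administrators update someone else's profile.
    if (attemptingUser.Id != user.ID && !(await manager.IsInRoleAsync(userClaimId, "ADMIN")))
    {
        //this user is attempting to edit another user, and is not an authorized administrator
        //log the occurence
        MasterLogger.LogIssue(
            "Illegal user profile update. Attempter: " + attemptingUser.Id + "/" + attemptingUser.UserHandle
            + " Profile Attempted: " + user.ID,
            typeof(UserApiController).Name,
            DateTime.Now,
            LogSeverity.SECURITYWARNING);
        //fail silently
        return UpdateFailure("ILLEGAL ACTION DETECTED");
    }

    //update user
    var oldUser = db.Users.Find(user.ID);
    if (oldUser == null)
    {
        // Use the requested id here: oldUser is null in this branch, and the original code
        // dereferenced it while building the message.
        string message = "Failed to retrieve user with id:" + user.ID;
        MasterLogger.LogIssue(message, typeof(UserApiController).Name, DateTime.Now, LogSeverity.ISSUE);
        return UpdateFailure(message);
    }

    //update user values
    oldUser.ProfileText = user.ProfileText;
    oldUser.UserHandle = user.UserHandle;
    db.SaveChanges();

    var usermodel = new UserProfileFullModel
    {
        ID = oldUser.Id,
        ProfileText = oldUser.ProfileText,
        VaporAmount = oldUser.VaporAmount,
        AetherAmount = oldUser.AetherAmount,
        UserHandle = oldUser.UserHandle,
        Avatar = oldUser.Avatar
    };
    return new ApiServiceResponse<UserProfileFullModel>
    {
        ResponseCode = ApiServiceResponseCode.SUCCESS,
        ResponseObject = usermodel,
        Message = null
    };
}

/// <summary>
/// Builds the FAILURE response shape used by every rejected path of UpdateUserInformation
/// (null object, given message).
/// </summary>
/// <param name="message">Message returned to the client.</param>
/// <returns>A FAILURE response with a null ResponseObject.</returns>
private static ApiServiceResponse<UserProfileFullModel> UpdateFailure(string message)
{
    return new ApiServiceResponse<UserProfileFullModel>
    {
        ResponseCode = ApiServiceResponseCode.FAILURE,
        ResponseObject = null,
        Message = message
    };
}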
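/// <summary>
/// Renders the profile page for the currently signed-in user.
/// </summary>
/// <param name="id">Route id. As written it is never consulted: the page is always built from the
/// signed-in user (see the note in the body).</param>
/// <returns>The profile view, or 404 when the signed-in principal has no identity user or no
/// application user row behind it.</returns>
public async Task<ActionResult> UserPage(string id)
{
    //if the user is the owner of this id (current user id == id), then
    //they can edit the page using AJAX
    var currentIdentityId = User.Identity.GetUserId();
    var user = await manager.FindByIdAsync(currentIdentityId);
    if (user == null)
    {
        // No identity user behind the current principal (e.g. deleted account); the original
        // code dereferenced null here.
        return HttpNotFound();
    }

    var userobj = db.Users.FirstOrDefault(u => u.UserID.Equals(user.Id));
    if (userobj == null)
    {
        // Identity user exists but has no application user row.
        return HttpNotFound();
    }

    // NOTE(review): because the row above is looked up by the caller's own identity id, this
    // comparison is always true and `id` is never used; presumably the row should be looked up
    // by `id` and ownership compared against it — confirm the route's intended semantics before
    // changing, since the type of `id` (identity id vs. row Id) is not visible here.
    ViewBag.AbleToEditPage = (userobj.UserID == currentIdentityId);

    var usermodel = new UserProfileFullModel
    {
        ID = userobj.Id,
        ProfileText = userobj.ProfileText,
        VaporAmount = userobj.VaporAmount,
        AetherAmount = userobj.AetherAmount,
        UserHandle = userobj.UserHandle,
        Avatar = userobj.Avatar
    };
    return View(usermodel);
}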