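// Handles Save on the User Preferences page for the currently logged-in user.
// Email is updated unconditionally; the security question, password (if changed)
// and security answer (if changed) are only updated for locally authenticated users.
//
// NOTE(review): statements are still built by string concatenation because
// dc.sqlExecuteUpdate takes a raw SQL string. Every user-supplied or derived value
// that lands in the SQL is quote-escaped (the convention this file already uses),
// but a quote-only escape is not a complete defence on drivers that also honour
// backslash escapes — parameterized commands would be the proper fix.
// NOTE(review): dc.EnCrypt is used for password storage; if it is reversible
// encryption rather than a salted hash, stored passwords are recoverable — confirm.
public void btnSave_Click(object sender, System.EventArgs e)
{
    // The page pre-fills the password box with this mask; an untouched box means
    // "leave the password alone". Passwords only apply to local accounts.
    const string sPasswordFiller = "($%#d@x!&";
    bool bIsLocal = (lblAuthenticationType.Text == "local");
    bool bPasswordChanged = bIsLocal && (txtPassword.Text != sPasswordFiller);
    string sUserID = ui.GetSessionUserID();

    // validation for password match
    if (txtPassword.Text != txtPasswordConfirm.Text)
    {
        ui.RaiseError(Page, "Passwords do not match", true, "");
        return;
    }

    // its ok to update email every time
    sSQL = "update users set email = '" + txtEmail.Text.Replace("'", "''") + "'";

    if (bIsLocal)
    {
        // these settings are only applicable if the user is local.
        // Escape AFTER encrypting: the escape protects the SQL literal, so it must
        // apply to the value actually concatenated, and escaping beforehand would
        // store doubled quotes inside the encrypted question.
        sSQL += ",security_question = '" + dc.EnCrypt(txtSecurityQuestion.Text).Replace("'", "''") + "'";

        if (bPasswordChanged)
        {
            // bugzilla 1347: the new password may not appear in the user's recent
            // password history (how many entries is a dataAccess setting).
            if (dc.PasswordInHistory(dc.EnCrypt(txtPassword.Text), sUserID, ref sErr))
            {
                ui.RaiseError(Page, "Passwords can not be reused, choose another password", true, "");
                return;
            }
            if (!string.IsNullOrEmpty(sErr))
            {
                ui.RaiseError(Page, sErr, true, "");
                return;
            }
            // make sure the password meets the complexity policy
            if (!dc.PasswordIsComplex(txtPassword.Text, ref sErr))
            {
                ui.RaiseError(Page, sErr, true, "");
                return;
            }
            // NOTE(review): the stored value is redacted in this listing ('******');
            // whatever dc.EnCrypt returns must be quote-escaped before concatenation.
            sSQL += ",user_password='******'";
        }

        // only update the security answer if it has changed; escape it like the question
        if (txtSecurityAnswer.Text != hidSecurityAnswer.Value)
        {
            sSQL += ",security_answer='" + dc.EnCrypt(txtSecurityAnswer.Text).Replace("'", "''") + "'";
        }
    }

    sSQL += " where user_id = '" + sUserID + "'";

    try
    {
        // A failed update must not fall through to the audit log, the history insert
        // or the "Preferences updated." message.
        if (!dc.sqlExecuteUpdate(sSQL, ref sErr))
        {
            ui.RaiseError(Page, "Update failed: " + sErr, true, "");
            return;
        }

        // audit trail: the email change, plus the fact (never the value) of a password change
        ui.WriteObjectChangeLog(acObjectTypes.User, "User Preferences", "Email", hidEmail.Value, txtEmail.Text);
        if (bPasswordChanged)
        {
            ui.WriteObjectChangeLog(acObjectTypes.User, sUserID, "Password", "User updated password via User Preferences");

            // record the new password in the history so it is refused on reuse.
            // Only done when the password column was actually written above.
            sSQL = "insert user_password_history (user_id, change_time,password) values ('" + sUserID + "',now(),'" + dc.EnCrypt(txtPassword.Text).Replace("'", "''") + "')";
            if (!dc.sqlExecuteUpdate(sSQL, ref sErr))
            {
                ui.RaiseError(Page, "User updated, could not add password history: " + sErr, true, "");
                return;
            }
        }
    }
    catch (System.Exception ex)
    {
        ui.RaiseError(Page, "Update failed: " + ex.Message, true, "");
        return;
    }

    // keep the answer box populated after postback so the unchanged check still works
    txtSecurityAnswer.Attributes.Add("value", txtSecurityAnswer.Text);
    ui.RaiseInfo(Page, "Preferences updated.", "");
}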
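// Applies an administrative edit of a user record. oUser carries, in order:
//   [0] user_id, [1] login id, [2] full name, [3] authentication type ("local"/"ldap"),
//   [4] password or the unchanged-mask, [5] force_change flag, [6] role,
//   [7] email, [8] status, [9] comma-separated group (tag) names.
// Returns "" on success, otherwise a user-facing message; throws on database errors.
//
// NOTE(review): statements are built by concatenation because acTransaction only
// exposes CommandText here. Every caller-supplied value now goes through
// EscapeSqlString(); a quote-only escape is not complete on drivers that honour
// backslash escapes, so parameterized commands remain the proper fix — confirm
// against the dataAccess provider.
// NOTE(review): dc.EnCrypt is used for password storage; if it is reversible
// encryption rather than a salted hash, stored passwords are recoverable — confirm.
public static string SaveUserEdits(object[] oUser)
{
    // verify the right number of properties
    if (oUser == null || oUser.Length != 10)
    {
        return "Incorrect number of User Properties.";
    }

    // Convert.ToString yields "" for a null element instead of throwing.
    string sEditUserID = System.Convert.ToString(oUser[0]);
    string sLoginID = System.Convert.ToString(oUser[1]);
    string sFullName = System.Convert.ToString(oUser[2]);
    string sAuthType = System.Convert.ToString(oUser[3]);
    string sUserPassword = System.Convert.ToString(oUser[4]);
    string sForcePasswordChange = System.Convert.ToString(oUser[5]);
    string sUserRole = System.Convert.ToString(oUser[6]);
    string sEmail = System.Convert.ToString(oUser[7]);
    string sStatus = System.Convert.ToString(oUser[8]);
    string sGroupArray = System.Convert.ToString(oUser[9]);

    dataAccess dc = new dataAccess();
    acUI.acUI ui = new acUI.acUI();
    string sErr = null;
    string sChangeDetail = "User Details updated.";

    // The authentication type decides how logins are verified, so reject anything
    // unexpected up front rather than only when a password happens to be supplied.
    if (sAuthType != "local" && sAuthType != "ldap")
    {
        return "Unknown Authentication type.";
    }

    // checks that cant be done on the client side: is the login id unique?
    string sInuse = "";
    string sSql = "select user_id from users where username = '******'" +
        " and user_id <> '" + EscapeSqlString(sEditUserID) + "' limit 1";
    if (!dc.sqlGetSingleString(ref sInuse, sSql, ref sErr))
    {
        throw new System.Exception(sErr);
    }
    if (!string.IsNullOrEmpty(sInuse))
    {
        return "Login ID '" + sLoginID + "' is unavailable, please choose another.";
    }

    // Per conference call 5-11-09: the client sends a fixed 9-char mask when the
    // password box was not touched, so the password column is left alone.
    string sPasswordUpdate = ",";
    bool boolPasswordChanged = false;
    string sNewPassword = sUserPassword.Trim();
    if (sUserPassword != "($%#d@x!&")
    {
        sChangeDetail += " Password changed.";
        if (sAuthType == "local")
        {
            // bugzilla 1347: refuse a password that appears in the user's recent history
            if (dc.PasswordInHistory(dc.EnCrypt(sNewPassword), sEditUserID, ref sErr))
            {
                return "Passwords can not be reused, please choose another password";
            }
            // IsNullOrEmpty rather than != null: a helper that sets sErr to "" must not
            // make us return "" (which callers read as success) before anything was saved.
            if (!string.IsNullOrEmpty(sErr))
            {
                return sErr;
            }
            if (!dc.PasswordIsComplex(sNewPassword, ref sErr))
            {
                return sErr;
            }
            // NOTE(review): the stored value is redacted in this listing ('******');
            // whatever dc.EnCrypt returns must go through EscapeSqlString().
            sPasswordUpdate = ",user_password = '******',";
            boolPasswordChanged = true;
        }
        else
        {
            // ldap accounts never hold a local password
            sPasswordUpdate = ",user_password = NULL,";
        }
    }

    // NOTE(review): acTransaction's rollback/dispose API is not visible here; confirm
    // that an uncommitted transaction is discarded when an exception escapes below.
    dataAccess.acTransaction oTrans = new dataAccess.acTransaction(ref sErr);

    // update the user fields; every admin edit also resets the failed-login counter
    sSql = "update users set" +
        " full_name = '" + EscapeSqlString(sFullName) + "'," +
        " username = '******'" +
        sPasswordUpdate +
        " force_change = '" + EscapeSqlString(sForcePasswordChange) + "'," +
        " authentication_type = '" + sAuthType + "'," +
        " email = '" + EscapeSqlString(sEmail) + "'," +
        " failed_login_attempts = '0'," +
        " status = '" + EscapeSqlString(sStatus) + "'," +
        " user_role = '" + EscapeSqlString(sUserRole) + "'" +
        " where user_id = '" + EscapeSqlString(sEditUserID) + "'";
    ExecInTransaction(oTrans, sSql, ref sErr);

    if (boolPasswordChanged)
    {
        // add password history so the new password is refused on reuse
        sSql = "insert user_password_history (user_id, change_time,password) values ('" +
            EscapeSqlString(sEditUserID) + "',now(),'" + EscapeSqlString(dc.EnCrypt(sNewPassword)) + "')";
        ExecInTransaction(oTrans, sSql, ref sErr);
    }

    #region "tags"
    // group membership is replaced wholesale: drop existing tags, re-insert what was sent
    sSql = "delete from object_tags where object_id = '" + EscapeSqlString(sEditUserID) + "'";
    ExecInTransaction(oTrans, sSql, ref sErr);

    if (sGroupArray.Length > 0)
    {
        foreach (string sGroupName in sGroupArray.Split(','))
        {
            sSql = "insert object_tags (object_id, object_type, tag_name)" +
                " values ('" + EscapeSqlString(sEditUserID) + "', 1, '" + EscapeSqlString(sGroupName) + "')";
            ExecInTransaction(oTrans, sSql, ref sErr);
        }
    }
    #endregion

    oTrans.Commit();

    // add security log
    ui.WriteObjectChangeLog(Globals.acObjectTypes.User, sEditUserID, sFullName.Trim().Replace("'", "''"), sChangeDetail);

    // no errors to here, so return an empty string
    return "";
}

// Doubles single quotes so a value can sit inside a single-quoted SQL literal.
// Null is treated as an empty string.
private static string EscapeSqlString(string s)
{
    return s == null ? "" : s.Replace("'", "''");
}

// Runs one statement on the open transaction and throws with the driver's
// message if it fails, so the caller's flow stops before Commit().
private static void ExecInTransaction(dataAccess.acTransaction oTrans, string sSql, ref string sErr)
{
    oTrans.Command.CommandText = sSql;
    if (!oTrans.ExecUpdate(ref sErr))
    {
        throw new System.Exception(sErr);
    }
}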