using System; using System.Collections; using System.Configuration; using System.Data; using System.Data.SqlClient; using System.Web; using System.Security.Cryptography; using System.Text; namespace ASPNetPortal { //********************************************************************* // // PortalSecurity Class // // The PortalSecurity class encapsulates two helper methods that enable // developers to easily check the role status of the current browser client. // //********************************************************************* public class PortalSecurity { //********************************************************************* // // Security.Encrypt() Method // // The Encrypt method encrypts a clean string into a hashed string // //********************************************************************* public static string Encrypt(string cleanString) { Byte[] clearBytes = new UnicodeEncoding().GetBytes(cleanString); Byte[] hashedBytes = ((HashAlgorithm) CryptoConfig.CreateFromName("MD5")).ComputeHash(clearBytes); return BitConverter.ToString(hashedBytes); } //********************************************************************* // // PortalSecurity.IsInRole() Method // // The IsInRole method enables developers to easily check the role // status of the current browser client. // //********************************************************************* public static bool IsInRole(String role) { return HttpContext.Current.User.IsInRole(role); } //********************************************************************* // // PortalSecurity.IsInRoles() Method // // The IsInRoles method enables developers to easily check the role // status of the current browser client against an array of roles // //********************************************************************* public static bool IsInRoles(String roles) { HttpContext context = HttpContext.Current; foreach (String role in roles.Split( new char[] {';'} )) { if (role != "" && role != null && ((role == "All Users") || (context.User.IsInRole(role)))) { return true; } } return false; } //********************************************************************* // // PortalSecurity.HasEditPermissions() Method // // The HasEditPermissions method enables developers to easily check // whether the current browser client has access to edit the settings // of a specified portal module // //********************************************************************* public static bool HasEditPermissions(int moduleId) { // Obtain PortalSettings from Current Context PortalSettings portalSettings = (PortalSettings) HttpContext.Current.Items["PortalSettings"]; // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("GetAuthRoles", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; // Add Parameters to SPROC SqlParameter parameterModuleID = new SqlParameter("@ModuleID", SqlDbType.Int, 4); parameterModuleID.Value = moduleId; myCommand.Parameters.Add(parameterModuleID); SqlParameter parameterPortalID = new SqlParameter("@PortalID", SqlDbType.Int, 4); parameterPortalID.Value = portalSettings.PortalId; myCommand.Parameters.Add(parameterPortalID); // Add out parameters to Sproc SqlParameter parameterAccessRoles = new SqlParameter("@AccessRoles", SqlDbType.NVarChar, 256); parameterAccessRoles.Direction = ParameterDirection.Output; myCommand.Parameters.Add(parameterAccessRoles); SqlParameter parameterEditRoles = new SqlParameter("@EditRoles", SqlDbType.NVarChar, 256); parameterEditRoles.Direction = ParameterDirection.Output; myCommand.Parameters.Add(parameterEditRoles); // Open the database connection and execute the command myConnection.Open(); myCommand.ExecuteNonQuery(); myConnection.Close(); if ((PortalSecurity.IsInRoles((String)parameterAccessRoles.Value) == false) || (PortalSecurity.IsInRoles((String)parameterEditRoles.Value) == false)) { return false; } else { return true; } } } //********************************************************************* // // UsersDB Class // // The UsersDB class encapsulates all data logic necessary to add/login/query // users within the Portal Users database. // // Important Note: The UsersDB class is only used when forms-based cookie // authentication is enabled within the portal. When windows based // authentication is used instead, then either the Windows SAM or Active Directory // is used to store and validate all username/password credentials. // //********************************************************************* public class UsersDB { //********************************************************************* // // UsersDB.AddUser() Method // // The AddUser method inserts a new user record into the "Users" database table. // // Other relevant sources: // + AddUser Stored Procedure // //********************************************************************* public int AddUser(String fullName, String email, String password) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("AddUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; // Add Parameters to SPROC SqlParameter parameterFullName = new SqlParameter("@Name", SqlDbType.NVarChar, 50); parameterFullName.Value = fullName; myCommand.Parameters.Add(parameterFullName); SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); SqlParameter parameterPassword = new SqlParameter("@Password", SqlDbType.NVarChar, 20); parameterPassword.Value = password; myCommand.Parameters.Add(parameterPassword); SqlParameter parameterUserId = new SqlParameter("@UserID", SqlDbType.Int); parameterUserId.Direction = ParameterDirection.Output; myCommand.Parameters.Add(parameterUserId); // Execute the command in a try/catch to catch duplicate username errors try { // Open the connection and execute the Command myConnection.Open(); myCommand.ExecuteNonQuery(); } catch { // failed to create a new user return -1; } finally { // Close the Connection if (myConnection.State == ConnectionState.Open) myConnection.Close(); } return (int) parameterUserId.Value; } //********************************************************************* // // UsersDB.DeleteUser() Method // // The DeleteUser method deleted a user record from the "Users" database table. // // Other relevant sources: // + DeleteUser Stored Procedure // //********************************************************************* public void DeleteUser(int userId) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("DeleteUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; SqlParameter parameterUserId = new SqlParameter("@UserID", SqlDbType.Int); parameterUserId.Value = userId; myCommand.Parameters.Add(parameterUserId); // Open the database connection and execute the command myConnection.Open(); myCommand.ExecuteNonQuery(); myConnection.Close(); } //********************************************************************* // // UsersDB.UpdateUser() Method // // The UpdateUser method deleted a user record from the "Users" database table. // // Other relevant sources: // + UpdateUser Stored Procedure // //********************************************************************* public void UpdateUser(int userId, String email, String password) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("UpdateUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; SqlParameter parameterUserId = new SqlParameter("@UserID", SqlDbType.Int); parameterUserId.Value = userId; myCommand.Parameters.Add(parameterUserId); SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); SqlParameter parameterPassword = new SqlParameter("@Password", SqlDbType.NVarChar, 20); parameterPassword.Value = password; myCommand.Parameters.Add(parameterPassword); // Open the database connection and execute the command myConnection.Open(); myCommand.ExecuteNonQuery(); myConnection.Close(); } //********************************************************************* // // UsersDB.GetRolesByUser() Method // // The DeleteUser method deleted a user record from the "Users" database table. // // Other relevant sources: // + GetRolesByUser Stored Procedure // //********************************************************************* public SqlDataReader GetRolesByUser(String email) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("GetRolesByUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); // Open the database connection and execute the command myConnection.Open(); SqlDataReader dr = myCommand.ExecuteReader(CommandBehavior.CloseConnection); // Return the datareader return dr; } //********************************************************************* // // GetSingleUser Method // // The GetSingleUser method returns a SqlDataReader containing details // about a specific user from the Users database table. // //********************************************************************* public SqlDataReader GetSingleUser(String email) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("GetSingleUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; // Add Parameters to SPROC SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); // Open the database connection and execute the command myConnection.Open(); SqlDataReader dr = myCommand.ExecuteReader(CommandBehavior.CloseConnection); // Return the datareader return dr; } //********************************************************************* // // GetRoles() Method // // The GetRoles method returns a list of role names for the user. // // Other relevant sources: // + GetRolesByUser Stored Procedure // //********************************************************************* public String[] GetRoles(String email) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("GetRolesByUser", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; // Add Parameters to SPROC SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); // Open the database connection and execute the command SqlDataReader dr; myConnection.Open(); dr = myCommand.ExecuteReader(CommandBehavior.CloseConnection); // create a String array from the data ArrayList userRoles = new ArrayList(); while (dr.Read()) { userRoles.Add(dr["RoleName"]); } dr.Close(); // Return the String array of roles return (String[]) userRoles.ToArray(typeof(String)); } //********************************************************************* // // UsersDB.Login() Method // // The Login method validates a email/password pair against credentials // stored in the users database. If the email/password pair is valid, // the method returns user's name. // // Other relevant sources: // + UserLogin Stored Procedure // //********************************************************************* public String Login(String email, String password) { // Create Instance of Connection and Command Object SqlConnection myConnection = new SqlConnection(ConfigurationSettings.AppSettings["connectionString"]); SqlCommand myCommand = new SqlCommand("UserLogin", myConnection); // Mark the Command as a SPROC myCommand.CommandType = CommandType.StoredProcedure; // Add Parameters to SPROC SqlParameter parameterEmail = new SqlParameter("@Email", SqlDbType.NVarChar, 100); parameterEmail.Value = email; myCommand.Parameters.Add(parameterEmail); SqlParameter parameterPassword = new SqlParameter("@Password", SqlDbType.NVarChar, 20); parameterPassword.Value = password; myCommand.Parameters.Add(parameterPassword); SqlParameter parameterUserName = new SqlParameter("@UserName", SqlDbType.NVarChar, 100); parameterUserName.Direction = ParameterDirection.Output; myCommand.Parameters.Add(parameterUserName); // Open the database connection and execute the command myConnection.Open(); myCommand.ExecuteNonQuery(); myConnection.Close(); if ((parameterUserName.Value != null) && (parameterUserName.Value != System.DBNull.Value)) { return ((String)parameterUserName.Value).Trim(); } else { return String.Empty; } } } }