Bear in mind, I have researched this and have found several articles, however, they are mostly old (like from 2008) so I am wanting more recent information pertaining to the latest version(s) of ASP.NET MVC.
I am using the Membership built-in thing to provide user registration, login and roles.
I want to use the profile functions, too.
I don't know how to create a profile and I can't find any articles on how to do this in MVC 3. I found one using MVC 2, maybe it's the same, but I want to use the latest available methods.
Can someone show me a step by step solution to creating a profile?
I am considering using my own membership classes + forms authentication. That way, creating profiles is as simple as assigning a foreign key...
What's the experts' opinion?
Please provide your answer in VB and not C# (I don't know why everyone writes me stuff in C#).
Thanks.
Edit: Here is my Register function:
'
' POST: /Account/Register
<HttpPost()> _
Public Function Register(ByVal model As RegisterModel) As ActionResult
If ModelState.IsValid Then
' Attempt to register the user
Dim createStatus As MembershipCreateStatus
Membership.CreateUser(model.UserName, model.Password, model.Email, Nothing, Nothing, True, Nothing, createStatus)
If createStatus = MembershipCreateStatus.Success Then
FormsAuthentication.SetAuthCookie(model.UserName, False)
Return RedirectToAction("Index", "Home")
Else
ModelState.AddModelError("", ErrorCodeToString(createStatus))
End If
End If
' If we got this far, something failed, redisplay form
Return View(model)
End Function
Personally, I would recommend against using the SQL Profile Provider (which is what you are using). Nothing has changed with profiles since MVC2 (or, for that matter, since it was introduced in webforms with .NET 2.0).
The reason is this: Profile data is stored as XML in the database, which makes it very difficult to use profile data outside of your app (meaning in a pure SQL query).
You're probably much better off creating profile fields in your database directly. This way you know which table / column the data is coming from, and can create views if you need to. Otherwise, you would have to parse a table column's XML to extract the profile data (which is what the ProfileCommon does in .NET).
Reply to comments
First of all, I was wrong about the property name. It is ProviderUserKey, not ProviderKey. However unless you want to store profile properties for anonymous users, you could just as easily use MembershipUser.UserName as your FK value, since it will also be unique.
[HttpPost]
public ActionResult Register(RegisterModel model)
{
MembershipCreateStatus createStatus;
var membershipUser = Membership.CreateUser(model.UserName, model.Password,
model.Email, null, null, true, null, out createStatus);
if (createStatus == MembershipCreateStatus.Success)
{
var providerKeyObject = membershipUser.ProviderUserKey;
var providerKeyGuid = (Guid)membershipUser.ProviderUserKey;
// Use providerKeyGuid as a foreign key when inserting into a profile
// table. You don't need a real db-level FK relationship between
// your profile table and the aspnet_Users table. You can lookup this
// Guid at any time by just getting the ProviderUserKey property of the
// MembershipUser, casting it to a Guid, and executing your SQL.
// Example using EF / DbContext
using (var db = new MyDbContext())
{
var profile = new MyProfileEntity
{
UserId = providerKeyGuid, // assumes this property is a Guid
FirstName = model.FirstName,
LastName = model.LastName,
};
db.Set<MyProfileEntity>().Add(profile);
db.SaveChanges();
}
// you could get the profile back out like this
using (var db = new MyDbContext())
{
var profile = db.Set<MyProfileEntity>().SingleOrDefault(p =>
p.UserId == (Guid)membershipUser.ProviderUserKey);
}
FormsAuthentication.SetAuthCookie(membershipUser.UserName, false);
return RedirectToAction("Index", "Home");
}
return View(model);
}
Here is an example using the UserName instead of the ProviderUserKey. I would recommend this approach if you are not storing profile info for anonymous users:
[HttpPost]
public ActionResult Register(RegisterModel model)
{
MembershipCreateStatus createStatus;
var membershipUser = Membership.CreateUser(model.UserName, model.Password,
model.Email, null, null, true, null, out createStatus);
if (createStatus == MembershipCreateStatus.Success)
{
// Example using EF / DbContext
using (var db = new MyDbContext())
{
var profile = new MyProfileEntity
{
// assumes this property is a string, not a Guid
UserId = membershipUser.UserName,
FirstName = model.FirstName,
LastName = model.LastName,
};
db.Set<MyProfileEntity>().Add(profile);
db.SaveChanges();
}
// you could get the profile back out like this, but only after the
// auth cookie is written (it populates User.Identity.Name)
using (var db = new MyDbContext())
{
var profile = db.Set<MyProfileEntity>().SingleOrDefault(p =>
p.UserId == User.Identity.Name);
}
FormsAuthentication.SetAuthCookie(membershipUser.UserName, false);
return RedirectToAction("Index", "Home");
}
return View(model);
}
Related
I understand the way I'm doing the login function is non-secure. But since I'm a novice I don't want to go into too deep first and prefer to do in a most simple and basic way first.
So far what I've done, I have a Admin Model
public class Admin
{
public string AdminUsername { get; set; }
public string Password { get; set; }
}
I have 2 views namely AdminRegister.cshtml and AdminLogin.cshtml
I have done the Register part, I know the password should not be stored in DB and password hashing instead. But as for now, I just want to complete the login function in a basic manner.
Their respective action method in controller are as follow
public ActionResult AdminRegister(Admin model)
{
using (var store = new DocumentStore
{
Url = "http://localhost:8080/",
DefaultDatabase = "foodfurydb"
})
{
store.Initialize();
using (var session = store.OpenSession())
{
session.Store(model);
session.SaveChanges();
}
}
return RedirectToAction("Home");
}
[HttpPost]
public ActionResult AdminLogin(Admin model)
{
Admin login = new Admin();
using (var store = new DocumentStore
{
Url = "http://localhost:8080/",
DefaultDatabase = "foodfurydb"
})
{
store.Initialize();
using (var session = store.OpenSession())
{
var adminInput = session
.Query<Admin>()
.Where(u => u.AdminUsername.Equals(model.AdminUsername) && u.Password.Equals(model.Password));
if (adminInput != null)
{
}
}
}
return View();
}
For the login part, I assume that I should query to check whether the user with the particular username and password exist in DB or not. And then, I'm stuck and don't know how to compare the login input and the data from db! Appreciate if someone kind enough to lead me! Just a simple one though! Thank you very much.
Find out whether the user exists first
var count = session
.Query<Admin>()
.Where(u => u.AdminUsername == model.AdminUsername);
if (count > 0)
{
return RedirectToAction("AddRestaurant");
}
else
{
// user exist in db
return RedirectToAction("Home");
}
I managed to find out whether the username in login field exist in DB or not. If yes it will login, else it will stay at home page. But till this stage, I haven't get an idea how to verify the password. Appreciate if anyone can guide me on this.
Let us avoid storing the password in plain text entirely.
We'll first start by loading the document for that user:
var adminInput = session
.Query<Admin>()
.Where(u => u.AdminUsername == model.AdminUsername)
.FirstOrDefault();
Note that I'm using FirstOrDefault to actually execute the query so we'll have the result.
Then, you check if the user exists, and if he does, you need to compare the number.
See this post on how to do this properly: How to hash a password
I've built an MVC 5 website. Adding a user generates and sends an email with a confirmation token. When the user clicks the emailed link, the site responds, asking the user to set an initial password.
When the user tries to set an initial password, the user has not logged in yet, so User.Identity.GetUserId() is null. How do I pass the user ID from the confirmation link to the call to SetPassword()?
AccountController.cs
// GET: /Account/ConfirmEmail
[AllowAnonymous]
public async Task<ActionResult> ConfirmEmail(string userId, string code)
{
if (userId == null || code == null)
return View("Error");
var result = await UserManager.ConfirmEmailAsync(userId, code);
if (result.Succeeded)
using (var s = new UserStore())
{
var u = s.FindByIdAsync(userId).Result;
await s.SetEmailConfirmedAsync(u, true);
return View("ConfirmEmail", new { Id = userId }); // This doesn't seem to make Id available.
}
else
return View("Error");
}
ConfirmEmail.cshtml
#{
ViewBag.Title = "Confirm Email";
}
<h2>#ViewBag.Title.</h2>
<div>
<p>
Thank you for confirming your email.
Please #Html.ActionLink("click here to create a password.",
"SetPassword", "Manage",
routeValues: null, // I've tried passing new { Id = Model.Id }, but Id isn't available at run-time.
htmlAttributes: new { id = "loginLink" })
</p>
</div>
ManageController.cs
// POST: /Manage/SetPassword
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> SetPassword(SetPasswordViewModel model)
{
if (ModelState.IsValid)
{
var result = await UserManager.AddPasswordAsync(User.Identity.GetUserId(), model.NewPassword);
if (result.Succeeded)
{
var user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
if (user != null)
{
await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
}
return RedirectToAction("Index", new { Message = ManageMessageId.SetPasswordSuccess });
}
AddErrors(result);
}
// If we got this far, something failed, redisplay form
return View(model);
}
A simple fix is to add a parameter to the SetPassword method:
public async Task<ActionResult> SetPassword(SetPasswordViewModel model, Guid userIdentifier)
The ConfirmEmail.cshtml would then change to:
Please #Html.ActionLink("click here to create a password.",
"SetPassword", "Manage",
routeValues: null, // I've tried passing new { Id = Model.Id }, but Id isn't available at run-time.
htmlAttributes: new { id = "loginLink", userIdentifier = Model.ID })
When the user clicks the link, you should now have the userIdentifier filled in with the ID of the user the email was sent to.
It's not super secure as they can pass any Guid (if they can figure out which one to send).
You may want to track a PasswordRequest object by ID (instead of userIdentifier) that can expire the email in which case they need to request a new one. This way once the PasswordRequest record is used, it can be deleted to prevent reuse as well.
Note: PasswordRequest is just a made up name.
You collect the password when you first create a user so that you don't need an id for your UserManager.CreateAsync(). You'd send the confirmation email token in the register action after you've created a new row (and generated the id).
The SetPassword() action is for an existing and authenticated user to change their password. You should not mark that as [AllowAnonymous].
you can use the query string, in the confirmation token you can encrypt the username or userid and when you reach the reset page decrypt it and set the Identity to whoever it was.
Edit: In addition to that you can create a new table in the database InitialSetup, with columns user, EncryptedId(guid), Initial.
When someone clicks the email link they will need to input username, and new password. That is when you will check if the input username is the same as the EncryptedId(guid).
I'm building my site based on the patterns used in the ASP.NET Music Store project but I'm having some trouble with editing user records.
My view uses a PasswordFor for the password field and there are some fields that I need my site to update without any possible user intervention (for auditing).
My problem is that because I'm not supplying a value for password or for the auditing fields, they're submitting with null values.
Here's my POST:
[HttpPost]
public ActionResult Edit(User user)
{
if (ModelState.IsValid)
{
try
{
// supply the Company and Role information by the PK values submitted on the view
user.Company = db.Companies.Single(x => x.CompanyId == user.CompanyId);
user.Role = db.Roles.Single(x => x.RoleId == user.RoleId);
// add the auditing information
user.ModifiedBy = String.Format("{0} {1}", Convert.ToString(Session["firstname"]), Convert.ToString(Session["lastname"]));
user.ModifiedOn = DateTime.Now;
// save the record
db.Entry(user).State = EntityState.Modified;
db.SaveChanges();
return Json(new
{
Message = "Success",
IsOK = bool.TrueString
});
}
catch (Exception ex)
{
if (Request.IsAjaxRequest())
{
ThrowError(ex, "EDIT");
}
else
{
return RedirectToAction("Index");
}
}
}
return View(user);
}
So when I submit, because I don't want to change the password, I'm leaving it blank which means the model is getting a null value.
How can I ensure that the fields that I'm not changing aren't going to get updated?
At first you should provide some hidden field in your form which stores ID of an entity.
Then in your controller POST action you should somehow merge your original entity with the changes done in the view. So you should do the following steps:
Read a record from the database.
Update only fields which were updated in the view model.
Save changes.
For the second step you can use mapping tools, for instance - https://automapper.codeplex.com/
More or less it should look like that:
var updated = SomeClass.GetByKey(key);
Mapper.CreateMap<ViewModel, Model>()
.ForMember(dest => dest.someField, opt => opt.Ignore())
.ForMember(dest => dest.someField2, opt => opt.Ignore());
Mapper.Map(model, updated);
//Here save changes
(By saying view model I mean or view model or instance of your model which is bound with your view).
I'm not sure I understand the best way of doing this.
If I have a model with a large number of fields, then do I have to explicitelly list every one of them in a whitelist under TryUpdateModel, or can I just pass the ForCollection.
The following code doesn't save my edits, is my only alternative to list all my fields one by one?
public ActionResult Edit(int id, FormCollection form)
{
var jobToUpdate = db.Jobs
.Include(x => x.JobNotes)
.Where(x => x.JobID == id)
.SingleOrDefault();
if (TryUpdateModel(jobToUpdate, form))
{
db.Entry(jobToUpdate).State = EntityState.Modified;
db.SaveChanges();
return RedirectToAction("Details", new { id = model.Job.JobID });
}
return RedirectToAction("Details", new { id = model.Job.JobID })
}
Secondly, what is the best way to get a list of just the fields that have changed. If the only field that the user changes is the FirstName field, I'd like to record that in an audit log.
Thanks for your help!
If there are fields on your model that aren't in the form and you don't want users to change then you can use an exclude list. The choice to use an include or exclude list will depend which is largest. An include list is more secure as if you forget to include something it can't be changed. Not using an include, or exclude list will leave you vulnerable to model stuffing where users can post extra values to change details they shouldn't be able to.
public ActionResult Edit(int id, FormCollection form)
{
var jobToUpdate = db.Jobs
.Include(x => x.JobNotes)
.Where(x => x.JobID == id)
.SingleOrDefault();
if (TryUpdateModel(jobToUpdate, String.Empty, null, new [] {"SecretField"}, form))
{
db.SaveChanges();
return RedirectToAction("Details", new { id = model.Job.JobID });
}
// Model not saved - send them back to edit page for corrections
return View(jobToUpdate);
}
If the model is not saved you should not redirect. Show them the same page and make sure your edit view shows model errors.
The most likely reason your code is not saving the model is you're trying to insert a value that is not valid.
I've implemented some basic, custom membership provider for my ASP.NET MVC application so I thought that all validation will be done in my custom code.
Unfortunately when I'm trying to create new user by calling function:
Membership.CreateUser(user.UserName, user.Password, user.Email, null, null, true, Guid.NewGuid(), out status);
which should eventually throw an exception with all validation errors I'm getting a status like "InvalidUserName" or "InvalidPassword" instead... That means that my custom CreateUser function isn't call directly, it's used after some basic validation which I would wish to skip.
My CreateUser function (in my custom provider):
public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
{
try
{
User user = new User();
user.UserKey = Guid.NewGuid();
user.UserName = username;
user.passwordSalt = string.Empty;
user.Password = this.TransformPassword(password, ref user.passwordSalt);
user.Email = email;
user.PasswordQuestion = passwordQuestion;
user.PasswordAnswer = passwordAnswer;
user.CreationDate = DateTime.Now;
user.LastActivityDate = DateTime.Now;
user.LastLoginDate = DateTime.MinValue;
user.LastPasswordChangeDate = DateTime.Now;
this._UsersRepository.SaveUser(user);
status = MembershipCreateStatus.Success;
return CreateMembershipFromInternalUser(user);
}
catch(RuleException ex)
{
throw ex;
}
}
Do you know how to enforce direct usage of custom CreateUser function !?
But I'm not using a default ASP.NET MVC project's AccountController...
Just take a look:
[AcceptVerbs(HttpVerbs.Post)]
public ViewResult Register(User user, string password_confirm, bool acceptsTerms)
{
if (!acceptsTerms)
ModelState.AddModelError("acceptsTerms", "Musisz zaakceptować regulamin");
if (ModelState.IsValid)
{
try
{
MembershipCreateStatus status = new MembershipCreateStatus();
Membership.CreateUser(user.UserName, user.Password, user.Email, null, null, true, Guid.NewGuid(), out status);
}
catch (RuleException ex){
ex.CopyToModelState(ModelState,"user");
}
}
return View();
}
The point is that I'm getting a status instead of RuleException ex when user.UserName or user.Password is empty. My custom RuleException ex would give me back such informations as well. Where a status value is assigned right now !? Bacouse it's not done in my implementation of CreateUser...
I am using this (MVC3) and I have no issues:
[HttpPost]
public ActionResult Register(RegisterModel model)
{
if (ModelState.IsValid)
{
MembershipCreateStatus status;
Membership.Provider.CreateUser(model.UserName, model.Password, model.Email, "", "", true, Guid.NewGuid(), out status);
if (status == MembershipCreateStatus.Success)
{
FormsService.SignIn(model.UserName, false);
return RedirectToAction("Index", "Home");
}
else
{
ModelState.AddModelError("", AccountValidation.ErrorCodeToString(status));
}
}
// If we got this far, something failed, redisplay form
ViewBag.PasswordLength = MembershipService.MinPasswordLength;
return View(model);
}
Using ILSpy to view the static method Membership.CreateUser, you will find it performs validation on
Username (trim whitespace + not null, not empty)
Password (trim whitespace + not null, not empty, length checks)
Email (trim whitespace)
Password Question (trim whitespace + not empty)
Password Answer (trim whitespace + not empty)
It then calls the custom provider.
The key here is to not call the static method CreateUser
Membership.CreateUser(...)
Rather, call the custom provider directly by using:
Membership.Provider.CreateUser(...)
Tested and verified working, as of .NET 4
While my site recommends having a password, we support openid. So forcing a user to have a password just seemed counter to what openid is good for.
Complete rewrite
The ASP.NET Membership system always does some initial validation of the inputs when APIs such as CreateUser are called.
I don't know of any way around this aside from not going directly to the ASP.NET membership APIs.