In a service I have wrote a simple function to get tenant id of particular user
[AbpAuthorize]
public int? FindTenancyNameByUserNameOrEmail(string userNameOrEmail)
{
var qry = (from p in _memberRepository.GetAll()
where p.UserName == userNameOrEmail || p.EmailAddress == userNameOrEmail
select p).FirstOrDefault();
if (qry != null)
{
return qry.TenantId;
}
else
{
throw new Exception("User not found");
}
}
I am calling this function from login function of account controller.
public async Task<JsonResult> Login(LoginViewModel loginModel, string returnUrl = "", string returnUrlHash = "")
{
var tenancyid = _memberAppService.FindTenancyNameByUserNameOrEmail(loginModel.UsernameOrEmailAddress.Trim());
//bla bla code
}
I get following error:
Exception thrown: 'Abp.Authorization.AbpAuthorizationException' in
Abp.dll
Additional information: Current user did not login to the application!
The issue was the user was not belonging to the tenant.
Used the following line to set the tenant id and code worked.
CurrentUnitOfWork.SetFilterParameter(AbpDataFilters.MayHaveTenant, AbpDataFilters.Parameters.TenantId, intTenancyId);
added the [AbpAllowAnonymous] attribute to the service method
The problem is in first line
var qry = (from p in _memberRepository.GetAll()
.GetAll() function create this error as you cannot use Builtin function in linq query.
Instead use
var Myvariable = _memberRepository.GetAll().ToList();
var qry = (from p in Myvariable where p.UserName == userNameOrEmail || p.EmailAddress == userNameOrEmail select p).FirstOrDefault();
The problem is AbpAuthorize Attribute [AbpAuthorize] remove it.
Related
I have a controller form application and the security team they said there is a vulnerability you can put any user_id fom postman inside the controller like this
ForgotPassword/user_id
how I can remove this vulnerability check the code below:
[HttpPost]
[ValidateAntiForgeryToken]
public JsonResult ForgotPassword(string emailId)
{
var helper = new Helper.Helper();
List<SqlParameter> args = new List<SqlParameter>();
args.Add(new SqlParameter("#Pin_email_id", emailId));
var req_resp = new Dictionary<string, object>();
try
{
using (DataSet dataset = helper.ExecuteSqlQuery("Web_Forgot_Password", args))
{
if (dataset != null && dataset.Tables.Count > 0 && dataset.Tables[0].Rows.Count > 0)
{
if (dataset.Tables[0].Rows[0]["Status"].ToString() == "Success")
{
req_resp["status"] = true;
req_resp["message"] = dataset.Tables[0].Rows[0]["Description"].ToString();
req_resp["code"] = dataset.Tables[0].Rows[0]["Code"].ToString();
string password = dataset.Tables[0].Rows[0]["user_password"].ToString();
SendForgotMail(emailId, dataset.Tables[0].Rows[0]["user_name"].ToString(), helper.Decrypt(password), dataset.Tables[0].Rows[0]["employee"].ToString());
return Json(req_resp);
}
else
{
req_resp["status"] = false;
req_resp["message"] = dataset.Tables[0].Rows[0]["Description"].ToString();
req_resp["code"] = dataset.Tables[0].Rows[0]["Code"].ToString();
return Json(req_resp);
}
}
else
{
req_resp["status"] = false;
req_resp["message"] = "Request Failed";
req_resp["code"] = "1005";
return Json(req_resp);
}
}
}
catch
{
var response = new
{
status = false,
message = "Request failed",
code = "1005"
};
return Json(response);
}
}
Well normally you store only password hashes in your database, which are not decryptable. Watching helper.Decrypt(password) in your code and sending the original password as a plain text in email is something painful. Normally I would just send a password reset link which can be used only once.
I checked the SqlParemater docs, it is added as a String value the way you use it, so it is not SQL injectable. Without the exact SQL I cannot tell much. I think they meant that it is SQL injectable, but then they should send evidence at least.
I'm working on a social network with ASP.NET and signalr. I have a simple login page, if it finds the user in the database it creates an Application variable and redirect the user to the profile page and in this page i invoke my Connect method declared in my hub class, this method takes the userid in the session and it give the friend list of this user. That works great when two or many users logged in at different time. The thing is, when two or several users logged in at the same time, the connect method declared in my hub takes the last user id stored in the Application variable and it give the friend list of this last user id and it send it to all user connected.
I can't find the correct approach.
Loggin Page code:
protected void btn_login_Click(object sender, EventArgs e)
{
Tbl_User user = new Tbl_User();
user = FonctionCommun.Login(txt_UserName.Text , txt_PassWord.Text);
if (user != null)
{
Application["UserID"] = user.UserID.ToString();
Response.Redirect("Profile.aspx");
}
else {
Label1.Visible = true;
}
}
My connect method code:
public void connect()
{
UserID = Guid.Parse(HttpContext.Current.Application["UserID"].ToString());
string OutPut = "";
if (ListOnlineUser.Count(x => x.UserID == UserID) == 0)
{
ListOnlineUser.Add(new OnlineUsers { UserID = UserID, ConnetionID = Guid.Parse(Context.ConnectionId) });
objchat.SetOnline(UserID);
ListFriends = objchat.GetFriendLoginStatus(UserID);
}
foreach (Tbl_User item in ListFriends)
{
if (item.Status == "1")
{
OnlineUsers onlineFriend = ListOnlineUser.FirstOrDefault(x => x.UserID == Guid.Parse(item.UserID.ToString()));
if (onlineFriend != null)
{
using (FIESTA_ADVISOREntities BD = new FIESTA_ADVISOREntities())
{
Tbl_User Obj_User = BD.Tbl_User.Where(o => o.UserID == UserID).FirstOrDefault();
if (Obj_User.ProfileImage != null)
{
string ext = BD.Assets.Where(o => o.url == Obj_User.ProfileImage).Select(o => o.MimeType).FirstOrDefault();
UserDetaille res = new UserDetaille() { UserID = Guid.Parse(Obj_User.UserID.ToString()), Username = Obj_User.UserName, ProfileImage = Obj_User.ProfileImage.ToString(), Ext = ext };
OutPut = JsonConvert.SerializeObject(res);
}
else {
UserDetaille res = new UserDetaille() { UserID = Guid.Parse(Obj_User.UserID.ToString()), Username = Obj_User.UserName, ProfileImage = "111", Ext = "png" };
OutPut = JsonConvert.SerializeObject(res); }
Clients.Client(onlineFriend.ConnetionID.ToString()).OnNewUserConnect(OutPut);
}
}
}
}
Clients.Caller.ShowFriends(ListFriends);
}
Try session variable instead of application variable. Application variable shared through out application working. So Whenever new user this is override. But if you use session variable that will never override by any other user
Also you can use query string in signalr in which you can pass userid as query string so in each request userid will be in query string
$.connection.hub.qs = 'userid=' + "UserId";
I am trying add a subscriber to a list but I'm struggling to implement it without any example code.
can anybody help me with the example?
Inspired by this video:
MailChimp.NET Tutorial: Create, Edit And Delete List Members - here my test code to add a subscriber to a 'given list'.
The subscriber will receive an email asking to confirm the subscription. After that confirmation the new subscriber
will be listed in mailchimp campaign list.
(used version mailchimp.net wrapper v:3 with newtonsoft.json version 10.0.3) - this worked for me.
private static readonly IMailChimpManager Manager = new MailChimpManager(ApiKey);
public async Task AddSubscriberToCampaignList(string emailAddress, string listName, string fname, string lname)
{
try
{
var listsAwaitable = Manager.Lists.GetAllAsync().ConfigureAwait(false);
var list = listsAwaitable.GetAwaiter().GetResult().FirstOrDefault(l =>
l.Name.Equals(listName, StringComparison.CurrentCultureIgnoreCase));
if (list != null)
{
//the subscriber
var member = new Member
{
EmailAddress = emailAddress,
StatusIfNew = Status.Pending,
EmailType = "html",
TimestampSignup = DateTime.UtcNow.ToString("s"),
};
if (fname != null && lname != null)
{
var subscriberName = new Dictionary<string, object>
{
{"FNAME", fname},
{"LNAME", lname}
};
member.MergeFields = subscriberName;
}
string campaignListKey = list.Id;
await Manager.Members.AddOrUpdateAsync(campaignListKey, member);
}
}
catch (MailChimpException e)
{
throw;
}
public bool IsUserGroupMember(string user, string unit)
{
bool member = false;
try
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
string[] groups = unit.Split(',');
foreach (string word in groups)
{
GroupPrincipal grp = GroupPrincipal.FindByIdentity(ctx, IdentityType.Name, word);
if (grp != null)
{
foreach (Principal p in grp.GetMembers(true))
{
if (p.SamAccountName == user)
{
member = true;
grp.Dispose();
ctx.Dispose();
return member;
}
}
}
else
{
grp.Dispose();
ctx.Dispose();
return member;
}
}
}
catch (COMException)
{
return member;
}
return member;
}
I'm using the method above to find if a user is member of a group in Active Directory, recursively. It works well..although sometimes I get a weird exception.
Specified method is not supported.
foreach (Principal p in grp.GetMembers(true)) is red (sorry I can't upload a picture of the exception). The weirdest thing is that it seems to be thrown randomly, and if I refresh the page it works well..
I tried to find a solution on the Internet but no happy news for now..
You should do this the other way around: get the user and then the authorization groups that this user is a member of - this call (.GetAuthorizationGroups on the UserPrincipal) already is searching the groups recursively for you!
public bool IsUserGroupMember(string user, string unit)
{
bool isMember = false;
try
{
// put the PrincipalContext in a using(..) block - then it's
// automatically, safely and properly disposed of at the end
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// get the user
UserPrincipal up = UserPrincipal.FindByIdentity(ctx, user);
if(up != null)
{
// get the authorization groups for the user
// this call is *RECURSIVELY* enumerating all groups
// that this user is a member of
var authGroups = up.GetAuthorizationGroups();
// now that you have the groups - just determine if the user
// is a member of the group you're looking for......
}
}
}
catch (COMException comEx)
{
isMember = false;
}
return isMember;
}
I finally ended up with a solution!
I just had to add my domain name, as follow:
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "MyDomain");
It solved the problem right away!
And about the slowness..I used cookies, following this link.
In an aspx page I get the Windows username with the function Request.LogonUserIdentity.Name. This function returns a string in the format "domain\user".
Is there some function to only get the username, without resorting to the IndexOf and Substring, like this?
public static string StripDomain(string username)
{
int pos = username.IndexOf('\\');
return pos != -1 ? username.Substring(pos + 1) : username;
}
If you are using Windows Authentication.
This can simply be achieved by calling System.Environment.UserName which will give you the user name only.
If you want only the Domain name you can use System.Environment.UserDomainName
I don't believe so. I have got the username using these methods before-
var user = System.Web.HttpContext.Current.User;
var name = user.Identity.Name;
var slashIndex = name.IndexOf("\\");
return slashIndex > -1
? name.Substring(slashIndex + 1)
: name.Substring(0, name.IndexOf("#"));
or
var name = Request.LogonUserIdentity.Name;
var slashIndex = name.IndexOf("\\");
return slashIndex > -1
? name.Substring(slashIndex + 1)
: name.Substring(0, name.IndexOf("#"));
Getting parts[1] is not a safe approach. I would prefer use LINQ .Last():
WindowsIdentity windowsIdentity = WindowsIdentity.GetCurrent();
if (windowsIdentity == null)
throw new InvalidOperationException("WindowsIdentity is null");
string nameWithoutDomain = windowsIdentity.Name.Split('\\').Last();
If you are using .NET 3.5 you could always create an extension method to the WindowsIdentity class that does this work for you.
public static string NameWithoutDomain( this WindowsIdentity identity )
{
string[] parts = identity.Name.Split(new char[] { '\\' });
//highly recommend checking parts array for validity here
//prior to dereferencing
return parts[1];
}
that way all you have to do anywhere in your code is reference:
Request.LogonUserIdentity.NameWithoutDomain();
static class IdentityHelpers
{
public static string ShortName(this WindowsIdentity Identity)
{
if (null != Identity)
{
return Identity.Name.Split(new char[] {'\\'})[1];
}
return string.Empty;
}
}
If you include this code, you could then just do something like:
WindowsIdentity a = WindowsIdentity.GetCurrent();
Console.WriteLine(a.ShortName);
Obviously in a web environment, you wouldn't write to the console - just an example...
An alternative way of doing the same thing as the other answers:
var usernameWithoutDomain = Path.GetFileName(#"somedomain\someusername")
It is just unsafe as not checking for the # variant of usernames.
I was suggesting to use regexpes but they would be overkill.
[System.String.Split](http://msdn.microsoft.com/en-us/library/b873y76a(VS.80).aspx) do the job.
string[] parts= username.Split( new char[] {'\\'} );
return parts[1];