Saturday, January 31, 2009

How to add a Login, Roles and Profile system to an ASP.NET 2.0 app in only 24 lines of code

How to add a Login, Roles and Profile system to an ASP.NET 2.0 app in only 24 lines of code

---------------------------------------------------------------------------------------

I’ve seen a few questions in the forums lately looking for examples on how to use the CreateUserWizard control to create new users in the ASP.NET 2.0 membership system, and then as part of the registration process assign the new user into custom roles and/or collect and store custom profile properties about them (country, address, gender, zipcode, etc).

Stefan from my team had a cool CreateUserWizard control sample that I borrowed and expanded upon to build-up a sample that demonstrates how to build a fairly common user management, roles and personalization system in ASP.NET 2.0 that does this. I was pleasantly surprised to find it only took about 25 lines of C# code in the entire app. J

The sample comes with 6 pages:

Specifically it supports:

1) Login support to enable registered users to login to the web app using forms auth and the new membership system (login.aspx)

2) Registration support to enable visitors to create and register new users in the membership system (CreateNewWizard.aspx)

3) Profile support that enables the site to gather information about the user on registration, and for the users to see that information on a profile page (MyProfile.aspx).

4) Change Password support to enable registered users to change their password in the membership system (ChangePassword.aspx)

5) Password Recovery support to enable users to reset their password if they forgot them (RecoverPassword.aspx)

You can download and run the sample yourself from here. Note that it is built with the final release of VS 2005 and ASP.NET 2.0 – so it won’t work with Beta2 (although it will probably work with the RC).

Implementation Notes on CreateNewWizard.aspx and MyProfile.aspx:

Only two of the above pages (CreateNewWizard.aspx and MyProfile.aspx) have code in them. The others use the built-in Login controls in V2 to-do everything (asp:login, asp:passwordrecovery, asp:changepassword).

CreateNewWizard.aspx is the most interesting page. It uses the built-in server control to-do most of the heavy lifting and has two templated wizard steps defined within the wizard:

wizard step 1: gathering user-account data

The control handles gathering up the user-account, email, password, and password recovery/answer data and then calling into the ASP.NET 2.0 membership system to register the new user. You simply have to override the control’s template and customize the control layout to have things look how you want.

The sample is using the ASP.NET validation controls to perform client-side validation on the inputs as well within the template (example: making sure passwords match, the age is a valid integer, etc). One added benefit in ASP.NET 2.0 is that these validation controls now support client-side validation for FireFox and other modern browsers (note: all screenshots were done using FireFox).

There are then three additional properties (their country, gender and age) that I wanted to gather up about the new user as part of the registration process. Doing this was pretty easy using the new ASP.NET 2.0 Profile system – simply add their definitions within the tag of the web.config file to register them and store their values in the new profile system:

<profile enabled="true">

<properties>

<add name="Country" type="string"/>

<add name="Gender" type="string"/>

<add name="Age" type="Int32"/>

properties>

profile>

I then handled the “CreatedUser” event on the CreateUserWizard control within my CreateNewWizard.aspx.cs code-behind file to retrieve the values from the controls within the CreateUserWizard control template and set them in the profile store:

// CreatedUser event is called when a new user is successfully created

public void CreateUserWizard1_CreatedUser(object sender, EventArgs e) {

// Create an empty Profile for the newly created user

ProfileCommon p = (ProfileCommon) ProfileCommon.Create(CreateUserWizard1.UserName, true);

// Populate some Profile properties off of the create user wizard

p.Country = ((DropDownList)CreateUserWizard1.CreateUserStep.ContentTemplateContainer.FindControl("Country")).SelectedValue;

p.Gender = ((DropDownList)CreateUserWizard1.CreateUserStep.ContentTemplateContainer.FindControl("Gender")).SelectedValue;

p.Age = Int32.Parse(((TextBox)CreateUserWizard1.CreateUserStep.ContentTemplateContainer.FindControl("Age")).Text);

// Save profile - must be done since we explicitly created it

p.Save();

}

Because the user is being created as part of this step, I explicitly choose to create a new Profile object in code (note that I was passing in the CreatedUserWizard1.UserName property as the username – since the user isn’t logged into the system yet). I then accessed the controls within the template of the control, pulled out their values, and stuck them within the newly created profile. Calling p.save at the end registered this profile with the new username. (note: I’ll walk through how we use this profile data later in a page below).

wizard step 2: picking roles

After the user fills out the first step of registration information and clicks the next button, the user is created, the CreatedUser event fires, and we fill in the appropriate information about the user into the profile store.

The control then displays the second step template we’ve defined. This template lists all of the roles currently created in the ASP.NET Role Management system, and allows the user to select which roles they belong to:

Note that you’d typically never assign roles to an end-user this way (instead you’d add your own logic to somehow calculate which role they belong in), but I thought this scenario was cool nonetheless which is why it works like the sample above.

I think it is cool because of the way we populate and access these roles in the template of the . Basically, we have a template definition to the .aspx like this:

<asp:WizardStep runat="server" AllowReturn="False"

OnActivate="AssignUserToRoles_Activate"

OnDeactivate="AssignUserToRoles_Deactivate">

<table>

<tr>

<td>

Select one or more roles for the user:

td>

tr>

<tr>

<td>

<asp:ListBox ID="AvailableRoles" runat="server"

SelectionMode="Multiple" >

asp:ListBox>

td>

tr>

table>

asp:WizardStep>

It simply contains a control named “AvailableRoles”. When this wizard step is loaded (after the user hits the next button on the first step in the wizard), it will fire the “OnActivate” event. We can use this to databind the list of all roles in the system to the above listbox. When the user hits next again, the wizard will fire the “OnDeactivate” event. We can then use this to determine which roles were selected in the above listbox, and use them to update the role-manager system.

The code to-do both of these actions looks like this:

// Activate event fires when user hits "next" in the CreateUserWizard

public void AssignUserToRoles_Activate(object sender, EventArgs e) {

// Databind list of roles in the role manager system to listbox

AvailableRoles.DataSource = Roles.GetAllRoles(); ;

AvailableRoles.DataBind();

}

// Deactivate event fires when user hits "next" in the CreateUserWizard

public void AssignUserToRoles_Deactivate(object sender, EventArgs e) {

// Add user to all selected roles from the roles listbox

for (int i = 0; i <>

if (AvailableRoles.Items[i].Selected == true)

Roles.AddUserToRole(CreateUserWizard1.UserName, AvailableRoles.Items[i].Value);

}

}

That is all of the code for the CreateNewWizard.aspx.cs file – 17 lines total if you omit comments and whitespace (if my count is right).

Next Step: Displaying User Profile Data

The only other page in this scenario that required me to add code was the MyProfile.aspx page. This page looks like this:

The page itself was pretty simple to implement. I simply added a few asp:label controls on the page, as well a listbox for the roles. Populating these controls with the profile and role information involved added a Page_Load event with 7 lines of code like so:

protected void Page_Load(object sender, EventArgs e) {

Country.Text = Profile.Country;

Gender.Text = Profile.Gender;

Age.Text = Profile.Age.ToString();

RoleList.DataSource = Roles.GetRolesForUser(User.Identity.Name);

RoleList.DataBind();

}

Note that the profile object is strongly typed – which means profile properties will get statement completion and compilation checking in VS 2005 with it. I can also then query the role management system to retrieve an array of all the roles the current user belongs to and then databind this to the listbox control.

Since the MyProfile.aspx page requires a user to be logged in (otherwise retrieving profile information about them doesn’t make a lot of sense), I also added a based authorization control tag in my web.config file:

<location path="MyProfile.aspx">

<system.web>

<authorization>

<deny users="?"/>

<allow users="*"/>

authorization>

system.web>

location>

This is the same configuration I would have added in ASP.NET V1.1 – and basically tells the system to deny all users who aren’t logged in (the ? = anonymous), and then allow all users who are logged in (the * = all).

Those who aren’t logged in will get automatically re-directed to the login.aspx page. The control can be used there to allow users who have already registered to log-in without the developer having to write any custom code.

Summary

Hopefully this walks-through a fairly common real-world web app scenario and explains how it can be easily done in ASP.NET 2.0. The ASP.NET 2.0 Membership, Role and Profile system (especially when combined with the new login controls) pack a lot of productivity power.

What is really nice is that they are all built on the new ASP.NET 2.0 provider model. Our of the box ASP.NET ships built-in providers that provide Membership, Roles and Profile storage inside SQL Express, SQL Server and Active Directory stores (the later for Membership and Roles only). What is even better is that you can replace any of these implementations using a custom provider that you either buy or build yourself (see this blog post for more details on how to-do this). Replacing a provider in ASP.NET 2.0 simply involves changing a value in a web.config file – the above code sample will work regardless of what provider was plugged in (LDAP, Oracle, DB2, Custom SQL Table Schema, File-System, etc).


Note: Copyright of this article is Scott. programmer of Microsoft.

Creating Custom Membership and Role Providers

Introduction

In the Part 1 and Part 2 we learnt the concept and internal architecture of ASP.NET provider model. We know that the provider model is extensible and one can implement custom providers to suit his requirement. In this part we will develop two custom providers - one for membership and the other for roles.

Why develop a custom membership and role provider?

Well. There can be many reasons. Here are few:

  • You have custom data store (not SQL Server or Access) in which you want to store user data.
  • You are using some non-standard database for which there is no inbuilt membership or role providers.
  • You want to implement custom encryption mechanism for the data being saved and retrieved
  • You want to write database independent membership and role provider

One more reason that I have not listed in the above list is - You may want to use your own table schema instead of using inbuilt one. At first glance it may look odd but it can be a great way to save your work while migrating applications.

Requirements

Let's decide the requirements for building our custom membership and role providers.

  • We want to use our application database for storing membership and role information. That also means that we do not have a central database for storing membership details of multiple applications
  • We want to store membership details in a table called Users
  • We want to store available roles in the system in a table called Roles
  • We want to store user-role mapping in a table called UserRoles
  • For the sake of simplicity we will not include any encryption-decryption logic
  • User can register by supplying user name, password and email. No security question is required
  • We do not need features such as password reset and accounting locking

Database access

We will be using BinaryIntellect DatabaseHelper open source component for all our database access.

Creating the Web Site

To begin, create a new web site and add two classes called MyMembershipProvider and MyRoleProvider to App_Code folder. For the sake of simplicity we will be creating all the necessary classes in the web site itself. In a more real world situations you may create a separate class library project to contain these classes.

Configuring the web site to use our providers

Open the web.config file and add the following markup:



type="MyMembershipProvider"
connectionStringName="connstr"/>



type="MyRolesProvider"
connectionStringName="connstr"/>

Here, we instruct ASP.NET to use MyMembershipProvider class as membership provider and MyRolesProvider class as roles provider.

Creating custom membership provider

Recollect from Part 2 that custom membership providers need to inherit from System.Web.Security.MembershipProvider class. The MembershipProvider class in turn inherits from ProviderBase class. The MembershipProvider class contains several abstract methods that you must implement in your class.

If you are using VS.NET then your job is simple. Right click on the MembershipProvider class in the class definition line and choose "Implement Abstract Class". VS.NET will add dummy delimitations for all the required methods and properties from the MembershipProvider class. The following table lists all the properties and methods that you need to implement (methods are shown with parenthesis).

Property/Method Name Description
Initialize()* Receives the connection string name specified in the web.config file. You can use it to perform database operation in your class.
Name* Represents name of our custom provider
CreateUser()* Creates a user
UpdateUser()* Saves modified information about an existing user
DeleteUser()* Deletes a user
GetUser()* Gets a user as MembershipUser instance
GetAllUsers()* Gets all the users as MembershipUserCollection
ChangePassword()* Changes password of a user
GetPassword()* Retrieves password of a user. Used when implementing "Forgot Password" feature
ValidateUser()* Authenticates the user
EnablePasswordReset* Indicates whether the password can be reset by the user
EnablePasswordRetrieval* Indicates whether the password can be retrieved by teh user
RequiresQuestionAndAnswer* Indicates whether user should supply a security question and answer during registration
RequiresUniqueEmail* Indicates whether the email supplied during registration should be unique
ApplicationName Name of the web application. This name is used in case you are using a central database for storing membership data of multiple applications
MaxInvalidPasswordAttempts Indicates the number of times user can try to login to the system
MinRequiredNonAlphanumericCharacters Indicates minimum no. of non alpha numeric characters that the user must supply during registration and password change
MinRequiredPasswordLength Indicates the minimum length required for the password when user registers or changes the password
ChangePasswordQuestionAndAnswer() Allows to change user's security question and answer
FindUsersByEmail() Searches user database on the basis of email
FindUsersByName() Searches user database on the basis of user name
GetNumberOfUsersOnline() Returns total no. of uses that are signed in
GetUser() Returns MembershipUser instance representing a specific user
GetUserNameByEmail() Returns the user name on the basis of email
PasswordAttemptWindow Indicates the time span for multiple login attempts
PasswordFormat Indicates the format of password e.g.clear, hashed etc.
PasswordStrengthRegularExpression Indicates a regular expression to be used to check the strength of password
ResetPassword() Resets the password
UnlockUser() Unlocks the user account

In our example we will code the methods and properties marked with * above. The remaining members will simply throw a "Not implemented" exception.

The complete source code of our custom membership provider can be found in the download (MyMembershipProvider.cs). As an example CreateUser() method implementation is given below:

public override MembershipUser CreateUser
(string username, string password,
string email, string passwordQuestion,
string passwordAnswer, bool isApproved,
object providerUserKey,
out MembershipCreateStatus status)
{
MembershipUser user = new MembershipUser(Name,
username, providerUserKey, email, passwordQuestion,
null, isApproved, false, DateTime.Now, DateTime.Now,
DateTime.Now, DateTime.Now, DateTime.Now);
string sql = "INSERT INTO USERS(USERNAME,PASSWORD,
EMAIL,ISACTIVE) VALUES(@UID,@PWD,@EMAIL,@ISACTIVE)";
db.AddParameter("@UID", username);
db.AddParameter("@PWD", password);
db.AddParameter("@EMAIL", email);
db.AddParameter("@ISACTIVE",
(isApproved == true ? "Y" : "N"));
int i = db.ExecuteNonQuery(sql);
if (i > 0)
{
status = MembershipCreateStatus.Success;
return user;
}
else
{
status = MembershipCreateStatus.ProviderError;
return null;
}
}

Creating custom roles provider

Creating custom roles provider involves creating a class that inherits from RoleProvider class. The following table lists all the properties and methods that you need to implement (methods are shown with parenthesis).

Property/Method Name Description
Initialize()* Receives the connection string name specified in the web.config file. You can use it to perform database operation in your class.
Name* Represents name of our custom provider
CreateRole* Create a new role
DeleteRole* Deletes an existing role
GetAllRoles* Returns all roles as string array
RoleExists* Checks if role exists in the database
AddUsersToRoles* Adds users to specified roles
RemoveUsersFromRoles* Removes users from specified roles
GetRolesForUser* Returns all the roles for a specific user
GetUsersInRole* Returns all the users belonging to a specified role
IsUserInRole* Checks if a user exists in a specified role
ApplicationName Name of the web application. This name is used in case you are using a central database for storing membership data of multiple applications
FindUsersInRole Searches for users belonging to a specified role

In our example we will code the methods and properties marked with * above. The remaining members will simply throw a "Not implemented" exception.

The complete source code of our custom membership provider can be found in the download (MyRolesProvider.cs). As an example CreateRole() method is given below:

public override void CreateRole(string roleName)
{
db.AddParameter("@ROLE", roleName);
db.ExecuteNonQuery
("INSERT INTO ROLES(ROLENAME) VALUES(@ROLE)");
}

Testing our providers

There are four test web forms provided along with the download - Default.aspx, Login.aspx, RoleManager.aspx and UserRoles.aspx. The first two test the membership provider and the later two test the roles provider. We use essentially the same Membership and Roles classes of ASP.NET. These classes in turn call our custom provides to get the job done.

Summary

In this article we saw how easy it is to develop your own providers for membership and role management. You can extend the application to suit your needs. You can also add more security features such as encryption and password strength.



Note : this article is collected from the website all right reserved BinaryIntellect Consulting.

Implementing Role Based Security in ASP.NET

Introduction

ASP.NET allows three main ways to authenticating the user of the application. They are - Windows Authentication, Forms Based Authentication and Passport Authentication. Out of these three Windows and Forms authentications are most commonly used for intranet and internet applications respectively. Authentication involves validating that the user is what he claims to be. In many applications this is not just enough. You also need to grant access rights to the user based on his category. This process is referred to as authorization. The category I just mentioned is nothing but the role of the user. In this article we will see how to use Windows as well as Custom roles to authorize users of your application.

What are Principals, Roles and Identities?

Identities
Identities are nothing but the users of your application and allow you to obtain information about that user. The classes (GenericIdentity and WindowsIdentity) and interfaces (IIdentity) required for working with Identities reside in the System.Security.Principal Namespace.
Roles
A role is nothing but a set of access rights that is assigned to the user. One user may have one or more roles. You must be familiar with Windows roles such as Administrator and Guest.
Principals
A Principal is combination of the identity and role(s) of the user. The classes and interfaces related to Principals (GenericPrincipal, WindowsPrincipal and IPrincipal) can be found in System.Security.Principal Namespace.

When to authorize a user?

Note that you should authorize a user only after authenticating. The Request.IsAuthenticated property tells you whether the user is authenticated or not. You should check this in Application_AuthenticateRequest event handler in Global.asax. This event is fired for each request at the time of authenticating the user. If the user is already authenticated by windows or forms authentications then you follow above steps

Authentication in ASP.NET

ASP.NET provides three ways to authenticate your users. They are:
  • Windows
  • Forms
  • Passport
Out of these three the first two are commonly used in ASP.NET applications.

Role based security and Windows Authentication

When you use Windows authentication to authenticate a user, you also have roles for that user based on its Windows group. For example, a user User1 might belong to group Administrators and the same role can be used in ASP.NET applications. You can check whether a user belongs to a particular role or not you need to write something like this:
if(User.IsInRole("BUILTIN\Administrators")
{
//display all options
}
else
{
//display limited options
}
Here, the IsInRole() method is used to check whether a given user has a given role. Note how we used BUILTIN for local users. If you are authenticating domain users you may write something like MYDOMAIN\Administrators. Also, note that here we didn't created any identity or principal object ourselves. Windows and ASP.NET automatically did that for us.

Role based security and Forms authentication

If you are authenticating users via Forms authentication then you need to take care of some extra steps. These steps are:
  • Create a user identity
  • Create an array of roles
  • Create a principal based on user identity and list of roles
  • Attach the principal to the current authenticated user

Create a user identity

User identity is represented by a class that implements IIdentity interface. .NET comes with a class GenericIdentity that is a simple implementation of IIdentity interface. Here, we will create a user identity using GenericIdentity class.
GenericIdentity gi=new GenericIdentity(User.Identity)
Here, we used the same identity object as created by forms authentication (User.Identity) but you can use your own ideality instead.

Create an array of roles

Next, we need to create an string array containing roles to which the user belongs.
string[] roles={"clerk","manager"};

Create a principal based on user identity and list of roles

We will now create a principal based on the identity and role information that we have. .NET provides a class called GenericPrincipal that represents a simple implementation of IPrincipal.
GenericPrincipal gp=new GenericPrincipal(gi,roles);

Attach the principal to the current authenticated user

Finally, we need to attach the principal we just created to the ASP.NET application. The way you do this is as follows:
Context.User = gp;
Here, Context.User represents the current principal of the application. You are replacing it with your own principal (gp). Note that code for all above steps will typically go in Application_AuthenticateRequest event handler inside Global.asax.

Authorizing the user

Once you have done this, authorizing a user is same as in Windows authentication.
if(User.IsInRole("manager")
{
//display all options
}
else
{
//display limited options
}

Summary

In this article we saw how to add role based security to your ASP.NET applications. using IIdentity and Iprincipal interfaces you can create your custom implementation or you can use GEnericIdentity and GenericPrincipal classes. Once you set a custom principal to the user you can use user.IsInRole() method to check whether user belongs to the specified role or not.

User Administration Tool -Part 3

Introduction

In Part 2 of this series we covered user management features. This final part will deal with role management and profile management.

Managing roles

The case for Role management option is shown in Figure 14.

...
case "Roles":
string[] roles = Roles.GetAllRoles();
FillControlsWithRoles(roles);
string[] userroles = Roles.
GetRolesForUser(user.UserName);
foreach (string s in userroles)
{
ListItem li = CheckBoxList1.Items.FindByValue(s);
if (li != null)
li.Selected = true;
}
MultiView1.ActiveViewIndex = 3;
break;
...

Figure 14: Case for Roles

The code gets a list of all the roles defined in the system by calling GetAllRoles() method of the Roles object. The returned roles are supplied as a parameter to a method called FillControlsWithRoles(). This method is discussed shortly and simply fills the CheckBoxList and DropDownList with the roles. The code then proceeds to retrieve a list of roles belonging to the user. This is done by calling GetRolesForUser() method of the Roles object. The for loop iterates through the array of roles returned by the GetRolesForUser() method and checks those roles in the CheckBoxList. Finally ActiveViewIndex property of the MultiView is set to 3.

The Role Management panel allows the administrator to perform in all three tasks � user to role mapping, role creation and role deletion. Once the administrator assigns or removes roles to a user he needs to click on the Update User Roles button. The Click event handler of the Update User Roles button is shown in Figure 15.

protected void Button10_Click(object sender,
EventArgs e)
{
MembershipUser user = Membership.GetUser
(ViewState["username"].ToString());

foreach (ListItem li in CheckBoxList1.Items)
{
if (li.Selected)
{
if (!Roles.IsUserInRole(user.UserName, li.Value))
{
Roles.AddUserToRole(user.UserName, li.Value);
}
}
else
{
if (Roles.IsUserInRole(user.UserName, li.Value))
{
Roles.RemoveUserFromRole(user.UserName, li.Value);
}
}
}
}

Figure 15: Updating user roles

The code iterates through the list of all roles i.e. CheckBoxList items and adds the user to selected roles. This is done by calling AddUserToRole() method of the Roles object. The AddUserToRole() method accepts two parameters � user name and role name. On the same lines the user is removed from the roles unchecked by the administrator. This is achieved by calling RemoveUserFromRole() method of the Roles object. The RemoveUserFromRole() method also accepts the same two parameters as the AddUserToRole() method.

The administrator can create new roles by entering in the role name in the relevant textbox and clicking on the Create button. Figure 16 shows the Click event handler of the Create button.

protected void Button8_Click
(object sender, EventArgs e)
{
Roles.CreateRole(TextBox10.Text);
FillControlsWithRoles(Roles.GetAllRoles());
}

Figure 16: Creating new roles

The code simply calls the CreateRole() method of the Roles object passing the desired role name. After a new role has been added the CheckBoxList and the DropDownList must show the new role and hence FillControlsWithRoles() method is called.

The administrator can delete a role by selecting it from the relevant DropDownList and clicking on the Delete button. The Click event handler of the Delete button is shown in Figure 17.

protected void Button9_Click
(object sender, EventArgs e)
{
Roles.DeleteRole(DropDownList2.SelectedValue);
FillControlsWithRoles(Roles.GetAllRoles());
}

Figure 17: Deleting a role

The code calls DeleteRole() method of the Roles object passing the role name to be deleted. In order to reflect the change in the CheckBoxList and DropDownList the FillControlsWithRoles() method is called again.

We have been using the FillControlsWithRoles() method at many places. The code for this helper method is shown in Figure 18.

private void FillControlsWithRoles
(string[] roles)
{
CheckBoxList1.Items.Clear();
DropDownList2.Items.Clear();
foreach (string s in roles)
{
CheckBoxList1.Items.Add(s);
DropDownList2.Items.Add(s);
}
}

Figure 18: Filling controls with roles

The method simply clears the CheckBoxList and DropDownList control and refills them with the roles array passed as a parameter.

This complete the user role management. Now we will move on to coding the last feature i.e. Profile management.

Viewing user profiles

The case of the Profile Management option looks as shown in Figure 19.

...
case "Profile":
ProfileCommon pc = Profile.
GetProfile(user.UserName);
DropDownList3.Items.Clear();
foreach (SettingsProperty p in
ProfileCommon.Properties)
{
DropDownList3.Items.Add(p.Name);
}
MultiView1.ActiveViewIndex = 4;
break;
...

Figure 19: Case for profile management

The code retrieves profile of the user by calling GetProfile() method. The GetProfile() method accepts the user name whose profile is to be retrieved. The profile is returned as an instance of ProfileCommon class. The code then iterates through all the profile properties using Properties collection of the ProfileCommon class. Each element of the Properties collection is of type SettingsProperty. The name of each profile property is added to the relevant DropDownList. Note that the profile properties from a property group are shown using dot (.) notion. Finally ActiveViewIndex property of the MultiView is set to 4.

The administrator can modify any of the profile properties or he can delete the entire profile of the user. When the administrator selects a particular profile property from the DropDownList, its value is shown a textbox. This is done in the SelectedIndexChanged event of the DropDownList (Figure 20).

protected void DropDownList3_
SelectedIndexChanged(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser
(ViewState["username"].ToString());
ProfileCommon pc = Profile.GetProfile
(user.UserName);
object obj = pc.GetPropertyValue
(DropDownList3.SelectedValue);
TextBox11.Text = obj.ToString();
}

Figure 20: Showing value of a profile property

The code retrieves profile of the user. The value of selected profile property is retrieved using GetPropertyValue() method of the ProfileCommon instance. The returned value is displayed in a textbox so that the administrator can edit it if required. If the administrator changes value of any profile property he needs to click on the Save button. The Save button sets the profile property to a new value and saves it in the underlying profile data store. This is shown in Figure 21.

protected void Button11_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser
(ViewState["username"].ToString());
ProfileCommon pc = Profile.GetProfile
(user.UserName);
object obj = pc.GetPropertyValue
(DropDownList3.SelectedValue);
pc.SetPropertyValue(DropDownList3.SelectedValue,
Convert.ChangeType(TextBox11.Text, obj.GetType()));
pc.Save();
}

Figure 21: Modifying a profile property

The code first retrieves the value of the profile property by calling GetPropertyValue() method of the ProfileCommon instance. Wondering why we do that? This is necessary because while setting the new value we need to typecast the string from the textbox to appropriate data type. The call to SetPropertyValue() method will make this clear. The SetPropertyValue() method accepts property name and the new value as parameters. The property value parameter is of type object. While passing the new value we need to convert into the appropriate data type otherwise an exception will be thrown. That�s why the code uses ChangeType() method of the Convert class. The ChangeType() method accepts two parameters � value and the destination data type. Note that we pass the data type of the value previously retrieved here. Finally Save() method of the ProfileCommon instance is called to persist the changes in the underlying data store.

In order to delete the complete profile of a user the administrator can click on the Delete Profile for this user LinkButton. The code that deletes the profile is shown in Figure 22.

protected void LinkButton2_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser
(ViewState["username"].ToString());
bool result = ProfileManager.
DeleteProfile(user.UserName);
}

Figure 22: Deleting user profile

The code calls DeleteProfile() method of ProfileManager class by passing the user name to it. The ProfileManager class is used to perform various profile related tasks such as deleting profiles and searching profiles.

That�s it! Our own User Administration Tool is ready to use. Simply drag and drop the Members.ascx on the default web form and run.


Note : this article is collected from the website all right reserved BinaryIntellect Consulting.

User Administration Tool -Part 1

ASP.NET membership, role and profile features make it easy to develop a membership driven web site. However, equally important is a way to administer and manage the users registered with the web site. If you have managed any membership driven web site then you would be familiar with the complaints about forgotten passwords, forgotten user ids and change in email addresses.

Visual Studio provide an inbuilt tool called Web Site Administration Tool that allows you to administer various aspects including membership, roles and application configuration. However, many times it is needed that the user management facility be provided as a part of the web site itself. This way the web site administrator can manage the users from anywhere. The Web Site Administration Tool suffers from some limitations in such cases. Those limitations are:

  • We can not make that tool as a part of your web site
  • The look and feel of the tool may not fit in the theme of our web site
  • We can not view and manage all the information about the users. E.g. user status and activity
  • We can not view profile information of the users
  • We can not do tasks such as password retrieval and reset
  • The tool allows us to modify settings other than membership and roles which might be undesirable

The User Administration Tool

Because of these limitations often we need to roll out our own administrative pages that handle user administration. In this article we will develop a user control that will allow us to administer all the aspect of users and their membership. Specifically the user control will allow us to:

  • Create new users
  • Search for one or more users
  • Modify user information such as email and comments
  • See status of a user
  • View activity of a user
  • Manage password of a user
  • Manage role information
  • View and modify profile information of a user

We will create it as a user control so that it can be added easily to any of the existing web forms. For the rest of the discussion we will call our user control as “User Administration Tool”.

Before we begin any development let’s see how the User Administration Tool is going to look like.

Figure 1 shows the User Administration Tool.

Figure 1 : The User Administration Tool

The tool consists four major sections. On the top it provides searching facility. Search can be based on email or user name. Wild cards (_ and %) are allowed.

Below the search area a GridView displays list of all the users or users filtered depending on the search criteria. The user can be deleted using the Delete button. There is a DropDownList that allows you select which options to display and upon clicking on the Show button the information is displayed on the right hand side. You can also change the email address and comments of a user.

Below the GridView there is facility to create new users.

The right hand side area i.e. the area below “Managing Details for…” label displays various settings related to user status, activity, security, roles and profile.

Creating a web site and a database

In order to begin, create a new web site in VS.NET 2005. Add a new Web User Control called Members.ascx. Open SQL Server Management Studio and create a new database called UserAdminToolTestDb. Note that we could have used an existing database such as Northwind but for the sake of completeness we are create a brand new database. Figure 2 shows the New Database dialog of SQL Server Management Studio.

Figure 2: New Database dialog of SQL Server Management Studio

Configuring membership, role and profile providers

Now that we have created the database it’s time to configure it to support membership, roles and profile features. These features are collectively called as application services. ASP.NET provides a command line tool called aspnet_regsql.exe that can be used for enabling and disabling the application services. The aspnet_regsql.exe tool can be used in command line mode or wizard mode for this purpose. We will use the later mode for configuring the database.

Open Visual Studio.NET 2005 Command Prompt from the Visual Studio 2005 program group. Type aspnet_regsql.exe and hit enter. The aspnet_regsql tool should start itself in wizard mode. The wizard consists of five steps. Figure 3 shows the first step of the wizard.

Figure 3: Step 1 of aspnet_regsql.exe tool

The second step (Figure 4) asks you whether you want to enable or disable application services. Select “Configure SQL Server for application services” radio button and click on Next.

Figure 4: Step 2 of aspnet_regsql.exe tool

The third step (Figure 5) accepts database details such as server name, authentication method and database name. After entering the required details click Next.

Figure 5: Step 5 of aspnet_regsql.exe tool

The fourth step (Figure 6) simply shows the summary of the settings. Clicking Next actually starts the configuration process.

Figure 6: Step 4 of aspnet_regsql.exe tool

The final step (Figure 7) is just a confirmation that the tool has configured the database correctly.

Figure 7: Step 5 of aspnet_regsql.exe tool

The aspnet_regsql.exe tool creates several tables and stored procedures (prefixed with aspnet_) in the underlying database. These tables and stored procedures are used by the membership, roles and profile features.

Configuring the membership, role and profile providers for web site

Configuring your database for supporting membership, role and profile features is just half part of the story. We also need to configure the web site so that Membership, Roles and Profile objects (as well as login controls if they are being used in the web site) correctly point to the required data store. This is achieved by adding some markup in the web.config file.

Open the web.config file and add a section as shown in Figure 8.




Figure 8: Storing database connection string

The stores zero or more database connection strings. In our case we have added a connection string named connstr pointing to UserAdminToolTestDb database we created earlier. The connection string shown in Figure 8 uses integrated security. One needs to modify it depending on the SQL Server setup.

Now add the markup as shown in Figure 9 to configure membership and role provider.










Figure 9: Configuring membership and role provider

The tag configures the membership provider where as the tag enables and configures the role provider. Both these sections point to our database connection string connstr. Note how password reset, retrieval features are enabled using enablePasswordReset and enablePasswordRetrieval attributes. Also note how the password storage format is specified using the passwordFormat attribute. The passwordFormat attribute takes three possible values – Clear, Encrypted and Hashed. Since we are using SQL Server database the type attribute of membership configuration is set to System.Web.Security.SqlMembershipProvider. The SqlMembershipProvider class handles all the intricacies of membership management with the underlying database. On the same lines type attribute of role manager configuration points to System.Web.Security.SqlRoleProvider.

Finally, add the markup for configuring profile provider and profile properties. The markup looks as shown in Figure 10.














Figure 10: configuring profile provider

The section does two jobs. First it configures the profile provider and second it configures the profile properties and groups. The profile provider configuration points to our connection string. This time the type that handles ins and outs of profile management is System.Web.Profile.SqlProfileProvider. Various profile properties and a profile group is defined with and tags respectively. We have deliberately added a DateTime property called DOB so that we can test the implication of using data types other than string. We have also added a property group so that we can test how these groups can be accessed. (These points will become clear when we code related functionality later on)

Designing the GridView for displaying list of users

Now that we have set up the database let’s display a list of users in a GridView. In order to do so open the Members.ascx user control that we added to the web site earlier. Add a base table with three rows and two columns on to the user control designer. Drag and drop a GridView control as shown in Figure 1. A collection of MembershipUser objects will be acting as the data source for the GridView. Set AllowPaging property of the GridView to true. From the smart tag of the GridView click on “Edit Columns…” link to open the Fields dialog. Figure 11 shows the Fields dialog of the GridView.

Figure 11: Fields dialog of GridView

Add a TemplateField and set its HeaderText property to “Users”. Ensure that “Auto-generate fields” checkbox is unchecked and close the dialog. Design the ItemTemplate and EditItemTemplate as shown in the Figure 12.

Figure 12: ItemTemplate and EditItemTemplate of GridView

The ItemTemplate consists of a Label control for displaying the user name, HyperLink control for displaying email address and another Label control for displaying comments about the user. The template also has Button controls titled Edit and Delete. Finally, there is a DropDownList that contains possible user options (Status, Security etc.) and a Button titled Show.

Once you design the ItemTemplate open the smart tag for user name Label and select “Edit DataBindings…” option to open DataBindings dialog as shown in Figure 13.

Figure 13: DataBindings dialog

Select Text property from the “Bindable Properties” list. In the “Code expression” textbox enter Eval(“UserName”). This will bind the Text property of the Label with the UserName property of the underlying data element. Similarly bind the Text and NavigateUrl properties of the HyperLink with Email property of the underlying data element. Also bind Text property of comment label to Comment property of the underlying data element. From the smart tag of DropDownList select “Edit Items…” option to open the ListItem Collection Editor as shown in Figure 14.

Figure 14: ListItem Collection Editor

Add five items namely – Status, Activity, Security, Roles and Profile. Finally set the CommandName property of Edit and Delete buttons to “Edit” and “Delete” respectively. This completes the design of ItemTemplate.

The EditItemTemplate consists of a Label control for displaying user name and two textboxes for editing email and comments respectively. The newly entered data is saved using the Save button and the edit operation can be cancelled using the Cancel button. Data bind the Label and Textboxes with UserName, Email and Comment properties exactly as before. Also set the CommandName property of the Save and Cancel buttons to “Update” and “Cancel” respectively. This completes the design of EditItemTemplate.

Designing user interface for searching users

In order to design a user interface for searching users, drag and drop a Panel control above the GridView that we just designed. Set the GroupingText property of the panel to “Find Users”. Add a table with four rows and two columns and place controls as shown in Figure 15.

Figure 15: Find Users panel

The Find Users panel consists of two Textboxes for accepting search criterions for email search and user name search respectively. Search criteria can contain wild cards _ (single character) and % (any number of characters). Clicking on the respective Go button will display only the matching records in the GridView. At the top there is a LinkButton for clearing the filter criteria so that the GridView displays the complete list of users.

Designing user interface for creating new users

Designing user interface for creating new users is fairly simple. Simply drag and drop a CreateUserWizard control below the GridView that we designed previously. Apply some formatting theme to it if required. That’s it.

Designing user interface for displaying user details

The user interface for displaying user details consists of MultiView and View controls. In order to design the interface, drag and drop a MultiView control on the right hand side of the GridView and Find Users panel (refer Figure 1). Drag and drop five View controls inside the MultiView control. Further drag and drop a Panel control in each of the View control and set their GroupingText property to User Status, User Activity, Security, Role Management and Profile Management respectively.

Design the first View control as shown in Figure 16.

Figure 16: View control for displaying User Status

The View for User Status consists of three Checkbox controls and a Button control. The checkboxes indicate if the user is active, locked out or online. The administrator can mark a user as inactive by un-checking the Is Active checkbox. The “Is Locked Out” checkbox is enabled only if the user is locked i.e. user can only be unlocked by the administrator. The “Is Online” checkbox is always disabled. It simply displays the on-line status of the user. The changes can be saved by clicking the Save Changes button.

Now design the second View control as shown in Figure 17.

Figure 17: View control for displaying User Activity

The second View control shows the activity of the user in terms of creation date, last activity date, last lockout date, last login date and last password change date. All the information displayed here is read only.

Design the third View control as shown in Figure 18 and 19.

Figure 18: View control for managing security details

Figure 19: View control for managing security details

The third View control allows the administrator to change the password of a user or the password question and answer. It also allows the administrator to retrieve or reset the password. The Get Password button is enabled only if the password retrieval feature is enabled on the membership provider. Similarly the Reset Password button is enabled only if the password reset feature is enabled on the membership provider. Note that for the sake of simplicity we have not taken any care of validating the inputs.

It’s time to design the fourth View control. This View control allows the administrator to manage roles in the system as well as user to role mapping. Design the View control as shown in Figure 20.

Figure 20: View control for managing roles

The “Add/Remove user from role(s)” section displays a list of all the roles with the roles to which the user belongs to as checked. The administrator can add or remove the user from one or more role(s) and click on Update User Roles button to save the changes. The administrator can also create a new role or delete existing roles. Note that for the sake of simplicity we have not taken any care of validating the inputs.

Finally design the fifth View control as shown in Figure 21

Figure 21: View control for managing profile

The fifth View control allows the administrator to manage profile of a user. A DropDownList shows a list of all the profile properties. The property values can be read or changed. Clicking on the Save button saves the changes. The administrator can also delete the profile of the user. Note that profile properties can be of a user defined type (customer class for example). Such properties of course can not be read or modified via this tool.

That’s it! We have just completed designing the user interface of the User Administration Tool. The mark up of Members.ascx is bit lengthy and hence not given here. You can get it in the download accompanying this article.

Conclusion

Membership, Role and Profile features come handy while building a secure membership driven web site. Often the administrators need a tool that allows them to manage users easily. In the Part 1 of this series we kicked off developing such a flexible yet simple tool. We developed user interface of a web user control for managing various aspect of user administration such as password recovery, role mapping and profile management. In the Part 2 of this article we will code the functionality to make our user control functional

Note : this article is collected from the website all right reserved BinaryIntellect Consulting.

User Administration Tool -Part 2

In the Part 1 of this series we started developing a web user control that allows us to manage various aspects of user administration such as password recovery, role mapping and profile management. We configured the database and web site for availing membership, role and profile features of ASP.NET. Continuing our development further we will now code various pieces of the functionality.

Binding the GridView with list of users

ASP.NET provides an inbuilt member called Membership through which membership information can be retrieved. In order to retrieve a list of users and bind them with the GridView we write a method called BindGrid(). There are two overloads of this method. One accepting the search criteria and search by option and the other without any parameters. Figure 1 shows these two overloads.

private void BindGrid(string criteria,FindByOptions option)
{
MembershipUserCollection m =null;
if (option == FindByOptions.Email)
{
ViewState["emailcriteria"] = criteria;
m = Membership.FindUsersByEmail(criteria);
}
else
{
ViewState["usernamecriteria"] = criteria;
m = Membership.FindUsersByName(criteria);
}
GridView1.DataSource = m;
GridView1.DataBind();
}
private void BindGrid()
{
if (ViewState["emailcriteria"] != null)
{
BindGrid(ViewState["emailcriteria"].ToString(),
FindByOptions.Email);
return;
}
if (ViewState["usernamecriteria"] != null)
{
BindGrid(ViewState["usernamecriteria"].ToString(),
FindByOptions.UserName);
return;
}
MembershipUserCollection m = Membership.GetAllUsers();
GridView1.DataSource = m;
GridView1.DataBind();
}

Figure 1: Binding GridView with a list of users

The first overload takes two parameters. The search criteria is a string containing the search pattern. The second parameter is of type FindByOptions. FindByOptions is an enumeration defined by us and looks like this:

public enum FindByOptions
{
Email,UserName
}

Through the enumeration we specify whether we want to find users on the basis of their email address or user name. Depending on this parameter we call FindUsersByEmail() or FindUsersByName() method of Membership object. The return value of FindUsersByEmail and FindUsersByName methods is a collection of type MembershipUserCollection. Each member of this collection is of type MembershipUser and represents a user. The MembershipUserCollection acts as a data source for the GridView. Note that the code creates two ViewState variables - emailcriteria and usernamecriteria - to store the corresponding search criterions. This way we can filter the users across post backs. This overload of the BindGrid() method is called when the administrator clicks on any of the Go buttons of the Find Users panel.

In the second overload of the BindGrid() method the code checks for existence of the same two ViewState variables. Their presence indicates that some search filter is active. If any search filter is active then the previous overload of the BindGrid() is called. Otherwise the code calls the GetAllUsers() method of Membership object. The GetAllUsers() method returns all the users of the web site in the form MembershipUserCollection. The collection is then bound with the GridView as before. This overload of BindGrid() is called from the Load event of the user control and also from various other places.

Figure 2 shows the Page_Load event handler of the user control.

protected void Page_Load(object sender,
EventArgs e)
{
CreateUserWizard1.ContinueDestinationPageUrl =
Request.Path;
if (!IsPostBack)
BindGrid();
}

Figure 2: Page_Load event handler of user control

The code sets the ContinueDestinationPageUrl property of the CreateUserWizard control to the URL of the current web form. This way the administrator is redirected to the same web form after clicking the Continue button of the CreateUserWizard control. The code also calls the BindGrid() method to bind the GridView with the list of users.

Handling Paging and Data Binding of the GridView

There might be many users registered with the web site and hence the GridView must implement paging functionality. Since we are not using any Data Source controls we need to implement paging functionality ourselves. In order to do so we must handle two events related to paging � PageIndexChanging and PageIndexChanged. The former is raised when a new page number is selected but before navigating to the new page. The later is raised when the page index has been changed. Figure 3 shows the event handlers for these two events.

protected void GridView1_PageIndexChanging
(object sender, GridViewPageEventArgs e)
{
GridView1.PageIndex = e.NewPageIndex;
BindGrid();
}

protected void GridView1_PageIndexChanged
(object sender, EventArgs e)
{
Label21.Text = "";
MultiView1.ActiveViewIndex = -1;}

Figure 3: Handling paging of the GridView

The PageIndexChanging event handler receives an event argument of type GridViewPageEventArgs. The GridViewPageEventArgs class contains a property called NewPageIndex that specifies the new page index. The code sets the PageIndex property of the GridView to the value indicated in the NewPageIndex property and calls the BindGrid() method.

In the PageIndexChanged event we clear off the MultiView by setting its ActiveViewIndex property to -1. This way no View control will be visible and we will be saved from the mismatch between currently displayed users and user details already shown. For the same reason we also set the title label to empty string.

When the administrator clicks on the Show button from a row we need to display the details about that user. That means the Click event handler of the Show button needs to know the UserName of the user that is shown by that row. In order to satisfy this requirement we handle RowDataBound event of the GridView. The RowDataBound event is raised for each and every row (including header and footer row) when the row is data bound. Figure 4 shows the RowDataBound event handler of the GridView.

protected void GridView1_RowDataBound
(object sender, GridViewRowEventArgs e)
{
if (e.Row.RowType == DataControlRowType.DataRow &&
e.Row.RowState == DataControlRowState.Normal)
{
Button b1 = (Button)e.Row.FindControl("Button1");
Label l = (Label)e.Row.FindControl("Label1");
b1.CommandName = e.Row.RowIndex.ToString();
b1.CommandArgument = l.Text;
}
}

Figure 4: Handling RowDataBound event of the GridView.

We need to execute our code only for the rows that contain data i.e. excluding header and footer rows and those that are in read only mode. This is done with the help of RowType and RowState properties as shown. The code then retrieves a reference to the Show button and user name label by calling FindControl() method. Then the CommandName property of the button is set to the current row index. Similarly the CommandArgument is set to the user name as displayed in the label. This way the Show button�s Click event handler will know which row has been clicked and what the corresponding user name is.

Editing and deleting users

Recollect that we have Edit, Delete, Update and Cancel buttons in the ItemTemplate and EditItemTemplate of the GridView template column. We have set the CommandName property of these buttons to Edit, Delete, Update and Cancel respectively. Due to this these buttons will raise RowEditing, RowDeleting, RowUpdating and RowCancelingEdit events when clicked. We will handle these events in order to add editing capabilities to our GridView. Figure 5 shows the event handlers for these events.

protected void GridView1_RowEditing
(object sender, GridViewEditEventArgs e)
{
GridView1.EditIndex = e.NewEditIndex;
BindGrid();
}

protected void GridView1_RowUpdating
(object sender, GridViewUpdateEventArgs e)
{
Label l=(Label) GridView1.Rows[e.RowIndex].
FindControl("Label1");
TextBox t1 = (TextBox)GridView1.Rows[e.RowIndex].
FindControl("TextBox12");
TextBox t2 = (TextBox)GridView1.Rows[e.RowIndex].
FindControl("TextBox13");
MembershipUser user = Membership.GetUser(l.Text);
user.Email = t1.Text;
user.Comment = t2.Text;
Membership.UpdateUser(user);
GridView1.EditIndex = -1;
BindGrid();
}

protected void GridView1_RowCancelingEdit
(object sender, GridViewCancelEditEventArgs e)
{
GridView1.EditIndex = -1;
BindGrid();
}

protected void GridView1_RowDeleting
(object sender, GridViewDeleteEventArgs e)
{
Label l = (Label)GridView1.Rows[e.RowIndex].
FindControl("Label1");
Membership.DeleteUser(l.Text);
BindGrid();
}

Figure 5: Editing and deleting related event handlers

The RowEditing event handler receives a parameter of type GridViewEditEventArgs. The GridViewEditEventArgs class contains a property called NewEditIndex that indicates the row index of the row whose Edit button has been clicked. The code sets EditIndex property of the GridView to the value of the NewEditIndex property. Setting the EditIndex property will cause the GridView to enter in edit mode and EditItemTemplate will be displayed. The code then calls the BindGrid() method to bind the GridView again.

The RowUpdating event is the important event wherein the actual operation of updating the user is done. The RowUpdating event receives a parameter of type GridViewUpdateEventArgs. The GridViewUpdateEventArgs class provides the row index of the row being updated via RowIndex property. The code retrieves a reference to the row being updated from the Rows collection of the GridView. The code further obtains references to the user name label and email and comment textboxes using FindControl() method. The MembershipUser object corresponding to the specified user is obtained using the GetUser() method of the Membership object. The code then updates the Email and Comment properties of the MembershipUser instance and updates the user information back using UpdateUser() method of the Membership object. Finally, EditIndex property of the GridView is set to -1 to take the GridView back into read only mode.

The RowCancelingEdit event handler simply sets the EditIndex property of the GridView to -1 and binds the GridView again. This will take the GridView into read only mode.

The RowDeleting event handler receives a parameter of type GridViewDeleteEventArgs. The GridViewDeleteEventArgs class supplies the RowIndex of the row whose Delete button has been clicked. This RowIndex is used to retrieve the row being deleted from Rows collection of the GridView. Once the UserName is obtained from the user name label the code calls DeleteUser() method of the Membership object and rebinds the GridView.

Showing the user information

Each row of the GridView displays a Show button in addition to Edit and Delete buttons. The administrator can select the category of information to view and click on the Show button. Figure 6 shows the outline of code that goes in the Click event handler of the Show button.

protected void Button1_Click1
(object sender, EventArgs e)
{
Button b = (Button)sender;
MembershipUser user = Membership.
GetUser(b.CommandArgument.ToString());
ViewState["username"] = user.UserName;
Label21.Text = "Managing Details for " + user.UserName;
DropDownList ddl = (DropDownList)GridView1.
Rows[int.Parse(b.CommandName)].FindControl("DropDownList1");
switch (ddl.SelectedValue)
{
case "Status":

case "Activity":

case "Security":

case "Roles":

case "Profile":

}
}

Figure 6: Click event handler of Show button

The code first typecasts the sender parameter into a Button. This way we get reference to the Show button that is being clicked. Recollect that we have set the CommandArgument property of the Show button to the UserName. The code retrieves a MembershipUser instance by calling GetUser() method of the Membership object passing this CommandArgument as a parameter. The MembershipUser instance is used by the remaining code to extract required information about the user. The title label shows the UserName of the user whose details are being shown. The UserName is persisted in a ViewState variabled called username for later reference. Finally there is a switch statement that tests the selection in the DropDownList control. Each case of the switch statement populates and displays the corresponding View control from the MultiView control. The code of each case is discussed next.

Showing user status

The User Status panel shows whether the user is active, locked our and on line. The case for user status contains the code as shown in Figure 7.

...
case "Status":
CheckBox1.Checked = user.IsApproved;
CheckBox2.Checked = user.IsLockedOut;
CheckBox3.Checked = user.IsOnline;
if (user.IsLockedOut)
{
CheckBox2.Enabled = true;
}
else
{
CheckBox2.Enabled = false;
}
MultiView1.ActiveViewIndex = 0;
break;
...

Figure 7: Case for User Status

The code simply sets the checkbox values depending on the three Boolean properties of MembershipUser instance � IsApproved, IsLockedOut and IsOnline. The user might have registered with the web site but his account may not be activated. This is indicated by the IsApproved property. By default when the user performs five unsuccessful login attempts his account gets marked as locked. This is indicated by IsLockedOut property. The administrator can unlock a user only if his account is locked. Hence the lock out checkbox is enabled only if the account is locked out. Similarly the IsOnLine property indicates whether the user is currently logged in to the web site. The administrator can not change the on line status of the user and hence the related checkbox is always disabled. After assigning the Checked property the ActiveViewIndex property of the MultiView is set to 0. This causes the MultiView to show the User Status panel in the browser.

Showing user activity

The case for User Activity looks like Figure 8.

...
case "Activity":
Label11.Text = user.CreationDate.ToString();
Label12.Text = user.LastActivityDate.ToString();
Label13.Text = user.LastLockoutDate.ToString();
Label14.Text = user.LastLoginDate.ToString();
Label15.Text = user.LastPasswordChangedDate.ToString();
MultiView1.ActiveViewIndex = 1;
break;
...

Figure 8: Case for User Activity

The code in Figure 8 is fairly simple. It simply retrieves various activity related properties and sets the labels accordingly. All the activity related properties return DateTime instance. The CreationDate property returns the date and time at which the user registered with the web site. The LastActivityDate property indicates the date and time when the user was last authenticated. The LastLockoutDate property returns the date and time when the user account was last locked out. A user account can get locked out when the user tries to signing in unsuccessfully for the number of attempts as indicated by MaxInvalidPasswordAttempts property of the underlying provider. The LastLoginDate property returns the date and time at which the user last logged in to the web site. Finally LastPasswordChangedDate property returns the date and time when the user last changed the password. The ActiveViewIndex property of the MultiView control is set to 1 this time.

Managing security details

The case for Security is shown in Figure 9.

...
case "Security":
Label22.Text = user.PasswordQuestion;
if (!Membership.Provider.EnablePasswordReset)
{
Button5.Enabled = false;
}
if (!Membership.Provider.EnablePasswordRetrieval)
{
Button4.Enabled = false;
}
if (Membership.Provider.PasswordFormat ==
MembershipPasswordFormat.Hashed)
{
Button4.Enabled = false;
Button5.Enabled = false;
}
MultiView1.ActiveViewIndex = 2;
break;
...

Figure 9: Case for Security

The code displays the password question as entered by the user at the time of registration. Then the code checks if the password reset feature is enabled by the membership provider. This is done by checking the EnablePasswordReset property. Depending on the outcome of the check the Reset Password button is enabled or disabled. On the same lines the code checks if the password retrieval feature is enabled by the membership provider. This is done by checking the EnablePasswordRetrieval property. Additionally the code checks if the password storage format is Hashed. Hashed passwords can not be retrieved even if EnablePasswordRetrieval property returns true. Accordingly the Get Password button is enabled or disabled. Finally ActiveViewIndex property of the MultiView control is set to 2 so that the Security View is shown.

The Security panel allows the administrator to perform in all four operations � changing the password, changing the security question and answer, retrieve password and reset password. The Click event handler for Change Password button is shown in Figure 10.

protected void Button6_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.
GetUser(ViewState["username"].ToString());
bool result = user.ChangePassword(
TextBox3.Text, TextBox4.Text);
}

Figure 10: Changing the password

The code retrieves the MembershipUser instance by calling GetUser() method of the Membership object. Recollect that the Click event of the Show button stores the user name in a ViewState variable called username. The same ViewState variable is used here and passed to the GetUser() method. Finally ChangePassword() method of the MembershipUser instance is called. The ChangePassword() method accepts the old and new passwords and returns the true or false depending on success or failure to change the password.

Figure 11 shows the Click event handler of the Change Password Q & A button.

protected void Button7_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser(
ViewState["username"].ToString());
bool result = user.ChangePasswordQuestionAndAnswer(
TextBox6.Text, TextBox7.Text, TextBox8.Text);
}

Figure 11: Changing the password question and answer.

The code retrieves the MembershipUser instance by calling GetUser() method of the Membership object. Then ChangePasswordQuestionAndAnswer() method of the MembershipUser instance is called. The ChangePasswordQuestionAndAnswer() method accepts three parameters � password, new question and new answer. The method returns true or false indicating the successor failure of the operation.

The Click event handler of the Get Password button is shown in Figure 12.

protected void Button4_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser(
ViewState["username"].ToString());
string str = user.GetPassword(TextBox9.Text);
Label30.Text = "Password :" + str;
}

Figure 12: Retrieving the password

The code retrieves the MembershipUser instance by calling GetUser() method of the Membership object. In order to retrieve password of the user GetPassword() method is called. The GetPassword() method accepts password answer as a parameter and returns the password. The password is then displayed in a label.

Finally the Click event handler of Reset Password button is shown in Figure 13.

protected void Button5_Click
(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser(
ViewState["username"].ToString());
string str = user.ResetPassword(TextBox9.Text);
Label30.Text = "Password has been reset to :" + str;
}

Figure 13: Resetting the password

The code retrieves the MembershipUser instance by calling GetUser() method of the Membership object as before. Then ResetPassword() method of the MembershipUser instance is called. The method accepts the password answer as a parameter and returns the new password as a return value. The new password is then displayed in a label.

Summary

In this part we covered display of user information and password management. The next part will deal with role management and managing profile of the user.

Note : this article is collected from the website all right reserved BinaryIntellect Consulting.