Security / Membership & Role Providers / User Manager / Advanced
Implementing the Business Rules
Instead of allowing the application framework to handle the CRUD operations, let’s prevent the default behavior and implement several business rules. These business rules with use the ASP.NET Membership API to insert, update, and delete users.
Insert
In the Project Explorer, right-click on Users / Business Rules node, and press New Business Rule.
Assign the following properties:
| Property | Value |
| Type | C# / Visual Basic |
| Command Name | Insert |
| Phase | Before |
Press OK to save the business rule. On the toolbar, press Browse to regenerate the web app and create the business rule file. When finished, right-click on Users / Business Rules / Insert (Code / Before) – r101 node and press Edit Rule in Visual Studio.
Replace the content of the file with the following:
C#:
using System; using System.Web; using System.Web.Security; using MyCompany.Data; using MyCompany.Security; namespace MyCompany.Rules { public partial class UsersBusinessRules : MyCompany.Data.BusinessRules { /// <summary> /// This method will execute in any view before an action /// with a command name that matches "Insert". /// </summary> [Rule("r101")] public void r101Implementation( FieldValue userID, string userName, string password, string email, string comment, string passwordQuestion, string passwordAnswer, bool isApproved, DateTime? lastActivityDate, DateTime? lastLoginDate, DateTime? lastPasswordChangedDate, DateTime? creationDate, bool? isLockedOut, DateTime? lastLockedOutDate, int? failedPasswordAttemptCount, DateTime? failedPasswordAttemptWindowStart, int? failedPasswordAnswerAttemptCount, DateTime? failedPasswordAnswerAttemptWindowStart, string roles, string confirmPassword, int? roleID) { // prevent execution of CRUD operations by the application framework PreventDefault(); // ensure that "Password" and "ConfirmPassword" match if (password != confirmPassword) throw new Exception(Localize("PasswordAndConfirmationDoNotMatch", "Password and confirmation do not match")); // create a user with the Membership API MembershipCreateStatus status; MembershipUser newUser = Membership.CreateUser(userName, password, email, passwordQuestion, passwordAnswer, isApproved, out status); // analyze and report any errors if (status != MembershipCreateStatus.Success) { string error = null; switch (status) { case MembershipCreateStatus.DuplicateEmail: error = "Duplicate email address."; break; case MembershipCreateStatus.DuplicateProviderUserKey: error = "Duplicate provider key"; break; case MembershipCreateStatus.DuplicateUserName: error = "Duplicate user name."; break; case MembershipCreateStatus.InvalidAnswer: error = "Invalid password recovery answer."; break; case MembershipCreateStatus.InvalidEmail: error = "Invalid email address."; break; case MembershipCreateStatus.InvalidPassword: error = string.Format("Invalid password. Requires at least {0} " + "characters and {1} non-alphanumeric characters.", Membership.Provider.MinRequiredPasswordLength, Membership.Provider.MinRequiredNonAlphanumericCharacters); break; case MembershipCreateStatus.InvalidProviderUserKey: error = "Invalid provider user key."; break; case MembershipCreateStatus.InvalidQuestion: error = "Invalid password recovery question."; break; case MembershipCreateStatus.InvalidUserName: error = "Invalid user name."; break; case MembershipCreateStatus.ProviderError: error = "Provider error."; break; case MembershipCreateStatus.UserRejected: error = "User has been rejected."; break; } throw new Exception(error); } // assign "Comment" to the new user if (!(String.IsNullOrEmpty(comment))) { newUser.Comment = comment; Membership.UpdateUser(newUser); } // assign "Roles" to the new user if (!(String.IsNullOrEmpty(roles))) { string[] newRoles = Convert.ToString(roles).Split(','); foreach (string role in newRoles) if (!(String.IsNullOrEmpty(role))) System.Web.Security.Roles.AddUserToRole( userName, role); } } } }
Visual Basic:
Imports MyCompany.Data Imports System Imports System.Collections.Generic Imports System.Data Imports System.Linq Imports System.Text.RegularExpressions Imports System.Web Imports System.Web.Security Namespace MyCompany.Rules Partial Public Class UsersBusinessRules Inherits MyCompany.Data.BusinessRules ''' <summary> ''' This method will execute in any view before an action ''' with a command name that matches "Insert". ''' </summary> <Rule("r101")> _ Public Sub r101Implementation( _ ByVal userID As FieldValue, _ ByVal userName As String, _ ByVal password As String, _ ByVal email As String, _ ByVal comment As String, _ ByVal passwordQuestion As String, _ ByVal passwordAnswer As String, _ ByVal isApproved As Nullable(Of Boolean), ByVal isLockedOut As Nullable(Of Boolean), _ ByVal roles As String, _ ByVal confirmPassword As String) ' prevent execution of CRUD operations by the application framework PreventDefault() ' ensure that "Password" and "ConfirmPassword" match If (password <> confirmPassword) Then Throw New Exception(Localize("PasswordAndConfirmationDoNotMatch", "Password and confirmation do not match")) End If Dim status As MembershipCreateStatus ' create a user with the Membership API Dim newUser As MembershipUser = Membership.CreateUser(userName, password, email, passwordQuestion, passwordAnswer, isApproved, status) ' analyze and report any errors If (status <> MembershipCreateStatus.Success) Then Dim [error] As String = "" Select Case status Case MembershipCreateStatus.DuplicateEmail [error] = "Duplicate email address." Case MembershipCreateStatus.DuplicateProviderUserKey [error] = "Duplicate provider key" Case MembershipCreateStatus.DuplicateUserName [error] = "Duplicate user name." Case MembershipCreateStatus.InvalidAnswer [error] = "Invalid password recovery answer." Case MembershipCreateStatus.InvalidEmail [error] = "Invalid email address." Case MembershipCreateStatus.InvalidPassword [error] = String.Format("Invalid password. Requires at least {0} " + "characters and {1} non-alphanumeric characters.", Membership.Provider.MinRequiredPasswordLength, Membership.Provider.MinRequiredNonAlphanumericCharacters) Case MembershipCreateStatus.InvalidProviderUserKey [error] = "Invalid provider user key." Case MembershipCreateStatus.InvalidQuestion [error] = "Invalid password recovery question." Case MembershipCreateStatus.InvalidUserName [error] = "Invalid user name." Case MembershipCreateStatus.ProviderError [error] = "Provider error." Case MembershipCreateStatus.UserRejected [error] = "User has been rejected." End Select Throw New Exception([error]) End If ' assign "Comment" to the new user If (Not (String.IsNullOrEmpty(comment))) Then newUser.Comment = comment Membership.UpdateUser(newUser) End If ' assign "Roles" to the new user If (Not String.IsNullOrEmpty(roles)) Then Dim newRoles() As String = Convert.ToString(roles).Split(",") For Each role As String In newRoles If (Not String.IsNullOrEmpty(role)) Then System.Web.Security.Roles.AddUserToRole(userName, role) End If Next End If End Sub End Class End Namespace
Save the file.
Update
Create another business rule with the following properties:
| Property | Value |
| Type | C# / Visual Basic |
| Command Name | Update |
| Phase | Before |
Save the business rule, and generate the web app. Edit the rule in Visual Studio. You may need to press Refresh in the Solution Explorer toolbar of Visual Studio for the rule to appear.
Replace the code base with the following.
C#:
using System; using System.Web.Security; using MyCompany.Data; using MyCompany.Security; namespace MyCompany.Rules { public partial class UsersBusinessRules : MyCompany.Data.BusinessRules { /// <summary> /// This method will execute in any view before an action /// with a command name that matches "Update". /// </summary> [Rule("r102")] public void r102Implementation( FieldValue userID, string userName, FieldValue password, FieldValue email, FieldValue comment, FieldValue passwordQuestion, FieldValue passwordAnswer, FieldValue isApproved, DateTime? lastActivityDate, DateTime? lastLoginDate, DateTime? lastPasswordChangedDate, DateTime? creationDate, FieldValue isLockedOut, DateTime? lastLockedOutDate, int? failedPasswordAttemptCount, DateTime? failedPasswordAttemptWindowStart, int? failedPasswordAnswerAttemptCount, DateTime? failedPasswordAnswerAttemptWindowStart, FieldValue roles) { // prevent execution of CRUD operations by the application framework PreventDefault(); // get user object by name MembershipUser user = Membership.GetUser(userName); if (user != null) { // update "Email" if changed if (email.Modified) { user.Email = Convert.ToString(email.Value); Membership.UpdateUser(user); } // update "Is Approved" if changed if (isApproved.Modified) { user.IsApproved = Convert.ToBoolean(isApproved.Value); Membership.UpdateUser(user); } // unlock user account if necessary if (isLockedOut.Modified) { if (Convert.ToBoolean(isLockedOut.Value)) { Result.Focus("IsLockedOut", Localize("UserCannotBeLockedOut", "User cannot be locked out. If you want to prevent this " + "user from being able to login then simply mark user as" + " \'Not Approved\'.")); throw new Exception(Localize("ErrorSavingUser", "Error saving user account.")); } user.UnlockUser(); } // update "Comment" if changed if (comment.Modified) { user.Comment = Convert.ToString(comment.Value); Membership.UpdateUser(user); } // update "Roles" if changed if (roles.Modified) { string[] newRoles = Convert.ToString(roles.Value).Split(','); string[] oldRoles = System.Web.Security.Roles.GetRolesForUser( user.UserName); foreach (string role in oldRoles) if (!(String.IsNullOrEmpty(role)) && (Array.IndexOf( newRoles, role) == -1)) System.Web.Security.Roles.RemoveUserFromRole( user.UserName, role); foreach (string role in newRoles) if (!(String.IsNullOrEmpty(role)) && (Array.IndexOf(oldRoles, role) == -1)) System.Web.Security.Roles.AddUserToRole( user.UserName, role); } } } } }
Visual Basic:
Imports MyCompany.Data Imports System Imports System.Web.Security Namespace MyCompany.Rules Partial Public Class UsersBusinessRules Inherits MyCompany.Data.BusinessRules ''' <summary> ''' This method will execute in any view before an action ''' with a command name that matches "Update". ''' </summary> <Rule("r102")> _ Public Sub r102Implementation( _ ByVal userID As FieldValue, _ ByVal userName As String, _ ByVal password As FieldValue, _ ByVal email As FieldValue, _ ByVal comment As FieldValue, _ ByVal passwordQuestion As FieldValue, _ ByVal passwordAnswer As FieldValue, _ ByVal isApproved As FieldValue, _ ByVal lastActivityDate As Nullable(Of DateTime), _ ByVal lastLoginDate As Nullable(Of DateTime), _ ByVal lastPasswordChangedDate As Nullable(Of DateTime), _ ByVal creationDate As Nullable(Of DateTime), _ ByVal isLockedOut As FieldValue, _ ByVal lastLockedOutDate As Nullable(Of DateTime), _ ByVal failedPasswordAttemptCount As Nullable(Of Integer), _ ByVal failedPasswordAttemptWindowStart As Nullable(Of DateTime), _ ByVal failedPasswordAnswerAttemptCount As Nullable(Of Integer), _ ByVal failedPasswordAnswerAttemptWindowStart As Nullable(Of DateTime), _ ByVal roles As FieldValue, _ ByVal confirmPassword As String, _ ByVal roleID As Nullable(Of Integer)) ' prevent execution of CRUD operations by the application framework PreventDefault() ' get user object by name Dim user As MembershipUser = Membership.GetUser(userName) If Not (user Is Nothing) Then ' update "Email" if changed If email.Modified Then user.Email = Convert.ToString(email.Value) Membership.UpdateUser(user) End If ' update "Is Approved" if changed If isApproved.Modified Then user.IsApproved = Convert.ToBoolean(isApproved.Value) Membership.UpdateUser(user) End If ' unlock user account if necessary If isLockedOut.Modified Then If (Convert.ToBoolean(isLockedOut.Value)) Then Result.Focus("IsLockedOut", Localize("UserCannotBeLockedOut", "User cannot be locked out. If you want to prevent this " + "user from being able to login then simply mark user as " + "'Not Approved'.")) Throw New Exception(Localize("ErrorSavingUser", "Error saving user account.")) End If user.UnlockUser() End If ' update "Comment" if changed If comment.Modified Then user.Comment = Convert.ToString(comment.Value) Membership.UpdateUser(user) End If ' update "Roles" if changed If roles.Modified Then Dim newRoles() As String = Convert.ToString(roles.Value).Split(",") Dim oldRoles() As String = System.Web.Security.Roles.GetRolesForUser( user.UserName) For Each role As String In oldRoles If Not (String.IsNullOrEmpty(role) And (Array.IndexOf( newRoles, role) = -1)) Then System.Web.Security.Roles.RemoveUserFromRole(user.UserName, role) End If Next For Each role As String In newRoles If Not (String.IsNullOrEmpty(role) And (Array.IndexOf( oldRoles, role) = -1)) Then System.Web.Security.Roles.AddUserToRole(user.UserName, role) End If Next End If End If End Sub End Class End Namespace
Save the file.
Delete
Create another business rule:
| Property | Value |
| Type | C# / Visual Basic |
| Command Name | Delete |
| Phase | Before |
Save, regenerate the web app, and open the business rule file in Visual Studio. Replace the code:
C#:
using System; using System.Data; using System.Collections.Generic; using System.Linq; using System.Text.RegularExpressions; using System.Web; using System.Web.Security; using MyCompany.Data; using MyCompany.Security; namespace MyCompany.Rules { public partial class UsersBusinessRules : MyCompany.Data.BusinessRules { /// <summary> /// This method will execute in any view before an action /// with a command name that matches "Delete". /// </summary> [Rule("r103")] public void r103Implementation( FieldValue userID, string userName, string password, string email, string comment, string passwordQuestion, string passwordAnswer, bool? isApproved, DateTime? lastActivityDate, DateTime? lastLoginDate, DateTime? lastPasswordChangedDate, DateTime? creationDate, bool? isLockedOut, DateTime? lastLockedOutDate, int? failedPasswordAttemptCount, DateTime? failedPasswordAttemptWindowStart, int? failedPasswordAnswerAttemptCount, DateTime? failedPasswordAnswerAttemptWindowStart) { // prevent execution of CRUD operations by the application framework PreventDefault(); // delete the user account MembershipUser user = Membership.GetUser(userName); Membership.DeleteUser(user.UserName); // instruct the client library to display the previous view Result.ShowLastView(); // instruct the client library to show a confirmation message Result.ShowMessage(String.Format(Localize("UserHasBeenDeleted", "User \'{0}\' has been deleted."), user.UserName)); } } }
Visual Basic:
Imports MyCompany.Data Imports System Imports System.Collections.Generic Imports System.Data Imports System.Linq Imports System.Text.RegularExpressions Imports System.Web Imports System.Web.Security Namespace MyCompany.Rules Partial Public Class UsersBusinessRules Inherits MyCompany.Data.BusinessRules ''' <summary> ''' This method will execute in any view before an action ''' with a command name that matches "Delete". ''' </summary> <Rule("r103")> _ Public Sub r103Implementation( _ ByVal userID As FieldValue, _ ByVal userName As String, _ ByVal password As String, _ ByVal email As String, _ ByVal comment As String, _ ByVal passwordQuestion As String, _ ByVal passwordAnswer As String, _ ByVal isApproved As Nullable(Of Boolean), _ ByVal lastActivityDate As Nullable(Of DateTime), _ ByVal lastLoginDate As Nullable(Of DateTime), _ ByVal lastPasswordChangedDate As Nullable(Of DateTime), _ ByVal creationDate As Nullable(Of DateTime), _ ByVal isLockedOut As Nullable(Of Boolean), _ ByVal lastLockedOutDate As Nullable(Of DateTime), _ ByVal failedPasswordAttemptCount As Nullable(Of Integer), _ ByVal failedPasswordAttemptWindowStart As Nullable(Of DateTime), _ ByVal failedPasswordAnswerAttemptCount As Nullable(Of Integer), _ ByVal failedPasswordAnswerAttemptWindowStart As Nullable(Of DateTime), _ ByVal roles As String, _ ByVal confirmPassword As String, _ ByVal roleID As Nullable(Of Integer)) ' prevent execution of CRUD operations by the application framework PreventDefault() ' delete the user account Dim user As MembershipUser = Membership.GetUser(userName) Membership.DeleteUser(user.UserName) ' instruct the client library to display the previous view Result.ShowLastView() ' instruct the client library to show a confirmation message Result.ShowMessage(String.Format(Localize("UserHasBeenDeleted", "User {0} has been deleted."), user.UserName)) End Sub End Class End Namespace
Save the code.