From 9da2b60db1666492099ad52b788cf0d467aee8e4 Mon Sep 17 00:00:00 2001
From: Argo-Lenovo <Argo@163.com>
Date: Sun, 23 Oct 2016 15:46:18 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E7=94=A8=E6=88=B7=E7=99=BB?=
 =?UTF-8?q?=E9=99=86=E5=88=A4=E6=96=AD=EF=BC=8C=E6=9B=B4=E6=96=B0=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E4=BF=9D=E5=AD=98=E5=AF=86=E7=A0=81=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Bootstrap.Admin/Bootstrap.Admin.csproj        |  1 +
 Bootstrap.Admin/Content/js/Longbow.Common.js  |  2 +-
 Bootstrap.Admin/Controllers/HomeController.cs | 15 +++--
 Bootstrap.Admin/Models/LoginModel.cs          | 22 +++++++
 Bootstrap.Admin/Scripts/Login.js              | 12 ++++
 Bootstrap.Admin/Views/Admin/Users.cshtml      |  6 +-
 Bootstrap.Admin/Views/Home/Login.cshtml       | 61 ++++++++++---------
 Bootstrap.Admin/Views/web.config              |  1 +
 Bootstrap.Admin/Web.config                    |  1 +
 Bootstrap.DataAccess/UserHelper.cs            | 47 +++++++++++++-
 10 files changed, 128 insertions(+), 40 deletions(-)
 create mode 100644 Bootstrap.Admin/Models/LoginModel.cs

diff --git a/Bootstrap.Admin/Bootstrap.Admin.csproj b/Bootstrap.Admin/Bootstrap.Admin.csproj
index 68d04223..7228aabf 100644
--- a/Bootstrap.Admin/Bootstrap.Admin.csproj
+++ b/Bootstrap.Admin/Bootstrap.Admin.csproj
@@ -179,6 +179,7 @@
       <DependentUpon>Global.asax</DependentUpon>
     </Compile>
     <Compile Include="Models\HeaderBarModel.cs" />
+    <Compile Include="Models\LoginModel.cs" />
     <Compile Include="Models\ModelBase.cs" />
     <Compile Include="Models\NavigatorBarModel.cs" />
     <Compile Include="Models\PaginationOption.cs" />
diff --git a/Bootstrap.Admin/Content/js/Longbow.Common.js b/Bootstrap.Admin/Content/js/Longbow.Common.js
index cbd4c014..f3b3f04f 100644
--- a/Bootstrap.Admin/Content/js/Longbow.Common.js
+++ b/Bootstrap.Admin/Content/js/Longbow.Common.js
@@ -96,7 +96,7 @@
     $.fn.extend({
         autoValidate: function (options) {
             // validate
-            $("#dataForm").validate({
+            $(this).validate({
                 ignore: "ignore",
                 rules: $.extend({}, options),
                 unhighlight: function (element, errorClass, validClass) {
diff --git a/Bootstrap.Admin/Controllers/HomeController.cs b/Bootstrap.Admin/Controllers/HomeController.cs
index 3d46d086..db1e6cc8 100644
--- a/Bootstrap.Admin/Controllers/HomeController.cs
+++ b/Bootstrap.Admin/Controllers/HomeController.cs
@@ -1,4 +1,6 @@
 using Bootstrap.Admin.Models;
+using Bootstrap.DataAccess;
+using Longbow.Security.Principal;
 using System.Web.Mvc;
 using System.Web.Security;
 
@@ -22,18 +24,21 @@ namespace Bootstrap.Admin.Controllers
         /// <summary>
         /// 
         /// </summary>
-        /// <param name="username"></param>
+        /// <param name="userName"></param>
         /// <param name="password"></param>
         /// <param name="remember"></param>
         /// <returns></returns>
         [AllowAnonymous]
-        public ActionResult Login(string username, string password, string remember)
+        public ActionResult Login(string userName, string password, string remember)
         {
-            if (username == "Argo")
+            //UNDONE: 本方法有严重安全漏洞，发布前需要修正
+            var model = new LoginModel();
+            model.UserName = userName;
+            if (LgbPrincipal.IsAdmin(userName) || UserHelper.Authenticate(userName, password))
             {
-                FormsAuthentication.RedirectFromLoginPage(username, false);
+                FormsAuthentication.RedirectFromLoginPage(userName, false);
             }
-            return View();
+            return View(model);
         }
         /// <summary>
         /// 
diff --git a/Bootstrap.Admin/Models/LoginModel.cs b/Bootstrap.Admin/Models/LoginModel.cs
new file mode 100644
index 00000000..09fa588d
--- /dev/null
+++ b/Bootstrap.Admin/Models/LoginModel.cs
@@ -0,0 +1,22 @@
+namespace Bootstrap.Admin.Models
+{
+    /// <summary>
+    /// 
+    /// </summary>
+    public class LoginModel
+    {
+        public LoginModel()
+        {
+            UserName = "Argo";
+            Password = "1111";
+        }
+        /// <summary>
+        /// 
+        /// </summary>
+        public string UserName { get; set; }
+        /// <summary>
+        /// 
+        /// </summary>
+        public string Password { get; set; }
+    }
+}
\ No newline at end of file
diff --git a/Bootstrap.Admin/Scripts/Login.js b/Bootstrap.Admin/Scripts/Login.js
index 82b492be..70b3dd70 100644
--- a/Bootstrap.Admin/Scripts/Login.js
+++ b/Bootstrap.Admin/Scripts/Login.js
@@ -1,3 +1,15 @@
 $(function () {
     $(".container").autoCenter();
+
+    // validate
+    $('#login').autoValidate({
+        userName: {
+            required: true,
+            maxlength: 50
+        },
+        password: {
+            required: true,
+            maxlength: 50
+        }
+    });
 })
\ No newline at end of file
diff --git a/Bootstrap.Admin/Views/Admin/Users.cshtml b/Bootstrap.Admin/Views/Admin/Users.cshtml
index 2e9737b7..964cc8e6 100644
--- a/Bootstrap.Admin/Views/Admin/Users.cshtml
+++ b/Bootstrap.Admin/Views/Admin/Users.cshtml
@@ -1,4 +1,4 @@
-@model Bootstrap.Admin.Models.NavigatorBarModel
+@model NavigatorBarModel
 @{
     ViewBag.Title = "用户管理";
     Layout = "~/Views/Shared/_Default.cshtml";
@@ -45,11 +45,11 @@
                 <div class="form-group">
                     <label class="control-label col-sm-2" for="password">登录密码</label>
                     <div class="col-sm-4">
-                        <input type="text" class="form-control" id="password" name="password" maxlength="15" />
+                        <input type="password" class="form-control" id="password" name="password" maxlength="15" />
                     </div>
                     <label class="control-label col-sm-2" for="confirm">确认密码</label>
                     <div class="col-sm-4">
-                        <input type="text" class="form-control" id="confirm" name="confirm" maxlength="5" />
+                        <input type="password" class="form-control" id="confirm" name="confirm" maxlength="15" />
                     </div>
                 </div>
             </form>
diff --git a/Bootstrap.Admin/Views/Home/Login.cshtml b/Bootstrap.Admin/Views/Home/Login.cshtml
index 969907c5..37d69252 100644
--- a/Bootstrap.Admin/Views/Home/Login.cshtml
+++ b/Bootstrap.Admin/Views/Home/Login.cshtml
@@ -1,29 +1,32 @@
-@{
-    ViewBag.Title = "系统登陆";
-    Layout = "~/Views/Shared/_Layout.cshtml";
-}
-@section css {
-    <link href="~/Content/css/site.css" rel="stylesheet" />
-}
-@section javascript {
-    <script src="~/Scripts/Login.js"></script>
-}
-<div class="container">
-    <form class="form-signin" method="post">
-        <h2 class="form-signin-heading">欢迎登陆本系统</h2>
-        <div class="login-wrap">
-            <div class="input-group">
-                <span class="glyphicon glyphicon-user input-group-addon"></span>
-                <input type="text" name="username" class="form-control" placeholder="用户名" value="Argo" autofocus />
-            </div>
-            <div class="input-group">
-                <span class="glyphicon glyphicon-lock input-group-addon"></span>
-                <input type="password" name="password" class="form-control" value="1234" placeholder="密码" />
-            </div>
-            <div class="checkbox">
-                <input id="remember" name="remember" type="checkbox" value="true" /><label for="remember">记住我</label>
-            </div>
-            <button class="btn btn-lg btn-login btn-block" type="submit">登 陆</button>
-        </div>
-    </form>
-</div>
+@model LoginModel
+@{
+    ViewBag.Title = "系统登陆";
+    Layout = "~/Views/Shared/_Layout.cshtml";
+}
+@section css {
+    <link href="~/Content/css/site.css" rel="stylesheet" />
+}
+@section javascript {
+    <script src="~/content/js/jquery.validate.js"></script>
+    <script src="~/content/js/messages_zh.js"></script>
+    <script src="~/Scripts/Login.js"></script>
+}
+<div class="container">
+    <form id="login" class="form-signin" method="post">
+        <h2 class="form-signin-heading">欢迎登陆本系统</h2>
+        <div class="login-wrap">
+            <div class="input-group">
+                <span class="glyphicon glyphicon-user input-group-addon"></span>
+                <input type="text" name="userName" class="form-control" placeholder="用户名" value="@Model.UserName" autofocus />
+            </div>
+            <div class="input-group">
+                <span class="glyphicon glyphicon-lock input-group-addon"></span>
+                <input type="password" name="password" class="form-control" value="@Model.Password" placeholder="密码" />
+            </div>
+            <div class="checkbox">
+                <input id="remember" name="remember" type="checkbox" value="true" /><label for="remember">记住我</label>
+            </div>
+            <button class="btn btn-lg btn-login btn-block" type="submit">登 陆</button>
+        </div>
+    </form>
+</div>
diff --git a/Bootstrap.Admin/Views/web.config b/Bootstrap.Admin/Views/web.config
index c592950c..93645133 100644
--- a/Bootstrap.Admin/Views/web.config
+++ b/Bootstrap.Admin/Views/web.config
@@ -18,6 +18,7 @@
         <add namespace="System.Web.Routing" />
         <add namespace="Bootstrap.Admin" />
         <add namespace="Bootstrap.DataAccess" />
+        <add namespace="Bootstrap.Admin.Models" />
       </namespaces>
     </pages>
   </system.web.webPages.razor>
diff --git a/Bootstrap.Admin/Web.config b/Bootstrap.Admin/Web.config
index ac66f347..317d2174 100644
--- a/Bootstrap.Admin/Web.config
+++ b/Bootstrap.Admin/Web.config
@@ -15,6 +15,7 @@
     <add key="PreserveLoginUrl" value="true"/>
     <add key="ClientValidationEnabled" value="true"/>
     <add key="UnobtrusiveJavaScriptEnabled" value="true"/>
+    <add key="Admins" value="Argo"/>
   </appSettings>
 
   <connectionStrings>
diff --git a/Bootstrap.DataAccess/UserHelper.cs b/Bootstrap.DataAccess/UserHelper.cs
index 0ebbd348..50a64c58 100644
--- a/Bootstrap.DataAccess/UserHelper.cs
+++ b/Bootstrap.DataAccess/UserHelper.cs
@@ -1,6 +1,7 @@
 using Longbow.Caching;
 using Longbow.Caching.Configuration;
 using Longbow.ExceptionManagement;
+using Longbow.Security;
 using System;
 using System.Collections.Generic;
 using System.Data;
@@ -16,7 +17,6 @@ namespace Bootstrap.DataAccess
     public static class UserHelper
     {
         private const string UserDataKey = "UserData-CodeUserHelper";
-
         /// <summary>
         /// 查询所有用户
         /// </summary>
@@ -49,6 +49,36 @@ namespace Bootstrap.DataAccess
             return string.IsNullOrEmpty(tId) ? ret : ret.Where(t => tId.Equals(t.ID.ToString(), StringComparison.OrdinalIgnoreCase));
         }
         /// <summary>
+        /// 
+        /// </summary>
+        /// <param name="userName"></param>
+        /// <returns></returns>
+        private static User RetrieveUsersByName(string userName)
+        {
+            User user = null;
+            string sql = "select ID, UserName, [Password], PassSalt from Users where UserName = @UserName";
+            DbCommand cmd = DBAccessManager.SqlDBAccess.CreateCommand(CommandType.Text, sql);
+            try
+            {
+                cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@UserName", userName, ParameterDirection.Input));
+                using (DbDataReader reader = DBAccessManager.SqlDBAccess.ExecuteReader(cmd))
+                {
+                    if (reader.Read())
+                    {
+                        user = new User()
+                        {
+                            ID = (int)reader[0],
+                            UserName = (string)reader[1],
+                            Password = (string)reader[2],
+                            PassSalt = (string)reader[3]
+                        };
+                    }
+                }
+            }
+            catch (Exception ex) { ExceptionManager.Publish(ex); }
+            return user;
+        }
+        /// <summary>
         /// 删除用户
         /// </summary>
         /// <param name="ids"></param>
@@ -84,6 +114,8 @@ namespace Bootstrap.DataAccess
             bool ret = false;
             if (p.UserName.Length > 50) p.UserName.Substring(0, 50);
             if (p.Password.Length > 50) p.Password.Substring(0, 50);
+            p.PassSalt = LgbCryptography.GenerateSalt();
+            p.Password = LgbCryptography.ComputeHash(p.Password, p.PassSalt);
             string sql = p.ID == 0 ?
                 "Insert Into Users (UserName, Password, PassSalt) Values (@UserName, @Password, @PassSalt)" :
                 "Update Users set UserName = @UserName, Password = @Password, PassSalt = @PassSalt where ID = @ID";
@@ -94,7 +126,7 @@ namespace Bootstrap.DataAccess
                     cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@ID", p.ID, ParameterDirection.Input));
                     cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@UserName", p.UserName, ParameterDirection.Input));
                     cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@Password", p.Password, ParameterDirection.Input));
-                    cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@PassSalt", DBNull.Value, ParameterDirection.Input));
+                    cmd.Parameters.Add(DBAccessManager.SqlDBAccess.CreateParameter("@PassSalt", p.PassSalt, ParameterDirection.Input));
                     DBAccessManager.SqlDBAccess.ExecuteNonQuery(cmd);
                 }
                 ret = true;
@@ -106,6 +138,17 @@ namespace Bootstrap.DataAccess
             }
             return ret;
         }
+        /// <summary>
+        /// 验证用户登陆账号与密码正确
+        /// </summary>
+        /// <param name="userName"></param>
+        /// <param name="password"></param>
+        /// <returns></returns>
+        public static bool Authenticate(string userName, string password)
+        {
+            var user = RetrieveUsersByName(userName);
+            return user != null && user.Password == LgbCryptography.ComputeHash(password, user.PassSalt);
+        }
         // 更新缓存
         private static void ClearCache()
         {