By chatura


2012-11-08 07:52:04 8 Comments

I'm using a custom authorize attribute to authorize users' access based on their permission levels. I need to redirect unauthorized users (eg. user tries to delete an invoice without Delete acess level) to access denied page.

The custom attribute is working. But in a case of unauthorized user access, nothing shown in the browser.

Contoller Code.

public class InvoiceController : Controller
{
    [AuthorizeUser(AccessLevel = "Create")]
    public ActionResult CreateNewInvoice()
    {
        //...

        return View();
    }

    [AuthorizeUser(AccessLevel = "Delete")]
    public ActionResult DeleteInvoice(...)
    {
        //...

        return View();
    }

    // more codes/ methods etc.
}

Custom Attribute class code.

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Custom property
    public string AccessLevel { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {                
            return false;
        }

        string privilegeLevels = string.Join("", GetUserRights(httpContext.User.Identity.Name.ToString())); // Call another method to get rights of the user from DB

        if (privilegeLevels.Contains(this.AccessLevel))
        {
            return true;
        }
        else
        {
            return false;
        }            
    }
}

Appreciate if you can share your experience on this.

1 comments

@VJAI 2012-11-08 15:40:50

You have to override the HandleUnauthorizedRequest as specified here.

public class CustomAuthorize: AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            filterContext.Result = new RedirectToRouteResult(new
            RouteValueDictionary(new{ controller = "Error", action = "AccessDenied" }));
        }
    }
}

**Note: updated conditional statement Jan '16

@meataxe 2013-03-13 00:42:11

Possible duplicate. See Ben Cull's answer here, which addresses thread safety that this answer doesn't.

@phandinhlan 2014-11-12 23:04:13

Also, should it be: if ( false == filterContext.HttpContext.User.Identity.IsAuthenticated)

@phandinhlan 2014-11-12 23:23:52

If the redirected destination action takes a parameter, how would you pass that to the function? For example: AcessDenied( string PermissionNeeded )

Related Questions

Sponsored Content

5 Answered Questions

4 Answered Questions

2 Answered Questions

11 Answered Questions

[SOLVED] How to make custom error pages work in ASP.NET MVC 4

1 Answered Questions

[SOLVED] Using more than one Custom Authorize Attribute

3 Answered Questions

1 Answered Questions

1 Answered Questions

[SOLVED] Custom Authorization Attribute Not Working

  • 2013-04-24 05:01:54
  • user1618825
  • 1348 View
  • 0 Score
  • 1 Answer
  • Tags:   asp.net-mvc-4

2 Answered Questions

[SOLVED] Using custom authorization in MVC 4

3 Answered Questions

[SOLVED] ASP.NET MVC Roles Authorization

Sponsored Content