
ASP.NET MVC 4 custom Authorize attribute - How to redirect unauthorized users to error page? [duplicate]

I'm using a custom authorize attribute to authorize users' access based on their permission levels. I need to redirect unauthorized users (e.g. a user tries to delete an invoice without Delete access level) to an access denied page.

The custom attribute is working. But in the case of unauthorized user access, nothing is shown in the browser.

Controller code.

```csharp
using System.Web.Mvc;

public class InvoiceController : Controller
{
    [AuthorizeUser(AccessLevel = "Create")]
    public ActionResult CreateNewInvoice()
    {
        //...

        return View();
    }

    [AuthorizeUser(AccessLevel = "Delete")]
    public ActionResult DeleteInvoice(...)
    {
        //...

        return View();
    }

    // more code / methods etc.
}
```

Custom Attribute class code.

```csharp
using System.Web;
using System.Web.Mvc;

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Custom property
    public string AccessLevel { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            return false;
        }

        // Call another method to get rights of the user from DB
        string privilegeLevels = string.Join("", GetUserRights(httpContext.User.Identity.Name.ToString()));

        // Substring test against the concatenated rights string
        if (privilegeLevels.Contains(this.AccessLevel))
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}
```

Appreciate if you can share your experience on this.

chatura asked Nov 08 '12 07:11


1 Answer

You have to override the HandleUnauthorizedRequest as specified here.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

public class CustomAuthorize : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: default handling (401, login redirect)
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            // Logged in but not permitted: redirect to the error page
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
        }
    }
}
```

Note: updated conditional statement Jan '16

VJAI answered Sep 30 '22 04:09
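
The question's attribute and the answer's override combined into one class, as an added example that is not part of the original question or answer. `RightsLookup` is a hypothetical hook standing in for the question's `GetUserRights` database call (assumed to yield one string per right), and the whole-name comparison is a swapped-in replacement for the question's substring test on the joined rights string.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    // Required access level for the decorated action, e.g. "Delete".
    public string AccessLevel { get; set; }

    // Hypothetical rights source (assumption, set once at application start).
    // The default returns no rights, so every request is denied until it is wired up.
    public static Func<string, IEnumerable<string>> RightsLookup = user => Enumerable.Empty<string>();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Deny unauthenticated users, and fail closed when no access level was set.
        if (!base.AuthorizeCore(httpContext) || string.IsNullOrEmpty(AccessLevel))
        {
            return false;
        }

        // Compare whole right names. A substring test on a joined string would also
        // accept "Delete" for a right named "DeleteDraft" (constructed name).
        var rights = RightsLookup(httpContext.User.Identity.Name) ?? Enumerable.Empty<string>();
        return rights.Contains(AccessLevel, StringComparer.Ordinal);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: keep the default 401 so forms authentication redirects to login.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in but lacking the right: send the user to the access denied page.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
    }
}
```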