I'm working on an ASP.NET MVC 5 project with its own Individual User Account template. I set roles for users. I authorized only specific roles for specific action methods. But the problem is, even when I'm logged in with a role that doesn't have access permission to a specific action method (for example the delete method), it navigates me to the login page. So I can log in with another user while I'm already logged in, and this doesn't make sense. Why does it handle authorization filters this way?!

So how do I make it give a custom error (show an access denied view) instead of navigating to the login page?

I'm trying to solve this from the answers from similar questions, but they don't get me anywhere!

Arianit
  • Don't know if you've seen this [answer](http://stackoverflow.com/a/977112/829997) but it helped me. [This](http://dotnetdevdude.com/Blog/2011/11/21/ASPNETMVCRedirectToCustomPageWhenUserIsNotAuthorized.aspx) was another helpful one – Lee Harris Aug 04 '16 at 15:21
  • This one I didn't find. I'm checking the answer and the other link – Arianit Aug 04 '16 at 16:02
  • @LeeHarris when I try to follow the link I get another problem, a runtime error: `Server Error in '/' Application.` `Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.` and the URL path is like this: Shared/Error?aspxerrorpath=/Reports/delete/1 Can you help me? – Arianit Aug 04 '16 at 16:28
  • I just confirmed that I can access both. Here are the URLs http://dotnetdevdude.com/Blog/2011/11/21/ASPNETMVCRedirectToCustomPageWhenUserIsNotAuthorized.aspx and http://stackoverflow.com/questions/977071/redirecting-unauthorized-controller-in-asp-net-mvc/977112#977112 please try again – Lee Harris Aug 04 '16 at 16:58
  • Ok, here is how it is. When I want to edit something, I have to navigate to a view. So I fixed it to navigate me somewhere else instead when I have no permission. But for delete I use a modal, and for that just a POST delete method. And so I get the same error as mentioned before. The status code is 500 @LeeHarris – Arianit Aug 04 '16 at 17:07
  • Ok, got why this error occurs; it has nothing to do with what we were talking about... thanks for pointing me to those links – Arianit Aug 04 '16 at 17:33
  • Does that answer cover the delete modal issue? If you put your delete button in that call it won't show up for users that are not in the correct role. – Lee Harris Aug 04 '16 at 20:15
  • Well, I made the button hidden for unauthorized users. But when I was trying to delete it from the link bar I got an invalid server error. I must make a more user-friendly error for the 500 status code – Arianit Aug 04 '16 at 20:18
  • An invalid server error (500) is a different issue from an unauthorized (403) error. I'd suggest opening a new question. – Lee Harris Aug 04 '16 at 20:40

1 Answer


I would suggest something to modify the UI based on the level of security for the user. You could wrap your delete call in something like this:

```cshtml
@* Render the delete control only when the signed-in user is in the required role *@
@if (ViewContext.HttpContext.User.IsInRole("role name"))
{
    // Authorized: put the delete button / modal trigger here
}
```
Lee Harris
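Hiding the button, as the answer suggests, keeps the UI honest, but the `[Authorize]` attribute on the action is what actually enforces the rule, so the behaviour the question complains about still has to be fixed on the server. The reason a signed-in user lands on the login page is that the stock `AuthorizeAttribute.HandleUnauthorizedRequest` always returns a 401, and the template's cookie authentication middleware turns every 401 into a login redirect. The following C# is an added example, not code from the question or from Lee Harris's answer: it subclasses `AuthorizeAttribute` so that anonymous users are still redirected to log in, while an authenticated user who is not in a permitted role gets a 403 with an access-denied view, or a bare 403 for AJAX callers such as the POST behind a delete modal. The view name `AccessDenied`, the role name `Admin`, and the `ReportsController`/`Delete` names are assumptions.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example, not code from the original question or answer.
// Assumes an ASP.NET MVC 5 project (Individual User Accounts template) with a
// Views/Shared/AccessDenied.cshtml view; that view name is an assumption.
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;
        var user = httpContext.User;

        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Not signed in at all: keep the default. The base class returns 401 and
            // the cookie authentication middleware turns that into the login redirect.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in but not in a permitted role: a login redirect makes no sense,
        // so answer with 403 Forbidden instead.
        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        // Keep IIS from swapping the body for its own generic error page.
        httpContext.Response.TrySkipIisCustomErrors = true;

        if (httpContext.Request.IsAjaxRequest())
        {
            // e.g. the POST issued by a delete modal: the caller wants a status, not HTML.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Normal browser navigation: render the access-denied view (assumed name).
        filterContext.Result = new ViewResult { ViewName = "AccessDenied" };
    }
}

// Usage on the action from the question (controller, action and role names assumed).
public class ReportsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    [RoleAuthorize(Roles = "Admin")]
    public ActionResult Delete(int id)
    {
        // ... remove the report with this id ...
        return RedirectToAction("Index");
    }
}
```

With this in place the Razor check in the answer only decides whether the button is drawn; a request forged from the address bar or a script still hits the attribute and receives a 403 rather than a login page, which also gives the client-side code behind the modal a status it can react to.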