
After login, a user can go to any action, but think about when an action is decorated with the Authorize attribute and role names are specified there. Just refer to this sample code.

public class HomeController : Controller
{
    [Authorize(Roles = "Admin, HrAdmin")]
    public ActionResult PayRoll()
    {
        return View();
    }
}

Suppose user Foo has no role like Admin or HrAdmin; then what will happen when user Foo tries to access the PayRoll action?

In this kind of situation I want to redirect the user to my error page, where I will show a friendly message to the user. Please guide me on how to do it.

Do I need to write a custom Authorize attribute, check from there whether the user has those roles or not, and then redirect the user from there?

Monojit Sarkar

1 Answer

I don't know if that's the best way to do it, but here's how I did it:

using System.Web.Mvc;

namespace YourNamespace
{
    public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            base.OnAuthorization(filterContext);

            // Redirect to the login page if necessary
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = new RedirectResult(System.Web.Security.FormsAuthentication.LoginUrl + "?returnUrl=" + filterContext.HttpContext.Request.Url);
                return;
            }

            // Redirect to your "access denied" view here
            if (filterContext.Result is HttpUnauthorizedResult)
            {
                filterContext.Result = new RedirectResult("~/Account/Denied");
            }
        }
    }
}

Controller:

public class HomeController : Controller
{
    [AccessDeniedAuthorize(Roles = "Admin, HrAdmin")]
    public ActionResult PayRoll()
    {
        return View();
    }
}

That's all you have to do if your User has its Roles defined correctly. If you are not using ASP.NET Identity to manage your users and roles, you will need some more code to make this work; in that case this might help you: How can I attach a custom membership provider in my ASP.NET MVC application?

Pierre-Loup Pagniez
  • Give me the full code, like how to use it in my situation: if the user has no role like Admin or HrAdmin, then I will redirect the user to a custom error page where I will show him a friendly message. – Monojit Sarkar Sep 21 '16 at 14:16
  • You need to use the attribute like so: `[AccessDeniedAuthorize(Roles = "Admin, HrAdmin")]`. It works exactly the same way as the Authorize attribute. – Pierre-Loup Pagniez Sep 21 '16 at 14:18
  • How do I check whether the user has the Admin or HrAdmin role, or any one of them, or not? Just fetch the user's role from the DB? Can you please add a bit more code to make a full-blown sample? Thanks. – Monojit Sarkar Sep 21 '16 at 14:23
  • You don't need to do anything else than adding the attribute to your method like you wrote in your question. I will edit my answer to show you. – Pierre-Loup Pagniez Sep 21 '16 at 14:25
  • You are not checking whether the user has a role called Admin or HrAdmin from the `OnAuthorization` function, which is required. So update your code accordingly. – Monojit Sarkar Sep 21 '16 at 14:33
  • Are you using ASP.NET Identity? If you are using it, you do NOT need to get your roles from your database, they are already populated in your User object and they will be automatically compared to what you put in `Roles = "Admin, HrAdmin, [...]"`. – Pierre-Loup Pagniez Sep 21 '16 at 14:34
  • Yes, I am using ASP.NET Identity. Can you please give me a link which shows me how roles are attached to the user object automatically after login? Thanks. – Monojit Sarkar Sep 21 '16 at 20:37
  • See this: http://stackoverflow.com/questions/28410748/asp-net-identity-role-based-claims. – Pierre-Loup Pagniez Sep 22 '16 at 08:12
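Building on the answer above, here is an added example (not the answerer's code and not from any library): `AuthorizeAttribute` evaluates `Roles` in `AuthorizeCore` first and calls `HandleUnauthorizedRequest` only when that check fails, so overriding that hook is enough to tell a signed-out user apart from a signed-in user who lacks the role, and to answer the latter with 403 instead of a 401 that would bounce them to the login page. The attribute name `RoleAwareAuthorizeAttribute` and the `~/Error/AccessDenied` route are assumptions.

```csharp
using System.Net;
using System.Web.Mvc;

namespace YourNamespace // same placeholder namespace as in the answer above
{
    // Hypothetical attribute name. Users/Roles are still enforced by the base class:
    // AuthorizeCore runs first and only calls HandleUnauthorizedRequest when it fails.
    public class RoleAwareAuthorizeAttribute : AuthorizeAttribute
    {
        // Assumed route for the friendly page; that action must itself be [AllowAnonymous]
        // or every user without the role would be denied access to the denial page too.
        public string DeniedUrl { get; set; } = "~/Error/AccessDenied";

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Not signed in: keep the default 401. The forms-authentication (or OWIN cookie)
                // module turns it into a redirect to the login page with a ReturnUrl, so there
                // is no need to build that URL by hand from the raw request.
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            // Signed in but not in any role listed in Roles (e.g. "Admin, HrAdmin"): a 403,
            // not a 401. Returning 401 here would send an already authenticated user back
            // to the login page, which is exactly what the question wants to avoid.
            if (filterContext.HttpContext.Request.IsAjaxRequest())
            {
                // Script callers get a bare status code instead of an HTML page.
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
                return;
            }

            // Browser request: show the friendly page. Because a Result is set, the PayRoll
            // action body is never executed for this user.
            filterContext.Result = new RedirectResult(DeniedUrl);
        }
    }

    // Usage on the action from the question; the role check itself is unchanged.
    public class HomeController : Controller
    {
        [RoleAwareAuthorize(Roles = "Admin, HrAdmin")]
        public ActionResult PayRoll()
        {
            return View();
        }
    }
}
```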