Authorize access to controllers depending on Locked property added to ApplicationUser

Question

I'm migrating an ASP.NET MVC 5 project to ASP.NET Core MVC (.NET 5). In the previous project I had a CustomAuthorizeAttribute that checks if a user is locked o not (the first else if (applicationUser.IsLocked) statement).

public class CustomAuthorizeAttribute: AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        ActionResult actionResult = filterContext.Result;
        int statusCode = filterContext.HttpContext.Response.StatusCode;
        ApplicationUser applicationUser = filterContext.HttpContext.User.ApplicationUser();

        if (applicationUser == null || string.IsNullOrEmpty(filterContext.HttpContext.User.Identity.GetUserName()))
        {
            base.OnAuthorization(filterContext);
        }
        else if (applicationUser.IsLocked)
        {
            filterContext.Result = new RedirectResult("~/home/unauthorized");
        }
        // If they are authorized, handle accordingly
        else if (this.AuthorizeCore(filterContext.HttpContext))
        {
            base.OnAuthorization(filterContext);
        }
        else
        {
            // Otherwise redirect to your specific authorized area
            filterContext.Result = new RedirectResult("~/home/unauthorized");
        }
    }
}

It seems that this approach is not supported in ASP.NET Core, so I would like to know if it is possible to achieve this behavior and how can I develop it.

Edit:

Has you can see in ASP.NET Core 5 there is no OnAuthorization() method to override.

Which part exactly do you think is not supported in core? Custom attributes are certainly supported, is it the applicationuser properties that are giving you trouble? — Ben Matthews, Sep 22 '21 at 14:54
The recommended approach is to define an authorization policy and annotate controllers/actions with `[Authorize("only_unlocked")]` — abdusco, Sep 22 '21 at 15:04
@BenMatthews I can't override ```OnAuthorization()``` method in ASP.NET Core. — Jon, Sep 22 '21 at 15:08
@Jon Not sure you need to. I think this answers your question and gives some great context: https://stackoverflow.com/a/41348219/1431405 — Ben Matthews, Sep 22 '21 at 15:30
Hi @Jon, you can inherits from `AuthorizeAttribute` and `IAuthorizationFilter` to implements your requirement. Remember that you should not set the `filterContext.Result` if the request is successfully authorize. Reference:https://stackoverflow.com/a/55113297/11398810 — Rena, Sep 23 '21 at 07:36
@Rena I edited the question, as you can see, there is no ```OnAuthorization(AuthorizationContext)``` to override in ASP.NET Core 5. — Jon, Sep 23 '21 at 11:55
Ok, there is no ```OnAuthorization(AuthorizationContext)``` in AuthorizeAttribute. Maybe using IAuthorizationFilter? — Jon, Sep 23 '21 at 12:06
Please read my suggestion carefully, I mean inherits from both AuthorizeAttribute and IAuthorizationFilter. — Rena, Sep 24 '21 at 01:15
@Rena Ok, I understood. But what should I do with ```base.OnAuthorization()``` and ```this.AuthorizeCore()``` code blocks, delete them? — Jon, Sep 24 '21 at 09:59
Hi @Jon, in asp.net core, just set `filterContext.Result` if the request failed, no need use `base.OnAuthorization()`. — Rena, Sep 27 '21 at 07:27

Authorize access to controllers depending on Locked property added to ApplicationUser

0 Answers0