
I have an ASP.NET MVC3 application where each logged-in user may have access to some specific data.

For example, "user A" has access to "Client 1" but not "Client 2", while "user B" has access to "Client 2" but not "Client 1".

If user A accesses http://myApp/Clients/2, we throw a custom exception, say ConfidentialityException.

From there, we can trap it in global.asax Application_Error. But from that point, I wonder what the best practice would be:

  • Returning an error page with HTTP 403 code (how?)
  • Just returning an error page.
  • Let it crash.
  • Other suggestions?

My preferred solution is the first one (error page with 401), but I don't see how to set the HTTP code from Application_Error.

Edit

I changed the 401 status code to 403, since it's not an authentication error, but confidentiality. 403 seems more appropriate according to the W3C.

Johnny5

1 Answer


To set the status code you can use the following:

HttpContext.Current.Response.StatusCode = 401; // from Application_Error in Global.asax; inside a controller, Response.StatusCode is available directly

However, if you're using MVC you can simply set the result to be an HttpUnauthorizedResult, which will set the HTTP status code for you.

Rich O'Kelly
  • From what I see, `HttpUnauthorizedResult` just redirects to the login page, it does not set the status to 401. In this case I don't want the login page because the user is already logged in. He just doesn't have the rights to see x data. Maybe 401 is not a good thing in this case, I am not sure. – Johnny5 Dec 05 '11 at 20:07
  • The HttpUnauthorizedResult merely sets the response code to 401 (Unauthorized); since the user is not authorized, ASP.NET will display the login page for the user to become authorized to see the information they requested. – Rich O'Kelly Dec 05 '11 at 21:36
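The following is an added example, written for this page and not code from the question or the answer above. It puts the two pieces together for the question's option 1: the action throws ConfidentialityException, Application_Error in Global.asax traps it, sets the response to 403 (rather than the 401 from the answer, which forms authentication turns into a login redirect, as the comments describe) and renders an error page in place of the failed request. ClientAccess.UserCanSee, ErrorController, the Forbidden view and the sample user-to-client mapping are assumptions made for the example; a real application would consult its own authorization store.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Thrown when a logged-in user requests data they are not entitled to see.
public class ConfidentialityException : Exception
{
    public ConfidentialityException(string message) : base(message) { }
}

// Hypothetical authorization lookup with a constructed mapping:
// user A may see client 1, user B may see client 2, nobody else sees anything.
public static class ClientAccess
{
    public static bool UserCanSee(string userName, int clientId)
    {
        switch (userName)
        {
            case "A": return clientId == 1;
            case "B": return clientId == 2;
            default:  return false;
        }
    }
}

public class ClientsController : Controller
{
    // GET /Clients/2  (default route: {controller}/{action}/{id})
    public ActionResult Details(int id)
    {
        if (!ClientAccess.UserCanSee(User.Identity.Name, id))
            throw new ConfidentialityException("client " + id + " is not visible to " + User.Identity.Name);
        return View();
    }
}

// Renders Views/Error/Forbidden.cshtml; the status code is set by the caller.
public class ErrorController : Controller
{
    public ActionResult Forbidden()
    {
        return View("Forbidden");
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_Error()
    {
        // ASP.NET may wrap the original exception (e.g. in HttpUnhandledException);
        // GetBaseException() returns the innermost one.
        var ex = Server.GetLastError().GetBaseException();
        if (!(ex is ConfidentialityException))
            return; // every other error keeps the default handling

        Server.ClearError();                     // suppress the default error page
        Response.Clear();
        Response.StatusCode = 403;               // Forbidden: authenticated, but not entitled
        Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the body we render

        // Execute ErrorController.Forbidden against the current request so the
        // client receives a real page together with the 403 status.
        var routeData = new RouteData();
        routeData.Values["controller"] = "Error";
        routeData.Values["action"] = "Forbidden";
        IController controller = new ErrorController();
        controller.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
    }
}

// Alternative that never reaches Global.asax: an exception filter that turns the
// exception into a 403 response. Register it in Application_Start with
// GlobalFilters.Filters.Add(new ConfidentialityFilter()) and put Forbidden.cshtml
// in Views/Shared so any controller can render it.
public class ConfidentialityFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is ConfidentialityException))
            return;
        filterContext.ExceptionHandled = true;
        filterContext.HttpContext.Response.StatusCode = 403;
        filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
        filterContext.Result = new ViewResult { ViewName = "Forbidden" };
    }
}
```

Two caveats when using the Application_Error route. First, the default MVC3 project registers HandleErrorAttribute as a global filter, and with customErrors enabled it will catch the exception and render the generic Error view before Application_Error ever sees it; either remove that filter or use the exception-filter variant, which runs in the MVC pipeline regardless. Second, the check in the action must stay on the server side of every path that returns client data (JSON endpoints and child actions included), since a 403 page on one URL does nothing if another URL hands out the same record unchecked.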