c# - Redirecting unauthorized controller in ASP.NET MVC
I have a controller in ASP.NET MVC that I've restricted to the admin role:

```csharp
[Authorize(Roles = "Admin")]
public class TestController : Controller
{
    ...
}
```

If a user who is not in the Admin role navigates to this controller, they are greeted with a blank screen.

What I would like is to redirect them to a view that says "You need to be in the Admin role to be able to access this resource."

One way of doing this that I've thought of is to have a check in each action method on IsUserInRole(), and if the user is not in the role, return an informational view. However, I'd have to put that in each action, which breaks the DRY principle and is cumbersome to maintain.
Create a custom authorization attribute based on AuthorizeAttribute and override OnAuthorization to perform the check the way you want it done. Normally, AuthorizeAttribute sets the filter result to HttpUnauthorizedResult if the authorization check fails. You could have it set a ViewResult (of your Error view) instead.

EDIT: I have a couple of blog posts that go into more detail:
- http://farm-fresh-code.blogspot.com/2011/03/revisiting-custom-authorization-in.html
- http://farm-fresh-code.blogspot.com/2009/11/customizing-authorization-in-aspnet-mvc.html
example:
```csharp
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage( AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false )]
public class MasterEventAuthorizationAttribute : AuthorizeAttribute
{
    /// <summary>
    /// The name of the master page or view to use when rendering the view on authorization failure. Default
    /// is null, indicating to use the master page of the specified view.
    /// </summary>
    public virtual string MasterName { get; set; }

    /// <summary>
    /// The name of the view to render on authorization failure. Default is "Error".
    /// </summary>
    public virtual string ViewName { get; set; }

    public MasterEventAuthorizationAttribute()
        : base()
    {
        this.ViewName = "Error";
    }

    protected void CacheValidateHandler( HttpContext context, object data, ref HttpValidationStatus validationStatus )
    {
        validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
    }

    public override void OnAuthorization( AuthorizationContext filterContext )
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException( "filterContext" );
        }

        if (AuthorizeCore( filterContext.HttpContext ))
        {
            SetCachePolicy( filterContext );
        }
        else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // auth failed, redirect to login page
            filterContext.Result = new HttpUnauthorizedResult();
        }
        else if (filterContext.HttpContext.User.IsInRole( "SuperUser" ))
        {
            // is authenticated and is in the SuperUser role
            SetCachePolicy( filterContext );
        }
        else
        {
            ViewDataDictionary viewData = new ViewDataDictionary();
            viewData.Add( "Message", "You do not have sufficient privileges for this operation." );
            filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData };
        }
    }

    protected void SetCachePolicy( AuthorizationContext filterContext )
    {
        // ** IMPORTANT **
        // Since we're performing authorization at the action level, the authorization code runs
        // after the output caching module. In the worst case this could allow an authorized user
        // to cause the page to be cached, then an unauthorized user would later be served the
        // cached page. We work around this by telling proxies not to cache the sensitive page,
        // then we hook our custom authorization code into the caching mechanism so that we have
        // the final say on whether a page should be served from the cache.
        HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
        cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
        cachePolicy.AddValidationCallback( CacheValidateHandler, null /* data */ );
    }
}
```
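The same idea, as an added example that is not the answer's code: on ASP.NET MVC 2 and later the base AuthorizeAttribute.OnAuthorization already installs the cache-validation guard shown above, so overriding only HandleUnauthorizedRequest keeps that protection while still rendering an informational view. It also distinguishes "not logged in" (401, so the login redirect still happens) from "logged in but wrong role" (403 with the view), so denied requests stay visible as 403s in server and proxy logs. The attribute name, the DeniedViewName property and the Error view are assumptions for this example.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Added example, not code from the answer. Requires ASP.NET MVC 2+ (HandleUnauthorizedRequest).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class RoleDeniedViewAuthorizeAttribute : AuthorizeAttribute
{
    // View rendered when an authenticated user lacks the required role.
    // An "Error" view under Views/Shared is assumed to exist (hypothetical for this example).
    public string DeniedViewName { get; set; }

    public RoleDeniedViewAuthorizeAttribute()
    {
        DeniedViewName = "Error";
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not logged in: keep the default 401 so forms authentication redirects to the login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in but not in a permitted role: this is a 403, not a 401. Sending the view with a
        // 403 status keeps the denial in the logs and stops forms authentication from bouncing the
        // user back to the login page they are already past.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = (int)HttpStatusCode.Forbidden;
        response.TrySkipIisCustomErrors = true; // render our view, not the IIS 403 page

        var viewData = new ViewDataDictionary();
        viewData["Message"] = string.Format(
            "You need to be in one of these roles to access this resource: {0}", Roles);

        filterContext.Result = new ViewResult
        {
            ViewName = DeniedViewName,
            ViewData = viewData
        };
    }
}

// Usage is the same as the built-in attribute:
// [RoleDeniedViewAuthorize(Roles = "Admin")]
// public class TestController : Controller { ... }
```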