0

I'm wanting to require that all users have some additional information filled out before they proceed to ANY section of the site that requires authentication.

If possible, I'm wanting to catch on [Authorize] annotations, but ignore any @User.IsInRole("something").

Is there a method that I can override in Global.asax or ?

I'm only hoping to grab the annotations because my only use for .IsInRole() is to display different info to them and I want the links there so they actually see what is needed to get to the annotations. Hope this makes sense (kinda tired).

Jared

1 Answer

0

You can override the AuthorizeAttribute itself; that'll give you access to the OnActionExecuting() method that gets fired when an action marked with [Authorize] gets called. From there you can either add your own auth logic or call through to the base methods, and then redirect to the appropriate error or form if the extra data needs filling in. You should be able to tack on their original request as a return URL query parameter so that the user can continue to wherever they were going once the extra data is taken care of. You'll then need to replace all uses of [Authorize] with this custom attribute, but find and replace should take care of that.

anaximander
  • I have actually already implemented my own `[Auth()]` attribute. I was hoping, however, to make sure that if anyone else did development (or I forgot) there was something global that would catch the error. – Jared Apr 25 '13 at 13:47
  • What we usually go with, and what is a bit better from a security perspective, is to invert the attribute. That way you don't specify it on controllers requiring authentication, but on those that don't. That way devs don't have to remember, and they find out very fast if they try to access something and can't. – Jakub Apr 26 '13 at 09:21
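
An added example, not code from either poster: one way to combine the global check asked about with the inverted, deny-by-default approach from the last comment, assuming ASP.NET MVC 4 or later (for `AllowAnonymousAttribute`). `AllowIncompleteProfileAttribute`, `ProfileIsComplete` and the `Profile`/`Complete` route are hypothetical names introduced for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical opt-out marker: put it on the profile form's actions to avoid a redirect loop.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowIncompleteProfileAttribute : Attribute { }

public sealed class RequireCompleteProfileAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumption: the application assigns its own check at startup. Fails closed until it does.
    public static Func<IPrincipal, bool> ProfileIsComplete = user => false;

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.IsChildAction) return;
        var action = filterContext.ActionDescriptor;
        if (IsMarked(action, typeof(AllowAnonymousAttribute)) ||
            IsMarked(action, typeof(AllowIncompleteProfileAttribute))) return;

        // Unauthenticated requests are left to the global AuthorizeAttribute below.
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return;
        if (ProfileIsComplete(user)) return;

        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Profile" },   // hypothetical controller
            { "action", "Complete" },      // hypothetical action
            // The form must check this with Url.IsLocalUrl before sending the user back.
            { "returnUrl", filterContext.HttpContext.Request.RawUrl }
        });
    }

    private static bool IsMarked(ActionDescriptor action, Type attribute)
    {
        return action.IsDefined(attribute, true) || action.ControllerDescriptor.IsDefined(attribute, true);
    }
}

public static class FilterConfig
{
    // Call from Application_Start in Global.asax: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());               // every action requires login unless [AllowAnonymous]
        filters.Add(new RequireCompleteProfileAttribute());  // every logged-in request requires the extra data
    }
}
```

Because both filters are global, a new controller is protected without anyone remembering an attribute, and `@User.IsInRole(...)` checks in views are unaffected since they never pass through the filter pipeline.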