1

In my MVC 5 application I have applied some Role filters such as:

 [Authorize(Roles = "ManageRoles")]

Now if a user does not have permission to access this role, it redirects me to the login page. This is incorrect in my application as I want to rather display an error message saying that you donot have permission to access.

Where do I change what happens if a user is not authorised to access a filter?

Do I have to implement custom filters? I would like to try and use the redirectTo action if possible so that I can have different error pages in different situations.

Zapnologica
  • 22,170
  • 44
  • 158
  • 253

3 Answers3

1

Use Custom Authorize Attribure - Ben Scheirman or Ben Cull's answer in this thread.

Also Check Mark's response to similar question, where he used HandleUnauthorizedRequest to redirect unauthorized users.

In the both the above approaches, you can redirect to any Route or Action of your interest and use HttpContent.Items[] or TempData to hold the specific error messages or values to be display on the destination page.

Community
  • 1
  • 1
ramiramilu
  • 17,044
  • 6
  • 49
  • 66
1

MVC5 has actually started to address this issue. They now include Authentication Filters in addition to Authorization Filters. These are pretty lightly documented, but my gut feeling is that this a first stab at separating authentication from authorization (up until now, ASP.NET has confused the two)

What i'm thinking is that Authentication filters will be used to control whether a user is logged in or not, and Authorization filters will be used to control what you have access to. However, it seems that this isn't yet fully realized.

Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291
0

In your Login view, you can add logic for:

  1. Checking if the request is not authenticated
    1.1. Display login form
  2. Checking if the user is authenticated but not in the required role
    2.1. Display error message

Since you'll be automatically redirected to the login page by your Web.config settings, you can take advantage of this mechanism.

if (!Request.IsAuthenticated)
{
     //render login form
}
else
{
     <p>Error: you do not have the necessary credentials to access this resource.</p>
}

Another option would be to create your own AuthorizationAttribute. This question is similar to yours. You might find it useful.

Community
  • 1
  • 1
Andrei V
  • 7,306
  • 6
  • 44
  • 64