30

Usually I protect my Actions with [Authorize] but this time I need to check if a user is authorized inside the action.

E.g.:

if(userIsAuthorized) {
    //do stuff
}
else {
    //return to login page
}

I believe I am using 'Forms Authentication'.

This question is kind of similar to this but none of the answers given seemed to work.

EDIT: I have done some more digging. It seems that if I breakpoint on an Action that has [Authorize], the User.Identity is set, but on Actions without it, the User.Identity is empty, even if I am logged in.

Community
elwyn
  • I have fixed my issue by using a hack-ish workaround, I am going to assume your answers are all correct and it is due to my strange implementation of authentication that things are strange... – elwyn Feb 05 '10 at 03:46

5 Answers

56

If you just want to know if the user is logged in:

if (User.Identity.IsAuthenticated) { ... }

If you are trying to do anything role-specific:

if (User.IsInRole("Administrators")) { ... }

The User instance is a public property of the Controller class, so you always have access to it from a Controller you write. If no user is logged in you should have a GenericPrincipal for the User and a GenericIdentity for the User.Identity, so don't worry about checking for nulls.

Aaronaught
  • 1
    Again, only gives me 'true' if used within an `[Authorize]`'d Action – elwyn Feb 05 '10 at 03:29
  • @elwyn: I don't believe that's correct. I just tested it here on an action without the `[Authorize]` attribute and `User.Identity.IsAuthenticated` is `true`. Are you sure that the session is actually logged in when you are testing this? – Aaronaught Feb 05 '10 at 03:33
  • @Aaronaught Yes, just double (triple) checked, definitely logged in while trying that, and still see false – elwyn Feb 05 '10 at 03:36
  • -----In my non-[Authorize]'d Action: User.Identity {System.Security.Principal.GenericIdentity} [System.Security.Principal.GenericIdentity]: {System.Security.Principal.GenericIdentity} AuthenticationType: "" IsAuthenticated: false Name: "" -----In an Authorized one: User.Identity {System.Web.Security.FormsIdentity} [System.Web.Security.FormsIdentity]: {System.Web.Security.FormsIdentity} AuthenticationType: "Forms" IsAuthenticated: true Name: "admin" – elwyn Feb 05 '10 at 03:37
  • @elwyn: Nothing I can do reproduces the behaviour that you seem to be seeing. You do not need the `[Authorize]` attribute for `User` and `User.Identity` to be valid. Do you have any other attributes on the Controller? Have you tried doing this in a new, clean MVC project, to make sure that nothing else in your app is interfering? – Aaronaught Feb 05 '10 at 03:43
6

Request.IsAuthenticated should work for what you're trying to do.

Esteban Araya
  • 3
    If I do that on an Action decorated with `[Authorize]` it works fine, however if I do that on this Action (not decorated with [Authorize]) it is always false, regardless of whether I am logged in or not. – elwyn Feb 05 '10 at 03:26
1

I suggest first figuring out what kind of Authorization you're using. ;)

The answer you posted is correct. From what I remember poking around the [Authorize] attribute and related ActionFilter code, MVC internally calls Page.User.Identity.IsAuthenticated, just like those code examples.

John Farrell
1

Create an attribute like this. OnActionExecuting will get executed first, before other code from the action:

    using System.Web.Mvc;

    public class IsAuthenticatedAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Do your validations here, and redirect somewhere if needed.
            filterContext.HttpContext.Response.Redirect("/"); // this will send the user to home.
        }
    }

On each action where you need to check, add the attribute like this:

[IsAuthenticatedAttribute]
public ActionResult ActionName(/* parameters */)
{
    // No need to worry about checking here.
    // Do your action things.
    return View();
}

EDIT: This one still completes the action and only then redirects. Not very useful.

messed-up
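An added example, not part of the answer above or of ASP.NET MVC itself: an action filter that keeps the action from running by setting `filterContext.Result`, next to the same check done inline in an action as the question asks. `RequireAuthenticatedAttribute` and `ReportsController` are hypothetical names, and classic ASP.NET MVC (`System.Web.Mvc`) with Forms Authentication is assumed.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name; added for illustration.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RequireAuthenticatedAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool authenticated = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated;

        if (!authenticated)
        {
            // Assigning Result short-circuits the pipeline: the action method
            // is never invoked. Calling Response.Redirect here instead only
            // queues a redirect and lets the action body run anyway.
            // Under Forms Authentication the 401 is turned into a redirect
            // to the configured login URL.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

// Hypothetical controller showing both styles.
public class ReportsController : Controller
{
    // Check enforced by the filter before the action body runs.
    [RequireAuthenticated]
    public ActionResult Index()
    {
        return View();
    }

    // Same check performed inside the action.
    public ActionResult Summary()
    {
        if (!User.Identity.IsAuthenticated)
        {
            return new HttpUnauthorizedResult();
        }
        return View();
    }
}
```

The built-in `[Authorize]` attribute runs as an authorization filter, ahead of action filters, and also accounts for output caching, which this filter does not.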
0

Put the [Authorize] annotation on every one of your Actions. Microsoft link. Example:

using System.Web.Mvc;

public class AdministrationController : Controller
{
    // GET: User/Create
    [Authorize]
    public ActionResult Create()
    {
        return View();
    }
}
Trần Hữu Hiền