Redirect users in an MVC controller

Question

I have an MVC application what restricts the user from accessing controller actions based on a value stored in the session.

I have implemented as follows:

public partial class MyBookingController : CruisesDesktopControllerBase
{
    private bool CheckLoggedIn()
    {
        return MyBookingSessionInfo.OzBookingId > 0;
    }

    public virtual ActionResult Summary()
    {
        //Ensure user is logged in
        if (!CheckLoggedIn())
            return RedirectToAction(MVC.MyBooking.Login());

        //Prepare the view model
        SummaryViewModel summaryViewModel = new SummaryViewModel
                                            {
                                                OzBookingId = MyBookingSessionInfo.OzBookingId
                                            };

        return View(summaryViewModel);
    }

}

So instead of doing the if test at the top of controller actions I want to protect, is there a way to do this where the controller action could be annotated in some way to enforce the "logged in restriction" and hence removing the if test block?

Possible duplicate of [Override Authorize Attribute in ASP.NET MVC](http://stackoverflow.com/questions/746998/override-authorize-attribute-in-asp-net-mvc) — Steve, Apr 11 '16 at 00:41
@StephenMuecke [Authorize] assumes use of the MS authentication pipeline which in this case I am not. — TheEdge, Apr 11 '16 at 00:45

BrunoLM · Answer 1 · 2016-04-11T01:41:18.350

3

You can create a custom AuthorizeAttribute and override AuthorizeCore method.

public class AuthorizeUserAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return /* custom logic */;          
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
        }
    }
}

Then add this attribute on your action.

[AuthorizeUser]
public virtual ActionResult Summary()

edited Apr 11 '16 at 01:41

answered Apr 11 '16 at 00:42

BrunoLM

97,872
84
296
452

That does the authorization part of things. How do I control where the redirection happens when authorization fails? – TheEdge Apr 11 '16 at 00:46
That's your `/* custom logic */` – Brendan Green Apr 11 '16 at 00:49
@BrendanGreen That returns a BOOLEAN. So lets say I return FALSE. How do I control where the redirection goes? – TheEdge Apr 11 '16 at 01:08
Override `HandleUnauthorizedRequest` and do your redirection there – Brendan Green Apr 11 '16 at 01:35
So don't return the bool and just redirect to action from there? I'll give it a go..... Does not feel clean then as the attribute needs to "know" stuff about the controller which seems odd. – TheEdge Apr 11 '16 at 01:57

score 0 · Answer 2 · answered Apr 11 '16 at 01:51

You can inherit the AuthorizeAttribute and then override the following methods AuthorizeCore(HttpContextBase) - authorization logic
HandleUnauthorizedRequest(AuthorizationContext) - Logic when authorization fails

public class CheckLoggedInAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext) 
    {
        //Authorization logic Here. You can access the session using httpContext. Return false if your authorization fails
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        //Logic when authorization fails, modify the ViewResult or something.
        base.HandleUnauthorizedRequest(filterConext)
    }
}

Redirect users in an MVC controller

2 Answers2