0

In my FilterConfig, I define a global authorize attribute. By doing that, I disallow anonymous access to all controllers by default - so that users need to log in.

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RedirectToHomeOnCryptographicExceptionAttribute());
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
}

Then I have my controller class. I want one method to be restricted to users who have the role Admin.

public class FilesController : Controller
{
        [Authorize(Roles="Admin")]
        public ActionResult TestAccess()
        {
            if (!User.IsInRole("Admin"))
                return Content("Authorization not working as expected");

            return Content("hello");
        }
}

When I now log in with a non-admin user and open /Files/TestAccess, I get "Authorization not working as expected". That's strange, I would have expected the [Authorize(...)] on the method to allow only admins.

How can I prevent non-admins from accessing my controller action?

I'm using Brock Allen's MembershipReboot for login and user management.

LTR
  • 1,226
  • 2
  • 17
  • 39
  • Have you wanted to prevent entire non-admin users on `TestAccess` action method instead of showing `Content`? Probably you need to add role checking in `Application_AuthenticateRequest` method inside `Global.asax`. – Tetsuya Yamamoto Nov 21 '16 at 03:27
  • `[Authorize(Roles="Admin")]` is enough to let only admins enter. In my application I only have it as this: `[Authorize(Roles="Administator")]` – Max Nov 21 '16 at 08:21

0 Answers0