
I have recently implemented Roles in an MVC application. The controller has various action methods like the ones below:

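public class MyController : Controller
{
   // Either role satisfies the attribute, so the check passes for User and SuperUser alike.
   [Authorize(Roles = "User, SuperUser")]
   public ActionResult DoActionOne() {
        // This can be invoked by both user and superuser
        return View(); // placeholder body so the action compiles
   }

   // Only SuperUser satisfies the attribute; a caller holding just the User role is
   // redirected to /Login before this body ever runs.
   [Authorize(Roles = "SuperUser")]
   public ActionResult DoActionTwo() {
         // This can't be invoked by user
         // Application will redirect to /Login automatically when 'User' invokes it
         return View(); // placeholder body so the action compiles
   }
}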

Now, this works well, as desired.

But when a User is redirected to /Login because of an insufficient Role to access the action method DoActionTwo in the controller, I want to insert a query param that the /Login page can read to show the user a message like "Invalid Permissions / Authorization Required". It may be any custom message.

Any ideas?




@SimpleGuy - Compare the code below with your "OnAuthorizationAsync" method.

You can handle all the result flags there without an unnecessary extra request.

public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (context is null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        // An IAllowAnonymousFilter anywhere in the pipeline short-circuits every check below.
        var anonymousAllowed = context.Filters.Any(filter => filter is IAllowAnonymousFilter);
        if (anonymousAllowed)
        {
            return;
        }

        var httpContext = context.HttpContext;
        var evaluator = httpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();

        // Authenticate first, then evaluate `Policy` (a member of the enclosing filter, not shown here)
        // against whatever principal authentication produced.
        var authentication = await evaluator.AuthenticateAsync(Policy, httpContext);
        var authorization = await evaluator.AuthorizeAsync(Policy, authentication, httpContext, context);

        if (authorization.Challenged)
        {
            // Caller is not authenticated: custom 401 result.
            context.Result = new CustomUnauthorizedResult("Authorization failed.");
            return;
        }

        if (authorization.Forbidden)
        {
            // Caller is authenticated but fails the policy/role check (the DoActionTwo case in the
            // question): default 403 result for the policy's authentication schemes. This is the branch
            // where a redirect carrying a custom message would belong.
            context.Result = new ForbidResult(Policy.AuthenticationSchemes.ToArray());
        }
    }

This is the main code you need to change:

if (authorizeResult.Challenged)
        {
            // 401: the request carried no valid credentials, so the custom unauthorized result is used.
            var unauthorized = new CustomUnauthorizedResult("Authorization failed.");
            context.Result = unauthorized;
        }
        else if (authorizeResult.Forbidden)
        {
            // 403: the caller is authenticated but does not meet the role/policy (the "User calls
            // DoActionTwo" case); the default ForbidResult is raised for the policy's schemes.
            var schemes = Policy.AuthenticationSchemes.ToArray();
            context.Result = new ForbidResult(schemes);
        }