i have a project using ASP.Net MVC3 and using membership for roles. i use authorize in every controller. eg:
[Authorize(Roles = "Administrator")]
public ActionResult Index(string q, int i)
{
return View(model);
}
if someone doesnt have role for administrator, then it will redirect to login page by default. how to change it,so it will redirect into Views/Shared/UnAuthorize.cshtml ? or maybe if someone doesnt have role for administrator, it will show message box (alert) ?
thanks in advance.
Just change the page that have to be shown in the web.config (check that the route exists)
<authentication mode="Forms">
<forms loginUrl="~/UnAuthorize" timeout="2880" />
</authentication>
If you, instead, want to redirect to a specific path for every roles you can extend the AuthorizeAttribute with your own. Something like this (not tested, I write this to give you an idea)
public class CheckAuthorize : ActionFilterAttribute
{
public Roles[] Roles { get; set; }
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
//Your code to get the user
var user = ((ControllerBase)filterContext.Controller).GetUser();
if (user != null)
{
foreach (Role role in Roles)
{
if (role == user.Role)
return;
}
}
RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
if user.Role==Role.Administrator
{
redirectTargetDictionary.Add("action", "Unauthorized");
redirectTargetDictionary.Add("controller", "Home");
}
else
{
redirectTargetDictionary.Add("action", "Logon");
redirectTargetDictionary.Add("controller", "Home");
}
filterContext.Result = new RedirectToRouteResult(redirectTargetDictionary);
}
}
i solved my problem. i only do this :
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
public class MyAuthorize : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
//you can change to any controller or html page.
filterContext.Result = new RedirectResult("/cpanel/roles/unauthorize");
}
}
and apply MyAuthorize to class or action:
[MyAuthorize]
public class AdminController :Controller
{
}
thats it.
Well, you can inherit from AuthorizeAttribute and override HandleUnauthorizedRequest which is responsible for redirection of unauhorized/unauthenticated requests. i think this question will be helpful to you
My own version, based on ntep vodka's:
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if(IsUserAuthenticated(filterContext.HttpContext))
{
filterContext.Result = new RedirectResult("/Account/InvalidRole");
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
private bool IsUserAuthenticated(HttpContextBase context)
{
return context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated;
}
}
This way I get standard redirect to login page for not authenticated users, and custom redirect for users that are authenticated but don't have the appropriate role for the action.
The code below helped and here is the reference in stackoverflow ASP.NET MVC 4 custom Authorize attribute - How to redirect unauthorized users to error page?
public class CustomAuthorize: AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if(!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
base.HandleUnauthorizedRequest(filterContext);
}
else
{
filterContext.Result = new RedirectToRouteResult(new
RouteValueDictionary(new{ controller = "Error", action = "AccessDenied" }));
}
}
}
I use this method and it is very easy to implement.
Change your default route to logon page in global.asax
来源:https://stackoverflow.com/questions/7656163/asp-net-mvc-3-redirect-unauthorized-user-not-to-loginurl