If a user is logged in and the ChangePasswordRequired flag is set, I need to disregard the current action and redirect them to the ChangePassword action.
In other words, I do not want the user to be able to do anything until he or she changes his or her password.
Which method should my base controller override and how should I handle the redirect?
You should create your own action filter.
The exact type of action filter you want to use is one that implements IAuthorizationFilter, and the method you want to use is OnAuthorizing(), or something close to that. This filter type is executed before all the others.
Instead of the [Authorize] filter you would use your own filter. Be sure to check your flag and whether the user is authenticated (Request.IsAuthenticated).
Kindness,
Dan
I would use an action filter that you add to every controller class that should implement this behaviour. You can read more about it in this blog post by Phil Haack.
Hi,
For a view that will be submitted I have two actions with the same name, but one of them has this attribute:
[AcceptVerbs(HttpVerbs.Post)]
In the non-POST action I usually make some validations where the user will be redirected to another action if it's not correct, for example validating that the object currently being edited can be changed.
Is it true that I need to make the exact same validations in the POST action to be sure that the page is not hacked with some sort of custom post?
If so, how do you usually handle this? I do know about AuthorizeAttribute, but the validations I need to do are specific to this action.
Is it true that I need to make the exact same validations in the POST action to be sure that the page is not hacked with some sort of custom post?
Every controller action that modifies some state on the server and which requires authorization must perform this authorization.
I do know about AuthorizeAttribute but the validations I need to do is specific for this action.
Then write a specific Authorize attribute for those 2 actions (as apparently you have the same authorization logic for the 2 actions).
But there's something weird about your description. You said that if authorization fails in the GET action you redirect. But when you redirect you obviously cannot invoke the POST action because redirect means GET.
I want to apply an action filter on one of my ActionResult methods.
I want to be able to pass to the ActionFilterAttribute the currently logged in user id.
Is there either a way I can pass the user to the attribute or have the attribute pick up the logged in user?
See:
MVC: creating a custom [AuthorizeAttribute] which takes parameters?
Lol, didn't realize I sent you on a double hop, direct link:
How to pass parameters to a custom ActionFilter in ASP.NET MVC 2?
Note that there are two different ActionFilterAttributes:
System.Web.Http.Filters.ActionFilterAttribute does not have an HttpContext property, while System.Web.Mvc.ActionFilterAttribute does.
If you are having trouble figuring out how to get the HTTP context from within your filter, it's probably because you are using the wrong one.
What about:
HttpContext.Current.User
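An added example (not code from any of the answers above) of the second route the question asks about: the filter picks up the logged-in user itself. Attribute arguments must be compile-time constants, so the user id cannot be passed to the attribute; instead the filter reads the identity from the per-request filterContext.HttpContext (the System.Web.Mvc one, which is mockable, rather than the static HttpContext.Current) and overwrites the action parameter with it, so a client cannot supply its own value. It assumes ASP.NET MVC (System.Web.Mvc); LookupUserId is a hypothetical hook you point at your user store.

```csharp
using System;
using System.Web.Mvc;

// Fills an action parameter (default name "currentUserId") with the id of the
// authenticated user. Added example, not from the original answers.
public sealed class CurrentUserIdAttribute : ActionFilterAttribute
{
    // Name of the action parameter the filter supplies.
    public string ParameterName { get; set; }

    // Hypothetical: map the authenticated user name to your user id (null = unknown).
    public static Func<string, int?> LookupUserId = name => null;

    public CurrentUserIdAttribute()
    {
        ParameterName = "currentUserId";
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Per-request context: filterContext.HttpContext is an HttpContextBase for this
        // request, unlike the static HttpContext.Current, so it can be mocked in tests.
        var identity = filterContext.HttpContext.User.Identity;
        int? userId = identity.IsAuthenticated ? LookupUserId(identity.Name) : null;
        if (userId == null)
        {
            // Not logged in (or unknown): 401, which forms authentication turns into a login redirect.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Model binding has already run by the time an action filter executes. Overwriting
        // the bound value means the action always receives the server-side id, and a
        // currentUserId=... field smuggled into the form or query string is ignored.
        if (filterContext.ActionParameters.ContainsKey(ParameterName))
        {
            filterContext.ActionParameters[ParameterName] = userId.Value;
            // The binder flagged the (absent) value-type parameter as required; clear that.
            filterContext.Controller.ViewData.ModelState.Remove(ParameterName);
        }

        base.OnActionExecuting(filterContext);
    }
}

public class ProfileController : Controller
{
    [CurrentUserId]
    public ActionResult Rename(int currentUserId, string displayName)
    {
        // currentUserId was set by the filter, never taken from the request.
        ViewBag.Message = string.Format("user {0} is now '{1}'", currentUserId, displayName);
        return View();
    }
}
```

Because the filter runs after model binding, the action still has to declare the parameter; the filter only replaces its value. If you need the user before model binding (for instance to reject the request outright), do the lookup in an IAuthorizationFilter instead, where filterContext.HttpContext.User is equally available.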
I need that every action in a controller checks for a specific condition.
If that condition is not met, the user must be redirected to a specific action.
How do I do this without having to check the result of that condition in every action?
While writing this, it occurred to me that I could use an attribute like the AuthorizeAttribute.
Do you have any thoughts on this? Is this a good idea?
You can create a custom class ActionFilterAttribute that overrides the OnActionExecuting method. You can use the Result property for the ActionFilterContext to have it redirect to the appropriate View.
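An added example, not code from this answer or from the ChangePassword answer earlier on the page, that serves both questions: every action on a controller is forced through one check and redirected when it fails, here the "user must change password first" rule from the first question. It shows the two filter types the two answers recommend, an IAuthorizationFilter and an ActionFilterAttribute overriding OnActionExecuting, sharing one check. It assumes ASP.NET MVC (System.Web.Mvc) with the usual Account controller; ChangePasswordRequired is a hypothetical hook you wire to your user store.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

public static class PasswordPolicy
{
    // Hypothetical lookup: is the ChangePasswordRequired flag set for this user?
    public static Func<string, bool> ChangePasswordRequired = userName => false;

    // Shared by both filters below. Returns null when the action may proceed, otherwise
    // the result that should replace it.
    public static ActionResult CheckRedirect(ControllerContext context, ActionDescriptor action)
    {
        var http = context.HttpContext;
        if (!http.Request.IsAuthenticated)
            return new HttpUnauthorizedResult(); // forms authentication turns this into the login redirect

        // ChangePassword (and LogOff) must stay reachable, otherwise the redirect
        // loops forever and the user cannot even sign out.
        string controller = action.ControllerDescriptor.ControllerName;
        string name = action.ActionName;
        bool exempt = string.Equals(controller, "Account", StringComparison.OrdinalIgnoreCase)
            && (string.Equals(name, "ChangePassword", StringComparison.OrdinalIgnoreCase)
             || string.Equals(name, "LogOff", StringComparison.OrdinalIgnoreCase));
        if (exempt || !ChangePasswordRequired(http.User.Identity.Name))
            return null;

        return new RedirectToRouteResult(new RouteValueDictionary(
            new { controller = "Account", action = "ChangePassword" }));
    }
}

// Option 1: an authorization filter. Runs before all other filters and before
// model binding, so the request is rejected as early as possible.
public sealed class RequirePasswordChangeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        // Assigning Result short-circuits the pipeline: the action method never runs.
        filterContext.Result = PasswordPolicy.CheckRedirect(filterContext, filterContext.ActionDescriptor);
    }
}

// Option 2: an action filter, as in the answer above. Runs after authorization
// filters and after model binding; setting Result here also skips the action.
public sealed class RedirectIfPasswordChangeRequiredAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        filterContext.Result = PasswordPolicy.CheckRedirect(filterContext, filterContext.ActionDescriptor);
        base.OnActionExecuting(filterContext);
    }
}

// Applied once at class level (here on a base controller), so every action gets the
// check without a single line inside the action bodies.
[RequirePasswordChange]
public abstract class SecuredController : Controller
{
}
```

Two caveats when a filter like this replaces [Authorize]: the built-in AuthorizeAttribute also registers an output-cache validation callback so that a cached response is never served past the check, which neither filter above does, so do not combine them with [OutputCache] without adding that; and filter attribute instances can be reused across requests, so keep them free of per-request state, as above.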
In a certain controller I have CRUD methods. In order to access these methods the user needs to be logged in. This is why I used the [Authorize] attribute for this controller. Now I need an additional attribute which would check if the item that the user wants to view/delete/update belongs to him.
Is it possible and recommended to do this with attribute or you would suggest using check methods inside each method? If you suggest using attribute, could you please provide me some links/instructions?
EDIT:
Of course, if the attribute returns false then I don't want to redirect the user to the login page but show him an error message...
It can be done with a custom Authorize attribute, but it's much cleaner to put the logic inside your controller methods.
The attribute is related to the action being called (the controller class method). On that basis any attribute relating to the user's ownership of the object being manipulated (from your Model) should really be on the entity/class that the user is attempting to manipulate. You'll probably find it easier to validate the user within the Model method rather than using an attribute to achieve this.
In my opinion it is possible, just google for 'Custom Authorize Attribute'.
But maybe it is better to query your database with something like this:
ContextOrSession.Query<Something>().Where(s => s.Groups.Intersect(User.Groups).Any())
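An added example, not code from any of the posts, serving two questions on this page: the earlier one about repeating the GET validation on the POST action, and this one about checking that the item belongs to the user without bouncing to the login page. One custom AuthorizeAttribute is applied to both the GET and the POST action, so a hand-crafted POST cannot skip the check the GET performed, and a failed ownership check renders an error view instead of a 401. It assumes ASP.NET MVC 3 or later (System.Web.Mvc); IsOwner and the Items store are hypothetical stand-ins for your data access.

```csharp
using System;
using System.Web.Mvc;

public sealed class OwnsItemAttribute : AuthorizeAttribute
{
    // Hypothetical ownership lookup (itemId, userName) -> bool; point it at your store.
    public static Func<int, string, bool> IsOwner = (itemId, userName) => false;

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // The base attribute first rejects anyone who is not logged in (401 -> login page).
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null) return;

        // Read "id" through the controller's ValueProvider: that is the same source, with
        // the same precedence (form before route data before query string), that model
        // binding will use for the action's id parameter. Reading route data alone would
        // let a POST body carry a different id than the one that was checked.
        ValueProviderResult raw = filterContext.Controller.ValueProvider.GetValue("id");
        int itemId;
        if (raw == null || !int.TryParse(raw.AttemptedValue, out itemId))
        {
            filterContext.Result = new HttpStatusCodeResult(400);
            return;
        }

        if (!IsOwner(itemId, filterContext.HttpContext.User.Identity.Name))
        {
            // Logged in but not the owner: render an error view, do not send them to login.
            filterContext.Result = new ViewResult { ViewName = "NotOwner" };
        }
    }
}

public class ItemInput
{
    public string Title { get; set; }
}

// Hypothetical store so the example stands alone.
public static class Items
{
    public static object Load(int id) { return new { Id = id }; }
    public static void Save(int id, ItemInput input) { }
}

public class ItemsController : Controller
{
    [OwnsItem]             // GET  /Items/Edit/5
    public ActionResult Edit(int id)
    {
        return View(Items.Load(id));
    }

    [OwnsItem, HttpPost]   // POST /Items/Edit/5: same attribute, so a hand-made POST is checked too
    public ActionResult Edit(int id, ItemInput input)
    {
        Items.Save(id, input);
        return RedirectToAction("Index");
    }
}
```

The inline alternative the first answer prefers is the same IsOwner call at the top of each action, returning the NotOwner view on failure; the attribute only guarantees that the POST action cannot forget it. Filter attribute instances may be shared between requests, so the attribute keeps no per-request fields.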
I want to make the default roles for my controller class "Administrators, Content Editors":
[Authorize(Roles = "Administrators, Content Editor")]
I've done this by adorning the controller with the attribute above. However, there is one action that I want to be available to all (namely "View"). How can I reset the Roles so that everyone (including completely unauthorized users) has access to this action?
Note: I know I could adorn every single other action with the authorize attribute above, but I don't want to have to do that all the time. I want all of the controller's actions to be inaccessible by default, so that if anyone adds an action they have to make a considered decision to make it available to the general public.
MVC4 has a new attribute meant exactly for this: [AllowAnonymous]
[AllowAnonymous]
public ActionResult Register()
http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx
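An added example (not the answer's own code) of the deny-by-default layout the question asks for: the roles sit on the class, and the one public action opts out with [AllowAnonymous]. It also shows the catch a practitioner runs into next: the opt-out is implemented inside the built-in AuthorizeAttribute, so a custom authorization filter has to honour [AllowAnonymous] itself. It assumes ASP.NET MVC 4 (System.Web.Mvc); Pages is a hypothetical data access class.

```csharp
using System.Web.Mvc;

[Authorize(Roles = "Administrators, Content Editor")]
public class PagesController : Controller
{
    // The single public action (the question calls it "View"; named Show here so it
    // does not collide with Controller.View()). AuthorizeAttribute looks for
    // [AllowAnonymous] on the action or the controller and skips its check if found.
    [AllowAnonymous]
    public ActionResult Show(int id)
    {
        return View(Pages.Get(id));
    }

    // Any action added here inherits the class-level roles; making it public takes a
    // deliberate [AllowAnonymous].
    public ActionResult Edit(int id)
    {
        return View(Pages.Get(id));
    }
}

// A custom authorization filter gets none of this for free: the skip lives in
// AuthorizeAttribute, so a filter that does not derive from it (or that overrides
// OnAuthorization without calling base) must check for the marker itself. The same
// check, with your own AllowAnonymousAttribute, gives the opt-out on MVC 3.
public sealed class MustBeSignedInAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        bool anonymousAllowed =
            filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (anonymousAllowed) return;

        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpUnauthorizedResult();
    }
}

// Hypothetical store so the example stands alone.
public static class Pages
{
    public static object Get(int id) { return new { Id = id }; }
}
```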
You can place the Authorize attribute on the action methods. Not just at the class level.
So, move the attribute from the controller class to just the action methods you want to secure.
The only solution I can think of so far is to create and register another controller so that I have one for anonymous access, and one for authorized access but that's not quite as elegant as I would have liked.