I'm currently working on setting up permissions for my web app. Not everyone needs to have access to certain pages, such as creating/editing/deleting (the usual) or adding new rights to users. I have a table in my database that keeps track of the users and their roles/rights. I am overriding the AuthorizeAttribute. What I would like to happen, when the user is not authorized to access a page, is for them to be redirected back to the page they were just at and an alert shown saying they don't have access.
Example: If they are on the Home Page and click the Add New Something Button, if they don't have rights they will be directed back to the Home Page with the error.
To make this work I need to get access to the previous action/controller names since the previous page may never be the same.
Current custom AuthorizeAttribute HandleUnauthorizedRequest method:

    using System.Web.Mvc;
    using System.Web.Routing;

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // RouteData holds the action/controller of the request being authorized,
        // i.e. the protected page itself, not the page the user came from.
        // Redirecting here re-requests the same protected action, so the attribute
        // runs again and the user loops until the browser gives up.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary {
                { "action", filterContext.RouteData.Values["action"] },
                { "controller", filterContext.RouteData.Values["controller"] }
            });
    }
This gets me the action/controller they are trying to access, am I able to get where they are coming from?
Using Klings and Stephen.vakil advice I have:
    using System;
    using System.Web.Mvc;
    using System.Web.Routing;

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // UrlReferrer is the client-supplied Referer header; it may be absent and it
        // may be any URL at all, so using it unchecked as a redirect target is an
        // open redirect. It is fine for locating the previous page, but validate it
        // (same origin, relative path only) before handing it to RedirectResult.
        Uri requestUrl = filterContext.HttpContext.Request.UrlReferrer;
        if (requestUrl != null)
        {
            filterContext.Result = new RedirectResult(requestUrl.ToString());
        }
        else
        {
            // No referrer (typed URL, bookmark, privacy setting): fall back to a
            // generic "not authorized" page.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary {
                    { "action", "NotAuthorized" },
                    { "controller", "Admin" }
                });
        }
    }
If there is a referrer, take them back to that page; but I still need a popup to appear when they reach that page. I know that it can be done in each individual view with JavaScript and alert(), but I am looking for something that can be done in one place without adjusting the other views, if possible. If not, send them to a generic page stating they aren't authorized.
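The following is an added example and is not the poster's code: it is one way to put the "send them back and tell them once" behaviour in a single place. The attribute validates the referrer before redirecting to it (the Referer header is attacker-controlled, so redirecting to it unchecked is an open redirect), stores a one-shot message in TempData, and falls back to a generic page otherwise. The class name RedirectingAuthorizeAttribute, the TempData key "AuthorizationError", and the Admin/NotAuthorized fallback route are assumptions made for this example.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example (not the original poster's code). Sends an authenticated but
// unauthorized user back to the page they came from, with a one-request message
// in TempData that a shared layout can render, so individual views need no changes.
public class RedirectingAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed key name; the layout reads TempData[MessageKey].
    public const string MessageKey = "AuthorizationError";

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Anonymous users keep the default behaviour (401 -> forms-auth login page);
        // only users who are logged in but lack the role get the bounce-back.
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // TempData survives exactly one subsequent request, so the message is shown
        // once on the page we redirect to and then discarded. Requires session state.
        filterContext.Controller.TempData[MessageKey] =
            "You do not have permission to access that page.";

        string target = SafeReturnPath(filterContext.HttpContext.Request);
        if (target != null)
        {
            filterContext.Result = new RedirectResult(target);
        }
        else
        {
            // Assumed fallback route for this example.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary {
                    { "action", "NotAuthorized" },
                    { "controller", "Admin" }
                });
        }
    }

    // The Referer header is supplied by the client, so it must be validated before
    // being used as a redirect target. Only a same-origin referrer is accepted, and it
    // is reduced to a relative path so the redirect can never leave this site.
    // Returns null when there is no safe place to send the user back to.
    private static string SafeReturnPath(HttpRequestBase request)
    {
        Uri referrer = request.UrlReferrer;
        Uri current = request.Url;
        if (referrer == null || current == null)
            return null;

        // Scheme and host:port must match the request being served; anything else
        // came from another site and is not "the page they were just at" on this app.
        if (!string.Equals(referrer.Scheme, current.Scheme, StringComparison.OrdinalIgnoreCase) ||
            !string.Equals(referrer.Authority, current.Authority, StringComparison.OrdinalIgnoreCase))
            return null;

        // If the referrer is the protected page itself, bouncing back to it would
        // hit this attribute again with the same referrer: a redirect loop.
        if (string.Equals(referrer.PathAndQuery, current.PathAndQuery, StringComparison.OrdinalIgnoreCase))
            return null;

        string path = referrer.PathAndQuery;
        // IsLocalUrl additionally rejects protocol-relative ("//evil.example") and
        // other forms that a browser would treat as leaving the site.
        return new UrlHelper(request.RequestContext).IsLocalUrl(path) ? path : null;
    }
}
```

Apply it as [RedirectingAuthorize(Roles = "...")] on the protected actions or controllers (or register it globally and opt out with [AllowAnonymous]). The "one place" for the popup is then the shared layout: in _Layout.cshtml, when TempData["AuthorizationError"] is not null, render the message into an ordinary HTML element with Razor's default encoding and have a small script alert that element's text content. Writing the message directly into a script string in the layout is the thing to avoid, since Razor HTML-encodes but does not JavaScript-encode. Because TempData is session-backed, a session timeout between the redirect and the next request silently drops the message; the redirect still works, only the alert is lost.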