Search code examples
asp.net-mvcasp.net-identity-3

My Custom Authorize Attribute Always Redirects to Un authroized page

I am writing custom authorize attribute for one requirement.

As per the requirement, I need to pass all the allowed roles for that particular action method like below.

    [MyAuthorize("Admin,Reviewer")]
    public ActionResult GetFXSelldownSummaryData()
    {
        var model = (new FXSelldownSummaryBLL()).GetFXSelldownSummaryData();
        return View(model);
    }

When the user logs in, the logged in user role should be compared against all the allowed roles (in the above code, all the allowed roles are Admin, and Reviewer). If the role matches, the user can see the view, otherwise the page should be navigated to Un authorized page.

I have wrriten the custom attribute like below, everything is working fine but I am ending up with Unauthorized access page for all the requests.

Can anyone please help to identify and solve the problem!

namespace MyRequirement
{

    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        readonly string allowedRoles;
        public MyAuthorizeAttribute(string allowedRoles)
        {
            this.allowedRoles = allowedRoles;
        }

        public System.Collections.Generic.List<string> AllowedRoles
        {
            get
            {
                return this.allowedRoles.Split(',').ToList();
            }
        }

        private bool AuthorizeRole(AuthorizationContext filterContext)
        {
            var context = filterContext.RequestContext.HttpContext;
            PnLUserDetails userDetails = System.Web.HttpContext.Current.Session["PnLUserDetails"] as PnLUserDetails;
            string loggedInUserRole = userDetails.Role;
            if (AllowedRoles.Contains(loggedInUserRole))
                return true;
            return false;
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            base.OnAuthorization(filterContext);
            if (filterContext == null)
                throw new ArgumentException("filterContext");
            bool authStatus = AuthorizeRole(filterContext);
            if(!authStatus)
            {
                filterContext.Result = new HttpUnauthorizedResult();
                return;
            }
        }
    }
}
Solution

  • Remove the call to 

    base.OnAuthorization(filterContext);

    Change the code like this

        public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // This line is not needed, you are handling the authorization
        // This is the line that will give you the unauthorized access by default
        // base.OnAuthorization(filterContext);
        if (filterContext == null)
            throw new ArgumentException("filterContext");
        bool authStatus = AuthorizeRole(filterContext);
        if(!authStatus)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }
    }