2
votes

In MVC we decorate actions using AuthorizeAttribute. When a given user is not authorized for a particular action, it calls the HandleUnauthorizedRequest method. I have overridden this method in my custom class called CustomAuthorizeAttribute, which inherits from AuthorizeAttribute. Within the scope of my overridden HandleUnauthorizedRequest method, how do I get all the roles that the current user is not part of, which made him/her unauthorized? For example, if I decorate my action as [CustomAuthorize(Roles = "AreaUser")] and I come to my HandleUnauthorizedRequest, I would like to know that the user is not part of "AreaUser" so that I can display that on a redirected permission denied page.

1
What am I missing? You know they're not a member of AreaUser, because your attribute hard codes "AreaUser" as the roles that are allowed, thus if you get an Unauthorized, you know for a fact they're not a member of AreaUser. - Erik Funkenbusch
Well, I may decorate several actions with one or more different roles with the same CustomAuthorize. I want to access that list of roles in HandleUnauthorizedRequest. - user3885927
And what's wrong with the Roles property? - Erik Funkenbusch
Nothing wrong, just found that and David posted as well. - user3885927

1 Answer

2
votes

The AuthorizeAttribute has a property called Roles that you should be able to check to get the information you want. As mentioned by @ErikFunkenbusch, you can assume that the user is not in any of those roles.

https://msdn.microsoft.com/en-us/library/dd460323(v=vs.118).aspx
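
A sketch of the approach from the answer above, as an added example that is not part of the original thread: the override reads the inherited Roles property, works out which of those roles the signed-in user lacks, and hands the list to a denied page. The "Error"/"PermissionDenied" route and the "MissingRoles" TempData key are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;
using System.Web.Routing;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        // Not signed in: keep the default 401 so the normal login flow runs,
        // and do not disclose role names to an anonymous caller.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Roles is the comma-separated string set in [CustomAuthorize(Roles = "...")].
        var required = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // AuthorizeAttribute accepts a user who is in ANY listed role, so a role-based
        // rejection means the user is in none of them. The IsInRole filter still matters
        // when the rejection came from the Users property rather than from Roles.
        var missing = required.Where(r => !user.IsInRole(r)).ToArray();

        // TempData keeps the list server-side across the redirect instead of putting it
        // in a query string the client could edit. The key name is hypothetical.
        filterContext.Controller.TempData["MissingRoles"] = missing;

        // Hypothetical controller/action names for the permission denied page.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Error" },
            { "action", "PermissionDenied" }
        });
    }
}
```

The denied page should render the role names through Razor's default HTML encoding, and it should itself be reachable without the roles being checked, otherwise the redirect loops.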