4

I want to know how to redirect users. I have a Controller Index() and I want only users with the role "Student" to be able to enter there! So I use

[Authorize(Roles="Student")]

I wonder how I can redirect users who do not have this role to the homepage.

fabriciorissetto
Clowning
  • Check out blowdart's answer: https://stackoverflow.com/questions/31464359/custom-authorizeattribute-in-asp-net-5-mvc-6 – rism Jan 04 '16 at 20:30

3 Answers

7

MVC5 (and older):

You can do this by changing the loginUrl attribute on your web.config. Change it to the desired route:

<authentication mode="Forms">
  <forms loginUrl="~/Home/Index" timeout="2880" />
</authentication>

MVC6:

In MVC6 you can try this (inside the Startup.cs):

public void ConfigureServices(IServiceCollection services)
{       
    services.Configure<CookieAuthenticationOptions>(options =>
    {
        options.LoginPath = new PathString("/Home/Index");
    });
}
fabriciorissetto
  • In MVC 6, the web.config doesn't exist! – Clowning Jan 04 '16 at 19:58
  • Thanks Fabrice! What library should I install? Because PathString and CookieAuthenticationOptions aren't recognized! – Clowning Jan 04 '16 at 20:20
  • I think both namespaces are from `Microsoft.Owin`. – fabriciorissetto Jan 04 '16 at 20:27
  • Okay thanks, my Visual Studio has some bugs... And do you know the attribute to modify the error path? For the moment, if my user doesn't have access, ASP redirects my user to "Account/AccessDenied"! – Clowning Jan 04 '16 at 20:41
  • Yes @Clowning, it's in the Startup.cs too: http://stackoverflow.com/questions/29421164/mvc-6-404-not-found Please mark it as Answered if it answered your question. By the way, I'm Fabric**io** not Fabric**e** :P – fabriciorissetto Jan 05 '16 at 12:18
  • Oh thank you FabricIO :p! But my problem is not resolved! I think I must override or create a new [Authorize] tag! Do you have an idea how to do this in MVC 6? :) – Clowning Jan 05 '16 at 17:38
  • You don't need to create a new [Authorize] attribute. – fabriciorissetto Jan 06 '16 at 17:01
1

There is a method floating around that works for MVC5. I assume it would work for MVC6 as well.
Within your Controller, create a Custom Auth method like so.

using System.Web.Mvc;

public class YourCustomAuthorize : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // If they are authorized, handle accordingly
        if (this.AuthorizeCore(filterContext.HttpContext))
        {
            base.OnAuthorization(filterContext);
        }
        else
        {
            // Otherwise redirect to your specific authorized area
            filterContext.Result = new RedirectResult("~/YourController/Unauthorized");
        }
    }
}

Then change your data annotations to

[YourCustomAuthorize(Roles = "Admin")]
public class UserController : Controller
{
     // Omitted for brevity
}
armstb01
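An added example, not part of any answer on this page: an MVC5 variant that overrides `HandleUnauthorizedRequest` instead of `OnAuthorization`, so the base class still applies `[AllowAnonymous]` and output-cache handling, and that separates visitors who are not signed in (default 401, which forms authentication turns into a redirect to `loginUrl`) from signed-in users who lack the role (redirect to the homepage). The attribute name, `StudentController` and the `Home/Index` target are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical attribute name; added example for MVC5 (System.Web.Mvc).
public class AuthorizeOrRedirectHomeAttribute : AuthorizeAttribute
{
    // The base OnAuthorization calls this only after AuthorizeCore has failed,
    // i.e. after its own [AllowAnonymous] and caching checks have run.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not signed in: keep the default 401 result so forms
            // authentication sends the visitor to the configured loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in but missing the required role: redirect to a fixed,
        // server-chosen route, never to a URL taken from the request.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Home", action = "Index" }));
    }
}

// Assumed usage. The redirect target (Home/Index) must not carry the same
// role requirement, otherwise the redirect loops.
[AuthorizeOrRedirectHome(Roles = "Student")]
public class StudentController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```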
-6

Did you try to use session for this?

I'm guessing you have a login page; after login, classify the session ASAP.

Then a simple If condition will do.

<%If Session("userRole")="Student" Then%>
  This is the text version of the page
<%Else
  Response.Redirect("notavailablepage.html")
End If%>
Grimmjow
  • *NEVER* use Session for security purposes. It's insecure, and has different rules than authentication and authorization. On top of that, it's unreliable since session resets whenever the application pool does. – Erik Funkenbusch Jan 04 '16 at 19:44