I have added a MemberAuthorise Attribute and allowed list of groups.
ex:-
    [MemberAuthorize(AllowGroup="Admin,SuperUser")]
    public ActionResult Protect()
    {
If I am logged in and have access to the group, it works fine.
If I am not logged in, it redirects me back to the login page.
However, if I have logged in but don't have access to the group, then it shows an error page with the message "This type of page is not served.". I wanted to redirect the user to a custom page.
My first thoughts here are you can't do this with the attribute by itself. It's throwing a 403 error I suspect, and is probably more intended to prevent people from accessing something via URL tampering. In other words, members in the wrong groups shouldn't be able to link to these protected resources due to logic elsewhere in your application that will show or hide the links to them, but if somehow they do by entering a URL directly, this is the security protection.
Seems to me for your scenario you would need to just use the attribute without the group parameter (i.e. allow all groups) - to handle non-logged in users. But then in your controller action - or perhaps in a custom attribute you write and add after the built-in one - you check the group the user is in and redirect as appropriate.
This topic is a year old, but I wonder if there have been any improvement in MemberAuthorize that might allow for an unauthorized member redirect rather than throwing a 403.
I just had this issue and as it's still top 1 result on Google I thought I would share my result.
I created my own custom authorize attribute just like the current "MemberAuthorize", only I left out the HandleUnauthorizedRequest override that is in Umbraco's own MemberAuthorize attribute.
Here's the code:
    using System.Collections.Generic;
    using System.Web;
    using System.Web.Mvc;
    using Umbraco.Core;            // IsNullOrWhiteSpace() string extension
    using Umbraco.Web.Composing;   // Current.Factory
    using Umbraco.Web.Security;    // MembershipHelper

    public class CustomMemberAuthorizeAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// Comma delimited list of allowed member types
        /// </summary>
        public string AllowType { get; set; }

        /// <summary>
        /// Comma delimited list of allowed member groups
        /// </summary>
        public string AllowGroup { get; set; }

        /// <summary>
        /// Comma delimited list of allowed members
        /// </summary>
        public string AllowMembers { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Treat unset properties as empty lists
            if (AllowMembers.IsNullOrWhiteSpace())
                AllowMembers = "";
            if (AllowGroup.IsNullOrWhiteSpace())
                AllowGroup = "";
            if (AllowType.IsNullOrWhiteSpace())
                AllowType = "";

            // Parse the allowed member ids, skipping anything that is not an integer
            var members = new List<int>();
            foreach (var s in AllowMembers.Split(','))
            {
                if (int.TryParse(s, out var id))
                {
                    members.Add(id);
                }
            }

            var helper = Current.Factory.GetInstance<MembershipHelper>();
            return helper.IsMemberAuthorized(AllowType.Split(','), AllowGroup.Split(','), members);
        }

        // No HandleUnauthorizedRequest override here, so the base AuthorizeAttribute behaviour applies
    }
And then you use it like this in a controller:
[CustomMemberAuthorize(AllowGroup = "Admin")]
Finally you need to set the correct route for your login page in the Web.config here:
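Added example, not code from the thread or from Umbraco: with the override simply left out, a logged-in member outside the allowed groups gets the same 401 as an anonymous visitor and is sent to the login page. The variant below separates the two cases; the class name, the DeniedUrl property and the /access-denied path are assumptions, and it derives from the CustomMemberAuthorizeAttribute posted above.

```csharp
using System.Web.Mvc;
using Umbraco.Web.Composing;
using Umbraco.Web.Security;

// Hypothetical name. Usage: [RedirectingMemberAuthorize(AllowGroup = "Admin,SuperUser")]
public class RedirectingMemberAuthorizeAttribute : CustomMemberAuthorizeAttribute
{
    // Assumed path of a public "access denied" page. Keep it a fixed local
    // path set in code, never a value taken from the request, so the
    // redirect target cannot be influenced by the caller.
    public string DeniedUrl { get; set; } = "/access-denied";

    // Called only after AuthorizeCore returned false; because a Result is
    // set in every branch, the protected action itself never executes.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var helper = Current.Factory.GetInstance<MembershipHelper>();

        if (!helper.IsLoggedIn())
        {
            // Anonymous visitor: keep the default 401 so forms
            // authentication redirects to the configured login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Logged in, but not of a permitted type, group or id.
        // Child actions cannot redirect and AJAX callers should see a
        // status code rather than an HTML page, so answer those with 403.
        if (filterContext.IsChildAction ||
            filterContext.HttpContext.Request.IsAjaxRequest())
        {
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Normal page request: send the member to the custom page.
        filterContext.Result = new RedirectResult(DeniedUrl);
    }
}
```

Sending the member to the login page instead would invite a loop: they sign in again, still lack the group, and are bounced back.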
MemberAuthorize Redirection
Hi
I have checked on the web and found the article below, which works well for Umbraco User Authorise.
http://blog.bartdemeyer.be/2013/03/securing-backend-pages-in-mvc-for-umbraco-4-11-1/
But I need it for Member Authorise. Please can you let me know any suggestions to fix this issue.
Hope that helps
Andy
Hey Shaishav
Did this work?