
  • Shaishav Karnani from digitallymedia.com 354 posts 1638 karma points
    Jun 19, 2014 @ 15:43
    Shaishav Karnani from digitallymedia.com
    0

    MemberAuthorize Redirection

    Hi 

    I have added a MemberAuthorize attribute and allowed a list of groups.
    e.g.:
            [MemberAuthorize(AllowGroup="Admin,SuperUser")]
            public ActionResult Protect()
            {
                // ...
            }

    If I am logged in and have access to the group, it works fine.
    If I am not logged in, it redirects me back to the login page.
    However, if I have logged in but don't have access to the group, then it shows an error page with the message "This type of page is not served.". I wanted to redirect the user to a custom page.

    I have checked on the web and found the article below, which works well for Umbraco User Authorise.
    http://blog.bartdemeyer.be/2013/03/securing-backend-pages-in-mvc-for-umbraco-4-11-1/

    But I need this for Member Authorise. Please can you let me know any suggestions to fix this issue.

  • Andy Butland 422 posts 2334 karma points MVP 4x hq c-trib
    Jun 19, 2014 @ 16:17
    Andy Butland
    0

    My first thoughts here are you can't do this with the attribute by itself.  It's throwing a 403 error I suspect, and is probably more intended to prevent people from accessing something via URL tampering.  In other words, members in the wrong groups shouldn't be able to link to these protected resources due to logic elsewhere in your application that will show or hide the links to them, but if somehow they do by entering a URL directly, this is the security protection.

    Seems to me for your scenario you would need to just use the attribute without the group parameter (i.e. allow all groups) - to handle non-logged in users.  But then in your controller action - or perhaps in a custom attribute you write and add after the built-in one - you check the group the user is in and redirect as appropriate.

    Hope that helps

    Andy

     

  • Matthew Kirschner 323 posts 611 karma points
    Jul 02, 2015 @ 13:47
    Matthew Kirschner
    0

    This topic is a year old, but I wonder if there has been any improvement in MemberAuthorize that might allow for an unauthorized member redirect rather than throwing a 403.

  • Henrik Bayer Nielsen 8 posts 90 karma points
    Apr 15, 2020 @ 10:08
    Henrik Bayer Nielsen
    0

    I just had this issue and as it's still top 1 result on Google I thought I would share my result.

    I created my own custom authorize attribute just like the current "MemberAuthorize", only I left out the HandleUnauthorizedRequest override that is in Umbraco's own MemberAuthorize attribute.

    Here's the code:

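        using System.Collections.Generic;
        using System.Web;
        using System.Web.Mvc;
        using Umbraco.Core;            // IsNullOrWhiteSpace() string extension
        using Umbraco.Web.Composing;   // Current.Factory
        using Umbraco.Web.Security;    // MembershipHelper

        // No HandleUnauthorizedRequest override here, so the base
        // AuthorizeAttribute behaviour (a 401 result) applies on failure.
        public class CustomMemberAuthorizeAttribute : AuthorizeAttribute
        {
            /// <summary>
            /// Comma delimited list of allowed member types
            /// </summary>
            public string AllowType { get; set; }

            /// <summary>
            /// Comma delimited list of allowed member groups
            /// </summary>
            public string AllowGroup { get; set; }

            /// <summary>
            /// Comma delimited list of allowed members
            /// </summary>
            public string AllowMembers { get; set; }

            protected override bool AuthorizeCore(HttpContextBase httpContext)
            {
                // Treat unset properties as empty lists
                if (AllowMembers.IsNullOrWhiteSpace())
                    AllowMembers = "";
                if (AllowGroup.IsNullOrWhiteSpace())
                    AllowGroup = "";
                if (AllowType.IsNullOrWhiteSpace())
                    AllowType = "";

                // Parse the allowed member ids, skipping anything that is not an integer
                var members = new List<int>();
                foreach (var s in AllowMembers.Split(','))
                {
                    if (int.TryParse(s, out var id))
                    {
                        members.Add(id);
                    }
                }

                var helper = Current.Factory.GetInstance<MembershipHelper>();
                return helper.IsMemberAuthorized(AllowType.Split(','), AllowGroup.Split(','), members);
            }
        }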
    

    And then you use it like this in a controller:

    [CustomMemberAuthorize(AllowGroup = "Admin")]
    

    Finally you need to set the correct route for your login page in the Web.config here:

     <authentication mode="Forms">
      <forms name="yourAuthCookie" loginUrl="yourcustomloginpageurl" protection="All" path="/" />
     </authentication>
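
An added example, not part of the original posts or of Umbraco's own code: one way to get the behaviour asked for at the top of the thread, where anonymous visitors go to the login page and logged-in members without the required group go to a custom page. It assumes the `CustomMemberAuthorizeAttribute` class from the post above is in the project and that members sign in through forms authentication; the class name `MemberAuthorizeOrRedirectAttribute`, the `AccessDeniedUrl` property and its default value are hypothetical.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example. Builds on the CustomMemberAuthorizeAttribute posted above.
// Usage: [MemberAuthorizeOrRedirect(AllowGroup = "Admin,SuperUser")]
public class MemberAuthorizeOrRedirectAttribute : CustomMemberAuthorizeAttribute
{
    /// <summary>
    /// Site-relative page for logged-in members who fail the group/type/id check.
    /// Hypothetical default. Set it as a constant on the attribute, never from
    /// request data, so it cannot be turned into an open redirect.
    /// </summary>
    public string AccessDeniedUrl { get; set; } = "~/access-denied";

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;

        // Assumption: member login is reflected in the forms-authentication identity.
        var identity = httpContext.User?.Identity;
        var isLoggedIn = identity != null && identity.IsAuthenticated;

        if (!isLoggedIn)
        {
            // Anonymous visitor: keep the default 401, which forms authentication
            // turns into a redirect to the loginUrl configured in Web.config.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        if (httpContext.Request.IsAjaxRequest())
        {
            // Script callers get a plain 403 they can handle, not an HTML redirect.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        // Logged in but not in an allowed group: sending this member to the
        // login page again would not help, so show the custom page instead.
        filterContext.Result = new RedirectResult(AccessDeniedUrl);
    }
}
```

The authorization decision still comes from `AuthorizeCore` in the base class; this override only chooses the response once that check has failed.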
    
  • Dhanesh Kumar MJ 167 posts 543 karma points MVP c-trib
    Jun 26, 2020 @ 18:29
    Dhanesh Kumar MJ
    0

    Hey Shaishav

    Did this work?
