Display 'Insufficient Permission' Messaging instead of redirecting to login?

swc

We have a site where users can have multiple roles, and certain content is only available to certain user levels and above.  This has been implemented so that when the content authors enter the content they set the appropriate permissions for the user groups before publishing.

This all works as expected, but when a user who doesn't have a necessary role hits a page, he is redirected to the login page with no explanation as to why.  Since they are already logged in, this is confusing to them.

Is there a way I can capture the page view and detect that there was insufficient access level and then message the user appropriately by redirecting them to a more obvious error message?  At a minimum, I'd rather return a 401 than redirect to the login screen, but really I'd rather just redirect them to a page with messaging indicating that the content they are trying to reach is only available to certain users.

Seems like this should be do-able, I'm just not sure how and what hooks to use.

Thanks in advance!

#89185
Aug 08, 2014 21:32

If you are using MVC then you can inherit the EPiServer AuthorizeContentAttribute, implement IAuthorizationFilter and inherit a custom OnAuthorization method that you can then use to redirect to your login page. This attribute needs to be applied to each page controller where you want this rule to be applied. A very quick/simple POC can be seen below that does this:

using System.Web.Mvc;
using EPiServer.Web.Mvc;

public class CustomAuthorizeContentAttribute : AuthorizeContentAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        //Check if user doesn't have authorisation to the content
        if (filterContext != null && filterContext.Result != null && filterContext.Result.GetType() == typeof(HttpUnauthorizedResult))
        {
            // Check if the user is logged in
            var context = filterContext.HttpContext;
            if (context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated)
            {
                //User is authenticated and they don't have access so redirect to not authorised page
                filterContext.Result = new RedirectResult("/not-authorised-page/");
            }
        }
    }
}

Example controller (from AlloyMVC):

[TemplateDescriptor(Inherited = true)]
[CustomAuthorizeContentAttribute]
public class DefaultPageController : PageControllerBase
{
    //Code
}

If you are using WebForms you can override AccessDenied on PageBase: http://world.episerver.com/Documentation/Class-library/?documentId=cms/7.5/EC4A185.

Let me know how you get on.

#89186
Aug 10, 2014 14:55
swc

Thanks!  I am using MVC, and ended up finding Tarjei Olsen's post which outlined overriding a controller's OnAuthorize once I changed my search query to Access Denied, but your solution looks even a little simpler.  Thanks a ton!

#89305
Aug 13, 2014 6:09
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.