
ASP.NET MVC application - user authorization/permissions

I have an ASP.NET MVC web application.

There's a welcome page in my application, and I wish for the user to complete some steps on that page before allowing him to use the application.

I'm trying to accomplish 2 things:

  1. Ensure that the user is always redirected to that page until he completes the required steps. Note: the user is logged in when he is at the welcome page.

  2. Ignore all requests made by that user to any of the controllers, except for a few specific requests to a specific controller.

What is the correct way to do the above?

Thanks.

What I have done is:

  1. Create a class that derives from Controller and add the logic to redirect if not Logged in:

     using System.Web.Mvc;
     using System.Web.Routing;

     public class CustomController : Controller
     {
         protected override void OnActionExecuting(ActionExecutingContext filterContext)
         {
             if (!LoggedIn) // Here you decide how to check if the user is logged in
             {
                 // Short-circuit the action and send the user to the login page
                 filterContext.Result = new RedirectToRouteResult(
                     new RouteValueDictionary(new
                     {
                         controller = "YourLogInControllerName",
                         action = "YourLoginActionName"
                     }));
             }
             else
             {
                 base.OnActionExecuting(filterContext);
             }
         }
     }

  2. Then all Controllers derive from this CustomController class.

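It sounds like, if you have to make sure the visitor completes these "required steps", you could use the session for this, or some other (more persistent) storage, so that you can record it once they have completed them.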

I created a custom authorise attribute that redirected the user to my login page if they didn't meet the criteria I set. This then allowed me to use [AuthorizeAdminArea] on my base controller which stopped access to all areas. I then used [AllowAnonymous] to allow access to the login area.

Take a look at the SimpleMembershipProvider.

Use a Role and only allow access to the other controllers if the user has this Role. Add the user to this Role when they have completed the necessary steps.

See http://msdn.microsoft.com/en-us/library/9ab2fxh0.aspx
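
The custom authorize attribute and the role suggestion from the answers above can be combined into one default-deny filter. This is an added example, not code from any of the posters; the role name `OnboardingComplete` and the `Welcome`/`Index` controller and action are assumed names.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Added example. Assumed names: role "OnboardingComplete",
// controller "Welcome", action "Index".
public sealed class RequireOnboardingAttribute : AuthorizeAttribute
{
    private const string CompletedRole = "OnboardingComplete";
    private const string WelcomeController = "Welcome";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Unauthenticated users fail here and end up on the login page.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Users who finished the required steps may go anywhere.
        if (httpContext.User.IsInRole(CompletedRole)) return true;

        // Everyone else reaches only the welcome controller (default deny).
        string controller = httpContext.Request.RequestContext.RouteData
                                       .GetRequiredString("controller");
        return string.Equals(controller, WelcomeController,
                             StringComparison.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        if (!request.IsAuthenticated)
        {
            // 401, which forms authentication turns into a login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
        else if (request.IsAjaxRequest())
        {
            // Do not answer a script-initiated request with an HTML redirect.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
        else
        {
            // Logged in but steps not completed: back to the welcome page.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(
                new { controller = WelcomeController, action = "Index" }));
        }
    }
}
```

Register it once with `GlobalFilters.Filters.Add(new RequireOnboardingAttribute());` so that new controllers are covered without opting in, and keep `[AllowAnonymous]` on the login actions only. If the role is stored in the authentication cookie, reissue the cookie when the user completes the steps so the check sees the new role.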
