How to return 403 Forbidden response as IActionResult in ASP.NET Core

Question

I would like to return a 403 Forbidden to the client when trying to perform an invalid operation. What is the method I need to use?

I searched over the internet but I found only these for MVC 5:

If the return type for your web api method is HttpResponseMessage then you need to use the below code:

 return Request.CreateErrorResponse(HttpStatusCode.Forbidden, "RFID is disabled for this site."); Or if the return type for your web api method is IHttpActionResult then you need to use the below code return StatusCode(HttpStatusCode.Forbidden,"RFID is disabled for this site.");

How to return 403 for IActionResult type:

 public IActionResult Put(string userid, [FromBody]Setting setting) { var result = _SettingsRepository.Update(userid, setting); if (result == true) { return Ok(201); } else { return BadRequest(); } }

Answer 1

When you want to respond with a HTTP 403 status and allow ASP.NET Core's authentication logic to handle the response with its forbidden handling logic (can be configured in your Startup class, and may cause a redirect to another page), use:

return Forbid();

(same applies to Unauthorized() )

---

When you want to respond with a HTTP 403 status code from an API and do not want the ASP.NET Core authentication logic to perform any redirect or other action, use:

return StatusCode(403);

// or with developer-friendly type
return StatusCode(StatusCodes.Status403Forbidden);

// or as an api-friendly error response
return Problem(
    type: "/docs/errors/forbidden",
    title: "Authenticated user is not authorized.",
    detail: $"User '{user}' must have the Admin role.",
    statusCode: StatusCodes.Status403Forbidden,
    instance: HttpContext.Request.Path
);

The latter example produces a client error response .

Answer 2

Alternative to MstfAsan's answer is to use:

return Forbid();

It is a method on the controller base class that does the same thing.

Or

return StatusCode(403);

If you want to return a message, then you must use StatusCode .

Answer 3

You can use return new ForbidResult(); Class declaration is

public class ForbidResult : ActionResult, IActionResult

For more spesific usages visit https://learn.microsoft.com/en-us/aspnet/core/api/microsoft.aspnetcore.mvc.forbidresult

Answer 4

Simply you can use ObjectResult to return a custom response with a status code.

See the syntax,

return new ObjectResult("Message") {StatusCode = YOUR_STATUS_CODE };

Note - You can pass an object also,

return new ObjectResult(your_model) {StatusCode = YOUR_STATUS_CODE };

Example:

public async Task<IActionResult> Post([FromBody] SomeData _data)
{
     // do your stuff

    // return forbidden with custom message
    return new ObjectResult("Forbidden") { StatusCode = 403};
}

Answer 5

If you don't return IActionResult as result, you can use the following code:

public List<SomeModel> GetModels()
{
   ... 
   ... // check logic
   ...

   Response.StatusCode = 403;
   return new List<SomeModel>();
}

Answer 6

Having the same issue when migrate from asp net mvc to net core 5. As a decision you can inherit from ObjectResult:

public class ForbidActionResult : ObjectResult
{
    public ForbidActionResult(int statusCode = (int)HttpStatusCode.Forbidden, string errorMessage = null) : 
        base(errorMessage ?? "User is not allowed to enter this page."))
    {
        StatusCode = statusCode;
    }

    public override async Task ExecuteResultAsync(ActionContext context)
    {
        await base.ExecuteResultAsync(context);
    }
}

and return it as IActionResult:

[HttpGet]
public IActionResult Get(int bookId)
{
    var book = dbContext.BookRepository.Find(bookId);

    if (!CurrentUser.CanEditAsClient(book))
    {
        return new ForbidActionResult();
    }

    return Ok();
}