I am trying to build a custom AuthorizeAttribute and override AuthorizeCore. It works fine everywhere else, but when I access a restricted URL that is not permitted without a specific role, it still lets me through. For example, the URL "http://localhost:8758/Classified/Attributes" requires the admin role, but my code allows access to it without the admin role. Am I doing something wrong? Here is my code.
using System;
using System.Web;
using System.Web.Mvc;
using Classified.Web.Services;
namespace Classified.Web
{
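/// <summary>
/// Authorizes a request only when the authenticated user holds the role named in
/// <see cref="RequiredRole"/>. Anonymous requests and authenticated users without
/// that role are denied.
/// </summary>
/// <remarks>
/// MVC reuses filter attribute instances across requests, so this class stores no
/// per-request state on the instance: the authentication service is resolved into a
/// local each time <see cref="AuthorizeCore"/> runs.
/// </remarks>
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>
    /// Optional pre-configured authentication service. When null, a
    /// <see cref="FormsAuthenticationService"/> is created from the request context.
    /// </summary>
    public IFormsAuthenticationService AuthenticationService { get; set; }

    /// <summary>
    /// Name of the role the caller must hold, set as a named attribute argument,
    /// e.g. [CustomAuthorize(RequiredRole = "Admin")]. Kept as a public field for
    /// compatibility with existing usages.
    /// </summary>
    public string RequiredRole;

    /// <summary>
    /// Decides whether the current request is authorized.
    /// </summary>
    /// <param name="httpContext">Context of the request being authorized.</param>
    /// <returns>
    /// True when the authenticated user has a role whose name equals
    /// <see cref="RequiredRole"/>; otherwise false.
    /// </returns>
    /// <exception cref="ArgumentNullException">
    /// Thrown when <paramref name="httpContext"/> is null.
    /// </exception>
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Fail closed: an attribute with no role configured must not authorize anyone.
        if (string.IsNullOrEmpty(RequiredRole))
            return false;

        // Use the context MVC hands us instead of HttpContext.Current, so the check
        // sees exactly the request being authorized and can be exercised in tests.
        // NOTE(review): assumes FormsAuthenticationService accepts an HttpContextBase
        // (the original passed an HttpContextWrapper, which derives from it) — confirm.
        var service = AuthenticationService ?? new FormsAuthenticationService(httpContext);

        var user = service.GetAuthenticatedUser();
        if (user == null || user.Roles == null)
            return false;

        foreach (var role in user.Roles)
        {
            // Ordinal comparison: role names are identifiers, not culture-sensitive text.
            if (role != null && string.Equals(role.RoleName, RequiredRole, StringComparison.Ordinal))
                return true;
        }

        return false;
    }
}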
I found the solution myself.
It was a small mistake: I had simply forgotten to apply the Authorize attribute to the controller.
Something like this:
[Authorize] public class AdminController : Controller { . . .