22. February 2016
.net , c# , asp.net , mvc
I have been using the Authorize attribute heavily to manage user authorization, but at times the Authorize attribute alone is not enough. For instance, I want a user to be able to access the Edit page of any entity he created. In other words, I don't want him to edit records created by other users.
We cannot do this with Authorize alone, because it is designed to limit access to an action regardless of what data is passed to it. So in this case you can maintain a CreatedUser field in the record table and check in the action whether the logged-in user is authorized to perform this edit. Here is the code for that.
```csharp
// Object-level check: compare the record's owner with the current identity
if (myrecord.OwnerId != User.Identity.Name)
    return new HttpUnauthorizedResult();
```
You can return HttpStatusCodeResult(403) too, but that only displays the default access denied page of IIS, which is not what we want, and this is where HttpUnauthorizedResult comes in handy.
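Here is the same ownership check placed in a complete controller, as an added example rather than the post's own code. It assumes a hypothetical `Record` entity, `RecordEditModel` view model and `IRecordStore` interface; the point it adds is that the check runs on both the GET and the POST action, since a check on the GET alone does not protect the write.

```csharp
using System.Web.Mvc;

// Hypothetical entity and view model (not from the original post)
public class Record { public int Id; public string OwnerId; public string Title; }
public class RecordEditModel { public string Title { get; set; } }

// Hypothetical data-access abstraction standing in for the record table
public interface IRecordStore
{
    Record Find(int id);
    void Save(Record record);
}

[Authorize] // proves the caller is logged in; says nothing about which rows he may touch
public class RecordsController : Controller
{
    private readonly IRecordStore _store;
    public RecordsController(IRecordStore store) { _store = store; }

    // Shared object-level check: null when allowed, otherwise the result to return
    private ActionResult DenyUnlessOwner(Record record)
    {
        if (record == null)
            return HttpNotFound();
        if (record.OwnerId != User.Identity.Name)
            return new HttpUnauthorizedResult();
        return null;
    }

    // GET: /Records/Edit/5
    public ActionResult Edit(int id)
    {
        var record = _store.Find(id);
        var denied = DenyUnlessOwner(record);
        if (denied != null) return denied;
        return View(new RecordEditModel { Title = record.Title });
    }

    // POST: /Records/Edit/5 -- the check is repeated here, on the record loaded
    // by id, so the write is protected independently of the GET
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, RecordEditModel model)
    {
        var record = _store.Find(id);
        var denied = DenyUnlessOwner(record);
        if (denied != null) return denied;
        if (!ModelState.IsValid) return View(model);
        record.Title = model.Title; // copy only editable fields; OwnerId is never taken from the request
        _store.Save(record);
        return RedirectToAction("Index");
    }
}
```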