VoodooChild answered #1.
For #2 -
What you can do is check if the user is logged in on the login page and display a different message or an entirely different page (or even do a redirect to a different action).
Alternatively you can create your own authorization attribute. This will require that you use this attribute everywhere instead of the default AuthorizeAttribute:
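    using System.Web.Mvc;
    using System.Web.Routing;

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Authenticated but failed the authorization check:
            // send the user to a dedicated action instead of the login page.
            if (filterContext.HttpContext.Request.IsAuthenticated)
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { "action", "ActionName" },
                        { "controller", "ControllerName" }
                    });
            }
            else
            {
                // Not authenticated: keep the default behaviour (redirect to login).
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }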
Update:
Just thought of another method. When a redirect is done to the login page from a different page, a querystring ReturnUrl is also passed. So you can also check whether it contains something AND the user is authenticated; if so, chances are the user didn't have permission to view that page.
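A sketch of the ReturnUrl check described in the update, added here as an example and not part of the original answer. The controller, the AccessDenied view and the Home/Index route are assumptions; because ReturnUrl arrives in the query string, the example only honours it when Url.IsLocalUrl accepts it.

```csharp
using System.Net;
using System.Web.Mvc;

// Hypothetical login controller (ASP.NET MVC with Forms Authentication assumed).
public class AccountController : Controller
{
    // GET /Account/Login?ReturnUrl=%2fAdmin%2fReports
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        // ReturnUrl is user-controllable input. Treat it as meaningful only
        // when it points back into this application, so a crafted link
        // cannot turn the login page into an open redirect.
        bool hasLocalReturnUrl =
            !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl);

        if (Request.IsAuthenticated && hasLocalReturnUrl)
        {
            // Already signed in, yet sent to the login page with a ReturnUrl:
            // the user most likely lacked permission for that page.
            // Answer with 403 rather than asking for credentials again.
            Response.StatusCode = (int)HttpStatusCode.Forbidden;
            return View("AccessDenied"); // assumed view name
        }

        if (Request.IsAuthenticated)
        {
            // Signed in and no usable ReturnUrl: nothing to log in to.
            return RedirectToAction("Index", "Home"); // assumed route
        }

        // Anonymous user: show the login form, passing on only a validated
        // ReturnUrl for the post-login redirect.
        ViewBag.ReturnUrl = hasLocalReturnUrl ? returnUrl : null;
        return View();
    }
}
```

The POST action that performs the sign-in should repeat the Url.IsLocalUrl check before redirecting, since the value posted back from the form is equally user-controlled.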