tags:

views:

104

answers:

2
+1  Q: 

How can I change the ASP.Net MVC Login Redirect based on role?

I have the following code I've typed into the Account Controller in my MVC project and I am in both the administrator and manager roles. When I log in I get redirected back to my home index instead of being redirected to my AdminApp index. Any ideas where I'm going wrong in my code?

[AcceptVerbs(HttpVerbs.Post)]
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings",
        Justification = "Needs to take same parameter type as Controller.Redirect()")]
    public ActionResult LogOn(string userName, string password, bool rememberMe, string returnUrl)
    {

        if (!ValidateLogOn(userName, password))
        {
                return View();
        }

        FormsAuth.SignIn(userName, rememberMe);
        if (!String.IsNullOrEmpty(returnUrl))
        {
            return Redirect(returnUrl);
        }
        else
        {
            if (User.IsInRole("Administrator") || (User.IsInRole("Manager")))
            {
                return RedirectToAction("Index", "AdminApp");
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }

        }
    }
A: 

You need to un-nest the if statement. Revise as follows:

Change this: 

FormsAuth.SignIn(userName, rememberMe);
if (!String.IsNullOrEmpty(returnUrl))
{            
    return Redirect(returnUrl);
}        
else
{ 
    if (User.IsInRole("Administrator") || (User.IsInRole("Manager")))
    {               
     return RedirectToAction("Index", "AdminApp");     
    } 
    else          
    {                
    return RedirectToAction("Index", "Home"); 
    }     
}

to this:

if (User.IsInRole("Administrator") || (User.IsInRole("Manager")))
{               
 return RedirectToAction("Index", "AdminApp");     
} 
else          
{                
return RedirectToAction("Index", "Home"); 
}

The problem is the the line if(!String.IsNullOrEmpty(returnUrl))) is evaluating to True because the returnUrl parameter has the url of the page you came from by default.

Jeff French  2009-12-08 16:59:54
hmm. I tried and didn't work for me. I can use the User.InInRole successfully on an aspx page to show/hide links, but it's not working when I have it in a controller. Is there another way to perform this in the controller?
Ben  2009-12-08 17:54:31
Shouldn't make much difference, but you can try Roles.IsUserInRole(). However, I think this is the same method that ends up getting called by the User.IsInRole() method.
Jeff French  2009-12-08 19:12:58
+4  A: 

The reason your code is not working as expected is because the User has technically not been signed in and authenticated yet. Say what? But you did call SignIn!

FormsAuth.SignIn(userName, rememberMe); - which in this case is just a wrapper for FormsAuthentication.SetAuthCookie(userName, createPersistentCookie); - only sets the asp.net authorization cookie on the users browser as part of the response. It is only for requests after this point that the user's browser will have the cookie, causing the asp.net membership to properly set up the 'User' object. All of your code in the LogOn method is still assuming an anonymous user, so your IsInRole check fails and you are redirected home. Put your if statement on another page and after you've signed in, you'll see that now User.IsInRole works as expected. (And indeed, this is what you'd use User.IsInRole for, just not during the logon process)

So how to check during the actual logon process? Roles.IsUserInRole or Roles.GetRolesForUser are a couple of ways, eg.:

if (Roles.IsUserInRole(userName, "Administrator") || Roles.IsUserInRole(userName, "Administrator"))
{
    return RedirectToAction("Index", "AdminApp");
}

You must explicitly specify the user name of the user logging in, which will actually execute a query against the membership datastore. On that note, I believe the above code would as a result cause two queries to be executed, which you may find less than ideal. This is where Roles.GetRolesForUser might be a better option:

string[] roles = Roles.GetRolesForUser(userName);
if (roles.Contains("Administrator") || roles.Contains("Manager"))
{
    return RedirectToAction("Index", "AdminApp");
}

Hope that helps!

Kurt Schindler  2009-12-10 16:54:39
worked like a charm! I appreciate the help!
Ben  2009-12-19 00:06:12

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data