The behaviour of AbpAuthorizationFilter for users who have logged in but don't have the required permission(s) is to redirect them to the login page. My unauthorised users were so confused as to why they have to re-login over and over again, thinking it's a bug with the system.

aspnetboilerplate/src/Abp.AspNetCore/AspNetCore/Mvc/Authorization/AbpAuthorizationFilter.cs, lines 59 to 78 in d9706cb

This behaviour is different from the original ASP.NET Core, which returns a 403, which I think is the more correct way.
https://github.com/dotnet/aspnetcore/blob/bec278eabea54f63da15e10e654bdfa4168a2479/src/Security/Authorization/Policy/src/PolicyEvaluator.cs#L94-L108

There have been several attempts by others to retain ASP.NET Core's original behaviour:
https://stackoverflow.com/questions/51027406/asp-net-boilerplate-net-core-2-0-abpauthorizationfilter-challengeresult-una
https://support.aspnetzero.com/QA/Questions/7382/Redirect-authenticated-user-without-permission-to-a-page-instead-of-login
https://support.aspnetzero.com/QA/Questions/4049#answer-447ec9e8-b664-4f5a-b75f-313a2a2236f3

I think it's better to prompt users with an error instead of silently redirecting them back to the login page, which might lead them to think they have been logged out for some reason.

Somewhere along the lines in AbpAuthorizationFilter.cs above, we could do:

```csharp
// Inside the catch block of OnAuthorization, where `ex` is the caught authorization exception
if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType))
{
    ...
}
else
{
    if (context.HttpContext.User.Identity?.IsAuthenticated ?? false)
    {
        // Logged in but lacking the permission: answer 403 rather than challenging
        context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
        // Store the error message so that it can be retrieved and displayed in the Error 403 cshtml.
        // Supposed to only work with 'app.UseStatusCodePagesWithReExecute("/Error/{0}");'
        // instead of 'app.UseStatusCodePagesWithRedirects("/Error/{0}");'
        context.HttpContext.Items.Add("error", ex.Message);
    }
    else
    {
        // Not logged in at all: challenge (redirects to the login page)
        context.Result = new ChallengeResult();
    }
}
```
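A self-contained filter that makes the 403-versus-challenge split described in this issue, written as an added example for this page rather than taken from ABP's own code. The RequirePermission attribute name, the permission model (one "permission" claim per granted permission), the ErrorController, and detecting API actions via [ApiController] are all assumptions.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical filter: [RequirePermission("Pages.Users")] on a controller or action.
public sealed class RequirePermissionAttribute : Attribute, IAuthorizationFilter
{
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) => _permission = permission;
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var user = context.HttpContext.User;
        // Not signed in: challenge. Cookie auth redirects to the login page, bearer auth answers 401.
        if (!(user.Identity?.IsAuthenticated ?? false))
        {
            context.Result = new ChallengeResult();
            return;
        }
        // Assumed permission model: each granted permission is a "permission" claim on the principal.
        if (user.HasClaim("permission", _permission)) return;
        // Signed in but lacking the permission: 403, never a challenge, or the user is bounced to login and assumes the session expired.
        var message = $"Permission '{_permission}' is required to access this resource.";
        var isApi = context.ActionDescriptor is ControllerActionDescriptor cad && cad.ControllerTypeInfo.IsDefined(typeof(ApiControllerAttribute), inherit: true);
        if (isApi)
        {
            // API callers get a machine-readable 403 body rather than a redirect.
            context.Result = new ObjectResult(new { error = message }) { StatusCode = (int)HttpStatusCode.Forbidden };
        }
        else
        {
            // MVC views: bare 403 plus the message stashed for the error page. Items only survive with
            // app.UseStatusCodePagesWithReExecute("/Error/{0}"); a redirect would start a fresh request.
            context.HttpContext.Items["error"] = message;
            context.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
        }
    }
}

// Error page the re-executed request lands on; it shows the stashed message.
public class ErrorController : Controller
{
    [Route("Error/{code:int}")]
    public IActionResult Index(int code)
    {
        ViewData["Message"] = HttpContext.Items["error"] as string ?? $"Error {code}";
        return View(); // Views/Error/Index.cshtml renders ViewData["Message"]
    }
}
```

Register the re-execute middleware before MVC in Startup (app.UseStatusCodePagesWithReExecute("/Error/{0}")) so the stashed message is still present when the error action runs.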