1

I have a website that has for examples pages A, B, C, D,.... I want that the user can only access page A once he has registered. To access the remaining pages the user needs to complete some joining formalities which include making a payment among others.

Now the simple way would be where I add a check in all my pages currently completed to make sure that the pages B, C, D... requested are displayed only if the user has completed all joining formalities. This will need me to re work all those existing pages all over again. Also, all future pages developed will need to remember to add that check.

To come around this I used a custom authorize attribute class that inherits from AuthorizeAttribute and made a check in the overridden OnAuthorization method there as in the snippet below

        else if (!SessionCache.FormalitiesCompleted)
        {
            //force completion of formalities
            if (!( string.Equals(filterContext.ActionDescriptor.ActionName, "Index", StringComparison.InvariantCultureIgnoreCase)
                  || string.Equals(filterContext.ActionDescriptor.ActionName, "Options", StringComparison.InvariantCultureIgnoreCase)
                  || string.Equals(filterContext.ActionDescriptor.ActionName, "Index_B", StringComparison.InvariantCultureIgnoreCase)
                  || string.Equals(filterContext.ActionDescriptor.ActionName, "Index_C", StringComparison.InvariantCultureIgnoreCase)
                    && string.Equals(filterContext.ActionDescriptor.ControllerDescriptor.ControllerName, "Formalities", StringComparison.InvariantCultureIgnoreCase)))
            {
                string _action = filterContext.ActionDescriptor.ActionName;
                filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Formalities", action = _action, area = "FormalitiesArea" }));
            }


        }

As you can see there are too many OR conditions in the IF. I suspect this will increase as the complexity of the formality increases.

Is there a better way to enforce the user doesn't visit any other page on the site unless the formalities are completed?

Thanks for your time.

Improve this question

3 Answers 3

Reset to default
2

You probably should look at the [Authorize attribute] http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx If you decorate an action with that attribute only logged in users can access it and others will be redirected to the login page.

For Paid/Registered users, I would inherit from this and make a PaidUserAuthorize attribute:

public class PaidUserAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        if(filterContext.Result is HttpUnauthorizedResult)
        {
            filterContext.Result = new RedirectResult("/PaymentPage");
        }
    }
}

Therefore decorating an action with

[PaidUserAuthorize(Roles = "PaidUser", "Super User")]

will redirect unpaid users to the payment page.

After a user pays - add them to the PaidUser role. So when they go to the action again they will be allowed access.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You can create an Actin Filter and apply it to the Actions or Classes that you want to restrict access too. In you actions filter, you'll want to override the OnActionExecuting method and implement your checking logic in there. You can allow or deny access to those views based on whatever you want to do

Check this link out for a sample

Improve this answer

Comments

0

What about using the [Authorize] annotation in your Controllers? By creating your own AuthorizeAttributes you should be able to customise the authorisation per action based on whatever MembershipProvider you choose to use or create.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.