In my FilterConfig, I define a global authorize attribute. By doing that, I disallow anonymous access to all controllers by default - so that users need to log in.
    using System.Web.Mvc;

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new RedirectToHomeOnCryptographicExceptionAttribute());
            // Global authorization filter: every action requires an authenticated user
            filters.Add(new System.Web.Mvc.AuthorizeAttribute());
        }
    }
Then I have my controller class. I want one method to be restricted to users who have the role Admin.
    public class FilesController : Controller
    {
        [Authorize(Roles="Admin")]
        public ActionResult TestAccess()
        {
            if (!User.IsInRole("Admin"))
                return Content("Authorization not working as expected");
            return Content("hello");
        }
    }
When I now log in with a non-admin user and open /Files/TestAccess, I get "Authorization not working as expected". That's strange; I would have expected the [Authorize(...)] on the method to allow only admins.
How can I prevent non-admins from accessing my controller action?
I'm using Brock Allen's MembershipReboot for login and user management.
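As an added diagnostic (not part of the question above, and not MembershipReboot code), the action below lists every filter that MVC actually resolves for TestAccess, the scope it came from (Global, Controller or Action), and whether the framework treats it as an authorization filter. `FilterProviders.Providers.GetFilters` is the same lookup the MVC pipeline performs before invoking an action; the controller, action name and route are taken from the question, the WhichFilters action is hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Web.Mvc;

public class FilesController : Controller
{
    [Authorize(Roles = "Admin")]
    public ActionResult TestAccess()
    {
        return Content("hello");
    }

    // Added diagnostic (hypothetical action, remove when done): shows which
    // filters MVC will run for TestAccess. Authorization is only enforced by
    // filters that implement IAuthorizationFilter; an attribute that is not
    // listed here, or listed with authz=False, is never evaluated by MVC,
    // whatever User.IsInRole says inside the action body.
    public ActionResult WhichFilters()
    {
        var controllerDescriptor = new ReflectedControllerDescriptor(typeof(FilesController));
        var actionDescriptor = controllerDescriptor.FindAction(ControllerContext, "TestAccess");
        var filters = FilterProviders.Providers.GetFilters(ControllerContext, actionDescriptor);

        var sb = new StringBuilder();
        foreach (var f in filters.OrderBy(x => x.Scope).ThenBy(x => x.Order))
        {
            sb.AppendFormat("{0,-10} order={1,3} {2} authz={3}\n",
                f.Scope,
                f.Order,
                f.Instance.GetType().FullName,
                f.Instance is IAuthorizationFilter);
        }
        return Content(sb.ToString(), "text/plain");
    }
}
```

On a correctly wired controller you should see two lines of type System.Web.Mvc.AuthorizeAttribute with authz=True: one at Global scope (from FilterConfig) and one at Action scope carrying Roles="Admin". MVC runs authorization filters in that order and stops at the first one that sets a result, so a non-admin is rejected by the action-scoped filter before the action body runs. If the action-scoped entry is missing, or shows a different type (for example Web API's System.Web.Http.AuthorizeAttribute, which MVC ignores), the attribute on TestAccess is not the MVC one and the in-action IsInRole check is the only thing standing between the user and the content.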