We have a site where users can have multiple roles, and certain content is only available to certain user levels and above. This has been implemented so that when the content authors enter the content they set the appropriate permissions for the user groups before publishing.
This all works as expected, but when a user who doesn't have a necessary role hits a page, he is redirected to the login page with no explanation as to why. Since they are already logged in, this is confusing to them.
Is there a way I can capture the page view and detect that there was insufficient access level and then message the user appropriately by redirecting them to a a more obvious error message? At a minimum, I'd rather return a 401 than redirect to the login screen, but really I'd rather just redirect them to a page with messaging indicating that the content they are trying to reach is only available to certain users.
Seems like this should be do-able, I just not sure how and what hooks to use.
Thanks in advance!
If you are using MVC then you can inherit the EPiServer AuthorizeContentAttribute, implement IAuthorizationFilter and inherit a custom OnAuthorisation method that you can then use to redirect to your login page. This attribute needs to be applied to each page controller where you want this rule to be applied. A very quick/simple POC can seen below that does this:
public class CustomAuthorizeContentAttribute : AuthorizeContentAttribute, IAuthorizationFilter
public void OnAuthorization(AuthorizationContext filterContext)
//Check if user doesn't have authorisation to the content
if (filterContext != null && filterContext.Result != null && filterContext.Result.GetType() == typeof(HttpUnauthorizedResult))
// Check if the user is logged in
var context = filterContext.HttpContext;
if (context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated)
//User is authenticated and they don't have access so redirect to not authorised page
filterContext.Result = new RedirectResult("/not-authorised-page/");
Example controller (from AlloyMVC):
[TemplateDescriptor(Inherited = true)]
public class DefaultPageController : PageControllerBase
If you are using WebForms you can override AccessDenied on PageBase: http://world.episerver.com/Documentation/Class-library/?documentId=cms/7.5/EC4A185.
Let me know how you get on.
Thanks! I am using MVC, and ended up finding Tarjei Olsen's post which outlined overriding a controller's OnAuthorize once I changed my search query to Access Denied, but your solution looks even a little simpler. Thanks a ton!