I realise that I can prevent unauthenticated users from accessing views at controller level by applying the [Authorize] attribute and can also filter views down to individual users or roles using this. However, my question is regarding doing the opposite… Is there a way to deny authenticated users from certain views without having to manually add in checks to see if they’re authenticated in the opening lines of the controller code? Ideally an [Unauthorized] attribute or an equivalent if such a thing exists?
The reason for this is that I don’t want authenticated users to be able to visit the account creation pages of the site I’m working on, as well as other resources. I realise I could check them in the controller explicitly but I’d prefer to decorate the controller methods if at all possible.
Thanks 🙂
You can write your own authorization filter. Inherit from FilterAttribute and implement IAuthorizationFilter. Call it UnauthorizedAttibute and you will be able to use it like [Authorize].
Hear You can read about filters:
http://www.asp.net/LEARN/mvc/tutorial-14-cs.aspx