aspnet / Templates

This repo is OBSOLETE - please see the README file for information

missing /Account/AccessDenied method/view for unauthorized requests #608

Closed Rick-Anderson closed 8 years ago

Rick-Anderson commented 8 years ago

By default, when you

return new ChallengeResult();

for unauthorized requests, you are redirected to

http://localhost:port/Account/AccessDenied?ReturnUrl=

The account controller needs an AccessDenied method/view.

phenning commented 8 years ago

What did you use for the base template?

Do you have a repro project?

I can't repro this with either NoAuth or IndividualAuth.

Rick-Anderson commented 8 years ago

Closing until I come up with a repro

Rick-Anderson commented 8 years ago

  1. Create a new web app with auth
  2. Update the contact method in the home controller with the following:

public IActionResult Contact()
{
    ViewData["Message"] = "Your contact page.";

    //return View();
    return new ChallengeResult();
}

Launch and tap on Contact. You are redirected to the log in page. Tap the register link and register. Tap the Contact link again. This time you're redirected to http://localhost:2207/Account/AccessDenied?ReturnUrl=%2Fcontacts%2FEdit%2F1, which does not exist, so you get a 404 on some browsers, nothing on others.

phenning commented 8 years ago

@Haok, should we add an AccessDenied action here for the CookieAuthentication handler to handle this?

preview2 or post?

@mlorbetske @sayedihashimi

phenning commented 8 years ago

/cc @balachir @Eilon

HaoK commented 8 years ago

Yeah probably a nicer error experience

phenning commented 8 years ago

I talked to @barrytang; we'll take this post preview2. For now, if people run into this, they can add the view and code in the referenced pull request.
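
The behaviour discussed in this thread, as an added example that is not from the thread or from the referenced pull request. It assumes a current ASP.NET Core minimal-API project (.NET 6 or later, `Microsoft.NET.Sdk.Web`), where the cookie handler sends `Forbid` to `AccessDeniedPath` and `Challenge` to `LoginPath`; the endpoint bodies and the demo user are hypothetical.

```csharp
// Program.cs - added example; assumes .NET 6+ with implicit usings enabled.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Anonymous callers are redirected here with ?ReturnUrl=...
        options.LoginPath = "/Account/Login";
        // Signed-in callers who are refused are redirected here with ?ReturnUrl=...
        // If nothing is mapped at this path, the user lands on a 404.
        options.AccessDeniedPath = "/Account/AccessDenied";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical stand-in for the template's login/register pages: signs in a demo user.
app.MapGet("/Account/Login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    return Results.Text("Signed in as demo. Request /Home/Contact again.");
});

// Stand-in for the Contact action in the repro: it never serves the page.
app.MapGet("/Home/Contact", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true
        ? Results.Forbid()       // signed in but refused -> AccessDeniedPath
        : Results.Challenge());  // anonymous -> LoginPath

// The missing piece: a target for AccessDeniedPath, so the redirect does not end in a 404.
// It carries no authorization requirement of its own, so the refused user can reach it.
app.MapGet("/Account/AccessDenied", async (HttpContext ctx) =>
{
    ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
    await ctx.Response.WriteAsync("Access denied.");
});

app.Run();
```

Requesting `/Home/Contact` before signing in redirects to the login path; requesting it again after signing in redirects to `/Account/AccessDenied`, which now returns a 403 page instead of a 404.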

Rick-Anderson commented 8 years ago

@phenning thanks. I'll document this. Do you need [AllowAnonymous]? The request is authenticated at this point.

phenning commented 8 years ago

Actually, I don’t think we need to use AllowAnonymous in this case.

From: Rick Anderson [mailto:notifications@github.com]
Sent: Wednesday, June 15, 2016 2:24 PM
To: aspnet/Templates Templates@noreply.github.com
Cc: Phil Henning Phil.Henning@microsoft.com; Mention mention@noreply.github.com
Subject: Re: [aspnet/Templates] missing /Account/AccessDenied method/view for unauthorized requests (#608)

@phenning thanks. I'll document this. Do you need [AllowAnonymous]? The request is authenticated at this point.
