
Multi Tenancy HttpUnauthorizedResult weirdness

Topics: Core, General, Troubleshooting
Apr 3, 2014 at 1:35 AM

I've been playing around with multi tenancy in Orchard for a project that I'm working on at the moment, and I've noticed that the default forms authorization service relies on the settings in web.config for where it redirects users when a HttpUnauthorizedResult is returned from a controller like so:

<authentication mode="Forms">
    <forms loginUrl="~/Users/Account/AccessDenied" timeout="2880"/>
</authentication>

This leads to significant weirdness when you try to access a page for which you aren't authorized in a sub-tenant, because it redirects you to the access denied page of the Default tenant (or whichever tenant is set up as the site root).

On a happy note, I've managed to come up with a fix for this, which I recommend gets rolled into the Orchard.MultiTenancy module, or the Orchard.Exceptions.Filters namespace. It's essentially another IActionFilter/FilterProvider class:

using System.Web.Mvc;
using System.Web.Routing;
using Orchard.Mvc.Filters;

public class UnauthorizedAccessFilter : FilterProvider, IActionFilter
{
    public void OnActionExecuting(ActionExecutingContext filterContext)
    {
    }

    public void OnActionExecuted(ActionExecutedContext filterContext)
    {
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            var request = filterContext.RequestContext.HttpContext.Request;
            var url = request.RawUrl;

            // If the url is relative then replace with Requested path
            string returnUrl = request.Url.OriginalString.Contains(url) && request.Url.OriginalString != url ?
                request.Url.OriginalString : url;

            // Redirect by route instead of the loginUrl from web.config
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new
                {
                    action = "AccessDenied",
                    controller = "Account",
                    area = "Orchard.Users",
                    ReturnUrl = returnUrl
                }));
        }
    }
}

Apr 3, 2014 at 5:29 PM
It has been fixed in 1.8.
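
Added example, not part of the thread or of Orchard's code: the filter in the first post can place an absolute URL in ReturnUrl, so the action that later redirects back to it should accept only URLs on the site that served the request. This sketch assumes tenants are distinguished by host name (it does not check a tenant URL prefix); `ReturnUrlGuard` and its method names are hypothetical.

```csharp
using System;

// Hypothetical helper (not an Orchard type): decides whether a ReturnUrl
// produced by a filter like the one above may be followed after login.
public static class ReturnUrlGuard
{
    public static bool IsSameSite(string returnUrl, Uri currentRequestUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl)) return false;

        // Relative paths: "/foo" is fine, but "//host" and "/\host" are
        // interpreted by browsers as pointing at another host.
        if (returnUrl[0] == '/')
        {
            return returnUrl.Length == 1 ||
                   (returnUrl[1] != '/' && returnUrl[1] != '\\');
        }

        // Absolute URLs (what the filter emits when RawUrl is relative):
        // accept only the scheme, host and port of the current request.
        Uri target;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out target)) return false;

        return Uri.Compare(target, currentRequestUrl,
                   UriComponents.SchemeAndServer, UriFormat.Unescaped,
                   StringComparison.OrdinalIgnoreCase) == 0;
    }

    // Returns returnUrl when it passes the check, otherwise the fallback
    // (for example the tenant's home page).
    public static string OrDefault(string returnUrl, Uri currentRequestUrl, string fallback)
    {
        return IsSameSite(returnUrl, currentRequestUrl) ? returnUrl : fallback;
    }
}
```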